Daixin Team Ransomware Group Actively Targeting Healthcare Sector

October 24, 2022 - The Daixin Team ransomware and data extortion group is an active threat to the healthcare sector, The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and HHS warned in a cybersecurity advisory (CSA).

The group has been active since at least June 2022 and has executed multiple attacks against the healthcare sector. Specifically, the group has deployed ransomware to encrypt servers that are essential to healthcare, such as EHR systems, diagnostic services, and imaging services.

In addition, the group has been known to exfiltrate protected health information (PHI) and hold it for ransom.

“Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190],” the advisory stated.

“In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.”

Once they have obtained access, Daixin actors can move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). The Daixin Team’s software is likely based on Babuk Locker source code, the advisory explained. The advisory contained detailed indicators of compromise (IOCs) and pictures of common Daixin ransom notes.

CISA, FBI, and HHS urged the healthcare sector to take action to protect against Daixin Team activity. Healthcare organizations should install updates and prioritize patching VPN servers, remote access software, known vulnerabilities, and virtual machine software.

In addition, the federal entities urged the sector to require phishing-resistant multifactor authentication (MFA) “for as many services as possible,” and to secure and monitor RDP.

In addition to network segmentation and strong data access management policies, the advisory reminded healthcare organizations to secure PHI as required by HIPAA.

“Implementing HIPAA security measures can prevent the introduction of malware on the system,” the advisory stated.

The advisory also contained extensive guidance for preparing for, preventing, and responding to ransomware incidents. Healthcare organizations should ensure that all backup data is encrypted, maintain cyber incident response plans, and implementing user training programs.

“FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered,” the advisory concluded.

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”