What You Need to Know About the Daixin Team Ransomware Group

Originally published by Titaniam.

Ransomware attacks are common and becoming more creative. However, as attackers evolve, so do their decisions of targets and methodology. As of October 2022, the FBI’s Internet Crime Complaint Center (IC3) holds victim reports across all 16 critical infrastructures, but the healthcare and public health sector made up 25% of ransomware complaints.

This year, the Daixin Team Ransomware Group has caused chaos for healthcare data security teams. If you are looking to research the Daixin Team ransomware attacks on the healthcare sector, investigate solutions that can be put in place to minimize these attacks from happening again, or learn more about how to prevent their encryption-based attack, look no further!

What is the Daixin Team?

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and HHS (Department of Health & Human Services) has warned in a cybersecurity advisory that “The Daixin Team ransomware and data extortion group is an active threat to the healthcare sector.” Since June 2022, the group has been targeting businesses and primary healthcare organizations. What makes them so dangerous to healthcare organizations is that they have deployed ransomware to encrypt the essential servers of healthcare professionals.

How do they work?

The Daixin Team is not unique in the way that when they target a hospital, it is to steal this sensitive information. They complete this task by encrypting the servers responsible for running the place. Another goal these healthcare cyber attackers may have is to exfiltrate PII and patient health information (PHI), then threaten to release the data if the organization refuses to pay the demanded amount of ransom.

While healthcare data has become a target for ransomware, Daixin Team’s technical approach and note at the end leaves you with no mystery in wondering who has your PHI. Here’s their methodology.

Step One:

Daixin Team actors will use a virtual private network (VPN) server to gain access to their target’s systems. This exact infiltration method has ranged from getting credentials through phishing emails and then getting in through a lack of Multi-Factor Authentication (MFA) or cybercriminals exploiting an unpatched vulnerability in the target organization’s own VPN server.

Step Two:

Once they are in the system, Daixin actors can move throughout via Secure Shell (SSH) and Remote Desktop Protocol (RDP) with software based on Babuk Locker source code. According to the agencies in the advisory, the privileged accounts allowed the attackers to get into VMware vCenter Servers. Once they reset account passwords for ESXi servers, they deploy their ransomware.

Step Three:

Once they are freely moving about the network, Daixin actors look for PII/PHI to exfiltrate. Data is exfiltrated before Step Four and used as additional leverage to collect ransom.

Step Four:

Daixin actors then proceed to encrypt the system and the victim sees a note such as:

What differentiates healthcare cyberattacks?

For providers, their services are no longer safe to host personally identifiable information (PII) or personal health information (PHI) as patients’ records are at the mercy of the Daixin Team. Hospitals are already vulnerable locations, as their clientele are patients who may need critical care.

Given the volume of sensitive data they store, the number of connected devices they utilize, and the possibility that a disruption in crucial treatment could force organizations to pay the ransom. Also PHI fetches very good prices on the dark web and Daixin actors are motivated by this additional revenue stream as well. For these reasons healthcare data and their facilities have grown to be a popular public sector target of ransomware and extortion operators.

If it has already happened to your organization, it is not your fault, and you are in the right place to protect your organization moving forward. Let’s discuss preventing these dire consequences and keeping your patients’ care going throughout a Daixin Team attempt.

What does the US healthcare system suggest regarding data protection and cybersecurity?

Some of the suggestions for how to keep healthcare data secure, according to the warning advisory, include:

• Keeping operating systems, software, and firmware updated
• Securing and monitoring RDP
• Requiring MFA as much as possible
• Implementing network segmentation
• Turning off SSH are all ways suggested by the three advisory agencies to keep healthcare data secure.
• The advisory also suggested ensuring that healthcare organizations must secure PHI as required by HIPAA to prevent the initial introduction of bad actors into the system. HIPAA data is typically required to be secured via encryption.

Traditionally, encryption of healthcare data was only available while data was at rest i.e. not being actively utilized. This meant that when bad actors such as Daixin attackers successfully broke in, they could easily decrypt it using stolen credentials. However, now there are other solutions offering encryption-in-use, that can ensure that even if attackers have access to admin credentials, they cannot get to PII and PHI in unencrypted form. These systems promote immunity to the attacks to further protect organizations.