A joint warning has been issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) to raise the health sector’s awareness of a data extortion and ransomware gang called Daixin Team. Daixin Team first came to light in June 2022 and has primarily targeted organizations in the Healthcare and Public Health (HPH) sector with data extortion and ransomware campaigns. The attacks have encrypted servers holding electronic health records, blocking access to those records and severely disrupting healthcare services, including diagnostics, imaging, and appointment scheduling. The tactics, techniques, and procedures (TTPs) observed in Daixin Team attacks have been shared in the #StopRansomware: Daixin Team alert, along with indicators of compromise (IoCs) and a set of recommended mitigations intended to make these campaigns harder to carry out.
Daixin Team’s playbook is to break into a healthcare network, perform reconnaissance, locate sensitive data and exfiltrate it, and then use that data as leverage to extort payment. The group urges victims not to engage ransomware negotiation or recovery firms and tries to open a direct line of contact with them, threatening to publish the stolen data if the victim has not made contact within five days of the attack. Initial access has come through the victims’ VPN servers: in some intrusions Daixin Team exploited an unpatched vulnerability in the VPN server itself, and in others it logged in with compromised VPN credentials for accounts that did not have multi-factor authentication (MFA) enabled, in several attacks obtaining those credentials through phishing emails carrying malicious attachments. Once inside, the actors move laterally using Secure Shell (SSH) and Remote Desktop Protocol (RDP), escalate privileges through credential dumping and pass-the-hash, exfiltrate data, and finally deploy their ransomware payload, which is believed to be based on leaked Babuk Locker source code.
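As an added example (not part of the advisory or of the original article), the following Python script shows how a SOC might correlate VPN and Windows logon telemetry to surface the access pattern described above: a VPN login on an account without MFA, followed by RDP logons to several internal hosts within a short window. The events, user names, host names and thresholds are constructed for illustration; the field names are assumptions and would need to be mapped to your own VPN appliance and Windows Security log schemas (Event ID 4624 with logon type 10 for RDP).

```python
"""Correlate constructed VPN and Windows logon events to flag a Daixin-style
intrusion chain: VPN login without MFA, then RDP fan-out across hosts.

Example code added for illustration; not from the CISA/FBI/HHS advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "vpn" events model a VPN
# appliance's authentication log; "win" events model Windows Security event
# 4624, where logon_type 10 = RemoteInteractive (RDP). Field names are assumed.
SAMPLE_EVENTS = [
    {"kind": "vpn", "ts": "2022-06-01T02:10:00", "user": "jdoe", "src": "203.0.113.7", "mfa": False},
    {"kind": "win", "ts": "2022-06-01T02:15:00", "user": "jdoe", "host": "HIS-DB01", "logon_type": 10, "auth": "NTLM"},
    {"kind": "win", "ts": "2022-06-01T02:22:00", "user": "jdoe", "host": "PACS-01", "logon_type": 10, "auth": "NTLM"},
    {"kind": "win", "ts": "2022-06-01T02:40:00", "user": "jdoe", "host": "FILESRV02", "logon_type": 10, "auth": "NTLM"},
    {"kind": "vpn", "ts": "2022-06-01T08:00:00", "user": "asmith", "src": "198.51.100.4", "mfa": True},
    {"kind": "win", "ts": "2022-06-01T08:05:00", "user": "asmith", "host": "WS-117", "logon_type": 10, "auth": "Kerberos"},
    {"kind": "vpn", "ts": "2022-06-01T09:00:00", "user": "svc-backup", "src": "203.0.113.9", "mfa": False},
    {"kind": "win", "ts": "2022-06-01T09:30:00", "user": "svc-backup", "host": "BKP-01", "logon_type": 10, "auth": "NTLM"},
]

WINDOW = timedelta(hours=2)   # assumed correlation window
FANOUT_THRESHOLD = 3          # assumed: distinct RDP targets that count as fan-out


def parse_ts(s):
    return datetime.fromisoformat(s)


def vpn_logins_without_mfa(events):
    """Rule 1: every VPN authentication that succeeded without MFA.

    This is the weak point the advisory calls out (VPN accounts without MFA);
    on its own it is a hygiene finding, not an intrusion alert.
    """
    return [e for e in events if e["kind"] == "vpn" and not e["mfa"]]


def rdp_fanout_after_vpn(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Rule 2: a VPN login followed within `window` by RDP (logon type 10)
    to at least `threshold` distinct hosts by the same user.

    Returns a list of (user, vpn_ts, sorted host list) tuples.
    """
    rdp_by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "win" and e["logon_type"] == 10:
            rdp_by_user[e["user"]].append((parse_ts(e["ts"]), e["host"]))

    hits = []
    for e in events:
        if e["kind"] != "vpn":
            continue
        start = parse_ts(e["ts"])
        hosts = {h for t, h in rdp_by_user[e["user"]] if start <= t <= start + window}
        if len(hosts) >= threshold:
            hits.append((e["user"], e["ts"], sorted(hosts)))
    return hits


def high_confidence_users(events):
    """Users that match both rules: no MFA on the VPN login AND RDP fan-out
    afterwards. These are the ones to triage first."""
    no_mfa = {e["user"] for e in vpn_logins_without_mfa(events)}
    fanout = {user for user, _, _ in rdp_fanout_after_vpn(events)}
    return sorted(no_mfa & fanout)


if __name__ == "__main__":
    for e in vpn_logins_without_mfa(SAMPLE_EVENTS):
        print(f"[no-MFA VPN login] {e['ts']} user={e['user']} src={e['src']}")
    for user, ts, hosts in rdp_fanout_after_vpn(SAMPLE_EVENTS):
        print(f"[RDP fan-out] user={user} after VPN login at {ts}: {', '.join(hosts)}")
    print("high confidence:", high_confidence_users(SAMPLE_EVENTS))
```

In the constructed data, `jdoe` trips both rules (no MFA, then RDP to three hosts in thirty minutes) while `svc-backup` only trips the MFA check and `asmith` neither; the NTLM authentication on the RDP logons is worth a second look in real telemetry because pass-the-hash produces NTLM rather than Kerberos logons, but that field is not used by the rules above.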
The FBI, CISA, and HHS have recommended a number of mitigations to help healthcare organizations protect their sensitive information. These include:
- Patching promptly and keeping software up to date.
- Implementing phishing-resistant multi-factor authentication.
- Securing and monitoring RDP, or disabling it where it is not needed.
- Turning off SSH and other network device management interfaces on wide area network (WAN) connections, and protecting them with strong passwords and encryption where they must remain enabled.
- Enforcing strong passwords and encrypting data at rest and in transit.
- Implementing and enforcing multi-layer network segmentation.
- Limiting access to data by deploying public key infrastructure (PKI) and digital certificates to authenticate device connections.
- Encrypting ePHI at collection points.
- Ensuring ePHI is handled in accordance with the HIPAA Security Rule.
The FBI has urged healthcare organizations to promptly report all ransomware incidents to the local FBI Field Office or CISA’s website, regardless of whether the organization has chosen to pay the ransom.