U.S. authorities are urging healthcare organizations to be on the lookout for the Daixin Team, a new ransomware group that has been targeting the healthcare sector since June.
The U.S. Cybersecurity and Infrastructure Security Agency, FBI and Department of Health and Human Services’ joint advisory says the Daixin Team has been targeting healthcare organizations with ransomware and data extortion operations and have caused major security incidents at multiple organizations.
According to the advisory, the Daixin Team has deployed ransomware to encrypt servers responsible for healthcare services, such as electronic health records, diagnostic services, imaging services and intranet. The group also seeks to exfiltrate personal information and health information of patents, threatening to release the data if a ransom is not paid.
Ransomware actors with the Daixin Team gain access to victim networks through VPN servers, including exploiting unpatched vulnerabilities in the server. Other methods include using phishing to compromise credentials to access legacy VPN servers without multifactor authentication enabled.
After obtaining access to the victim’s VPN server, Daixin actors use Secure Shell (SSH) and Remote Desktop Protocol (RDP) to move laterally, according to the advisory. Officials say Daixin actors also seek to gain access to privileged accounts through credential dumping and pass the hash to access VMware vCenter Server and reset passwords for ESXi servers in the environment.
The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [on those servers, per the advisory.
According to the advisory, the actual Daixin Team ransomware is based on leaked Babuk Locker source code. This third-party reporting and FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/.
Like many other ransomware groups, Diaxin hackers also exfiltrate data using publicly available tools.
Recommendations listed in the advisory follow other standard ransomware mitigation measures, such as implementing multifactor authentication, patching systems, securing RDP, segmenting networks and more.
However, agencies also call on healthcare organizations to better secure patient data, including encryption and firewall protection.
Read the advisory for more information.