The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint advisory about DAIXIN Team, a fledgling ransomware and data exfiltration group that has been targeting US healthcare.
First spotted in June 2022, DAIXIN Team quickly got the government's attention by executing multiple ransomware attacks against organizations in the Healthcare and Public Health (HPH) sector. As is now standard, the attacks combined encryption of servers with data theft, and in this case the stolen data included both personally identifiable information (PII) and patient health information (PHI).
The DAIXIN leak site
The advisory reports that DAIXIN Team gains initial access through victims' VPN servers. In one confirmed case the actors likely exploited an unpatched vulnerability in the VPN server; in another they logged in with credentials obtained by phishing, against a legacy VPN server that did not have multifactor authentication (MFA) enabled.
Once inside, the group conducts reconnaissance, moves laterally over SSH and RDP, escalates privileges by dumping credentials and passing the hash, exfiltrates sensitive data, and finally deploys ransomware built from the Babuk Locker source code that was leaked in 2021.
According to Malwarebytes' Malware Intelligence Analyst and ransomware expert Marcelo Rivero, DAIXIN Team has been quieter of late. "At this time, they appear to have taken a hiatus, as they haven't listed any new victims so far this month."
As with most ransomware groups, DAIXIN Team publishes details of its victims and leaks their stolen data if they do not pay the ransom. After publishing details of three victims in August, it published only one in September, and so far none in October, with November just around the corner. A lack of published victims may indicate inactivity, or it may mean that DAIXIN Team has been successful at persuading victims to pay up.
Still, healthcare organizations must heed the alarm raised by the FBI, CISA, and HHS. They report that of the 649 ransomware complaints the FBI Internet Crime Complaint Center (IC3) received from critical infrastructure organizations in 2021, 148 came from the Healthcare and Public Health sector. DAIXIN Team may be the latest ransomware threat, but it is far from the only one.
Basic mitigations close the gaps that ransomware groups exploit:
- Create a plan for patching software in a timely manner.
- Train users to report suspicious emails and phishing attempts.
- Require multifactor authentication (MFA) on VPNs, remote desktop and any other remote access; DAIXIN's credential-based intrusion went through a VPN server that had none.
- Use endpoint security software with EDR to identify intruders and stop ransomware.
- Assign access rights according to the Principle of Least Privilege.
- Segment networks to make lateral movement more difficult.
- Create and test offline, offsite backups that are beyond the reach of attackers.
For more information about how to protect your organization against DAIXIN Team and other ransomware gangs, see CISA alert AA22-294A.