According to a joint advisory from law enforcement agencies in the US, the Daixin Team has an ongoing ransomware operation against US-based healthcare organisations.
These federal agencies have published indicators of compromise and the TTPs used by the threat group for executing their operation. These IOCs could aid security experts in tracing and blocking the attacks of this threat group.
The Daixin Team is a data extortion and ransomware group that has targeted numerous health sector organisations. The group's most recent ransomware and data extortion attack was carried out in June this year.
Since its operations last June, the Daixin Team has been connected to multiple ransomware incidents against healthcare entities in which it encrypted the systems used to deliver services. These attacks have damaged electronic health records, diagnostics, intranet services, and imaging services.
Daixin Team has also stolen troves of data from its targets.
A separate researcher noted that the Daixin Team is notorious for stealing patient and personally identifiable information. The group uses these details to apply double extortion tactics to pressure its targets into paying ransoms.
Moreover, this ransomware group is notorious for exploiting known vulnerabilities to infiltrate its targeted organisations. Most of the vulnerabilities the group exploits are in VPN servers, and it also gains entry with compromised VPN credentials for accounts that do not employ MFA.
Once the group breaches a network, it uses RDP and SSH to move laterally across the targeted environment. Subsequently, the group escalates its privileges through methods such as credential dumping in order to launch its ransomware payloads.
This privileged access is also used to “gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment” with the same goal of encrypting the systems using ransomware.
Before encrypting its targets' devices, however, the group first uses Ngrok and Rclone to exfiltrate the stolen data to a dedicated VPS.
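The Ngrok and Rclone exfiltration step described above is one of the few points in this chain a defender can catch before encryption begins. The following detection sketch is an added example, not code from the advisory or from any vendor: it scans constructed, pipe-delimited process-creation events (a hypothetical EDR export format) and flags Rclone copy/sync/move commands to a configured remote and Ngrok TCP tunnels exposing RDP or SSH.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (not real telemetry).
# Hypothetical export layout: timestamp|host|user|image path|command line
SAMPLE_EVENTS = [
    "2022-10-21T03:12:07Z|HIS-DB01|corp\\svc_backup|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2022-10-21T03:14:51Z|HIS-DB01|corp\\jdoe|C:\\Users\\Public\\rclone.exe|rclone.exe copy D:\\EHR\\exports remote:dump --transfers 16",
    "2022-10-21T03:15:02Z|HIS-DB01|corp\\jdoe|C:\\Users\\Public\\ngrok.exe|ngrok.exe tcp 3389",
    "2022-10-21T03:20:44Z|PACS-01|corp\\admin|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a archive.zip notes.txt",
]

# Tools the advisory summary associates with Daixin Team data exfiltration.
EXFIL_TOOLS = {"rclone.exe", "ngrok.exe"}
# Rclone subcommands that move data off-host; a "name:" destination is a configured remote.
RCLONE_MOVE = re.compile(r"\b(copy|sync|move)\b\s+\S+\s+(\S+):", re.IGNORECASE)
# Ngrok TCP tunnels of RDP (3389) or SSH (22) expose lateral-movement services externally.
NGROK_TUNNEL = re.compile(r"\btcp\b\s+(3389|22)\b")

@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str

def analyse(events):
    """Return one Finding per event that executes a known exfiltration tool."""
    findings = []
    for line in events:
        _ts, host, user, image, cmd = line.split("|", 4)
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe not in EXFIL_TOOLS:
            continue  # ordinary process, e.g. svchost or 7-Zip in the sample
        if exe == "rclone.exe":
            m = RCLONE_MOVE.search(cmd)
            reason = f"rclone {m.group(1)} to remote '{m.group(2)}'" if m else "rclone executed"
        else:
            m = NGROK_TUNNEL.search(cmd)
            reason = f"ngrok tunnel exposing port {m.group(1)}" if m else "ngrok executed"
        findings.append(Finding(host, user, exe, reason))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.tool} - {f.reason}")
```

Both tools have legitimate uses, so in production the hit should be correlated with the preceding RDP/SSH logon and the size of outbound traffic rather than treated as proof of compromise on its own.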
The law enforcement agencies urge the US health organisations to take several preventive measures to defend against Daixin Team’s ransomware operations. Healthcare entities should install updates for their OS, software, and firmware if available.
They are also advised to employ phishing-resistant MFA for as many services as possible. Lastly, these entities should educate and train their employees to spot phishing attempts.
