CISA, the FBI, and the Department of Health and Human Services (HHS) warned {that a} cybercrime group generally known as Daixin Team is actively focusing on the U.S. Healthcare and Public Health (HPH) sector in ransomware assaults.
The federal companies additionally shared indicators of compromise (IOCs) and ways, strategies, and procedures (TTPs) in a joint advisory issued at this time to assist safety professionals detect and block assaults utilizing this ransomware pressure.
“The Daixin Team is a ransomware and information extortion group that has focused the HPH Sector with ransomware and information extortion operations since no less than June 2022,” the advisory revealed.
Since June, Daixin Team attackers have been linked to a number of well being sector ransomware incidents the place they’ve encrypted programs used for a lot of healthcare providers, together with digital well being information storage, diagnostics, imaging providers, and intranet providers.
They’re additionally recognized for stealing affected person well being data (PHI) and private identifiable data (PII) and utilizing it for double extortion to strain victims into paying ransoms below the specter of releasing the stolen data on-line.
The ransomware gang beneficial properties entry to targets’ networks by exploiting recognized vulnerabilities within the organizations’ VPN servers or with the assistance of compromised VPN credentials belonging to accounts with multi-factor authentication (MFA) toggled off.
Once in, they use Remote Desktop Protocol (RDP) and Secure Shell (SSH) to maneuver laterally by the sufferer’s networks.
To deploy the ransomware payloads, they escalate privileges utilizing numerous strategies, comparable to credential dumping.
This privileged entry can also be used to “achieve entry to VMware vCenter Server and reset account passwords for ESXi servers within the setting” with the identical objective of encrypting the programs utilizing ransomware.
“According to third-party reporting, the Daixin Team’s ransomware is predicated on leaked Babuk Locker supply code,” the federal companies added.
“This third-party reporting in addition to FBI evaluation present that the ransomware targets ESXi servers and encrypts recordsdata positioned in /vmfs/volumes/ with the next extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom be aware can also be written to /vmfs/volumes/.”
Before encrypting their victims’ units, they use Rclone or Ngrok to exfiltrate stolen information to devoted digital personal servers (VPS).
U.S. well being organizations are suggested to take the next measures to defend towards Daixin Team’s assaults:
- Install updates for working programs, software program, and firmware as quickly as they’re launched.
- Enable phishing-resistant MFA for as many providers as attainable.
- Train staff to acknowledge and report phishing makes an attempt.
In August, CISA and the FBI additionally warned that attackers recognized for primarily focusing on the healthcare and medical industries with Zeppelin ransomware would possibly encrypt recordsdata a number of occasions, making file restoration extra tedious.