Ransomware blocking users laptop computer

Daixin Ransomware Group Is Actively Targeting The Healthcare Sector

Daixin a ransomware group is actively targeting U.S. companies, according to CISA, the FBI, and the Department of Health and Human Services (HHS). With ransomware attacks, their primary target is the Healthcare and Public Health (HPH) Sector.
In a recent combined advisory release, the government agencies also offered indicators of compromise (IOCs) and tactics, methods, and procedures (TTPs) to help security experts in identifying and blocking attacks utilising this ransomware outbreak.

The group has tried many attacks on the healthcare industry since at least June 2022. In particular, the group has used ransomware to encrypt servers that are critical to the healthcare system, including EHR systems, diagnostic tools, and imaging services.

According to the advisory:

Since at least June 2022, The Daixin Team has been analysing extortion and ransomware attacks on the HPH Sector. Daixin actors have caused ransomware incidents at multiple HPH Sector organizations.

CISA claims that during these attacks, servers in control of providing healthcare services were encrypted using ransomware, and personally identifiable information (PII) and protected health information (PHI) were stolen and warned to be leaked if a ransom was not paid.

How did Daixin access the system?

The ransomware group uses compromised VPN credentials from users with multi-factor authentication (MFA) turned off or known vulnerabilities in the enterprises’ VPN server to access the targets’ networks.

According to the experts, Babuk Locker source code is probably the root of the Daixin Team’s programme. An image of a typical Daixin ransom letter was included, along with a list of specific indications of compromise (IOCs). Attackers enter the victim’s network and navigate laterally using Secure Shell (SSH) and Remote Desktop Protocol (RDP).

Ransom message from Daixin Group
Ransom message from Daixin Group (CISA)

The attackers utilised different techniques, including credential dumping and pass the hash, to escalate privileges to spread the ransomware. They exploited Rclone or Ngrok to part of a shared stolen data to specialised virtual private servers (VPS) before encrypting their targets’ devices.

To accomplish the same objective of using ransomware to encrypt the systems, this privileged access is also utilised to get access to VMware vCenter Server and reset account passwords for ESXi hosts in the environment.

According to CISA Advisory:

The actors have used privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers.


The health sector was urged to take steps to protect against Daixin Team operations by CISA, FBI, and HHS. Healthcare institutions should prioritise updating known vulnerabilities, remote access software, VPN servers, and virtual machine software.

The federal authorities advised the businesses to protect and monitor RDP and to implement spam detection multifactor authentication (MFA) for as many services as feasible.

CISA urged healthcare institutions to secure PHI as necessary by HIPAA in along with network segmentation and strict data access management procedures.

The CISA report also included effective help on how to detect, prevent, and handle ransomware attacks. Healthcare businesses need to make sure that all backup data is protected, keep up with cyber incident response (IR) procedures, and put user education programmes into action. The actual statement of the advice includes a detailed list of mitigations as well as protective measures.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts