Federal agencies, including the Department of Health, FBI and CISA, warned that the Daixin ransomware group is actively targeting the healthcare sector. (Photo by Joe Raedle/Getty Images)

The Daixin ransomware group is actively, and successfully, targeting the healthcare sector in force, with multiple provider organizations facing extortion claims after falling victim to the actors’ tactics since June, according to an urgent joint alert from multiple federal agencies.

While Daixin’s cyberattacks hit all industries, public health and healthcare entities are the predominant targets.

The joint alert from the Department of Health and Human Services, the FBI, and the Cybersecurity and Infrastructure Security Agency sheds light on Daixin’s tactics and provides recommendations for remediating risks around this pressing threat, while urging provider organizations to take swift action to prevent falling victim.

“This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems,” John Riggi, AHA’s national advisor for cybersecurity and risk, said in a statement. Providers should review indicators of compromise as “if there is any indication of this ransomware being present on hospital or health system networks, it is recommended that immediate steps be taken to contain, isolate and remediate.”

The alert notes, and Riggi confirms, that it’s also strongly recommended that local FBI and CISA field offices be contacted immediately if any ransomware IOCs are uncovered on the network.

The healthcare sector vs. the Daixin ransomware group

Daixin began targeting the healthcare sector with extortion and ransomware operations as early as June, leaving a trail of network disruptions and data exfiltration in its wake.

These attacks include deploying ransomware on the servers that provide healthcare services, including electronic health records, diagnostics, imaging, and intranet services, in addition to extortion attempts based on exfiltrated protected health information and personally identifiable information.

One of Daixin’s most notable attacks was the OakBend Medical Center cyberattack, which resulted in weeks of network outages. The data proofs posted on the group’s dark-web site showed over 1 million records allegedly pulled from the hospital’s internal servers.

Initial access is typically gained by targeting weaknesses in virtual private network (VPN) servers, while the group’s ransomware variant is based on the Babuk Locker source code.

The alert reveals that in one confirmed incident, Daixin likely exploited an unpatched security flaw in the organization’s VPN server. In another compromise, the actors leveraged compromised credentials against a legacy VPN that failed to employ multi-factor authentication. The credentials were stolen through a phishing email that contained a malicious link.

“In one confirmed compromise, the actors used Rclone — an open-source program to manage files on cloud storage — to exfiltrate data to a dedicated virtual private server,” according to the alert. “In another compromise, the actors used Ngrok — a reverse proxy tool for proxying an internal service out onto an Ngrok domain — for data exfiltration.”

Once inside, the actors move laterally across the network using various means, including the Remote Desktop Protocol and Secure Shell. With SSH access, the actors can “connect to accessible ESXi servers and deploy ransomware on those servers.”

The group has also been observed attempting to gain access to privileged accounts through credential dumping and “pass the hash.” Successful attempts enable the actors to access VMware vCenter Servers, before resetting the account passwords for ESXi servers in the environment. 
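The SSH-to-ESXi lateral movement described above is a high-signal event for defenders, because ESXi hosts are rarely administered over SSH from ordinary workstations. The following is an added detection example, not code from the alert or from any of the agencies; it assumes sshd auth logs are collected centrally in syslog form with the hostname prefixed, and that the ESXi hostnames are known from inventory. Host names, IPs and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of ESXi hostnames (assumption for this example)
ESXI_HOSTS = {"esx01", "esx02", "esx03"}

# Standard sshd "Accepted" line, prefixed with timestamp and hostname
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(lines):
    """Yield (timestamp, host, user, src) for every accepted SSH login."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"])

def find_esxi_ssh_fanout(lines, window=timedelta(minutes=30), min_hosts=2):
    """Return alerts: one per accepted SSH login to an ESXi host, plus one
    'fan-out' alert per source IP that reached min_hosts distinct ESXi hosts
    within the window (the lateral-movement pattern the alert describes)."""
    alerts = []
    by_src = defaultdict(list)  # src -> [(ts, host)]
    for ts, host, user, src in parse(lines):
        if host not in ESXI_HOSTS:
            continue
        alerts.append(f"esxi_ssh_login host={host} user={user} src={src}")
        by_src[src].append((ts, host))
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append(f"esxi_ssh_fanout src={src} hosts={sorted(hosts)}")
                break
    return alerts

# Constructed sample log lines (not real data); the failed login is ignored
SAMPLE_LOG = """\
2022-10-21T09:58:02 fileserver01 sshd[2201]: Accepted publickey for backup from 10.20.0.9 port 51000 ssh2
2022-10-21T10:01:14 esx01 sshd[3310]: Accepted keyboard-interactive/pam for root from 10.20.5.41 port 50122 ssh2
2022-10-21T10:06:40 esx02 sshd[3322]: Accepted keyboard-interactive/pam for root from 10.20.5.41 port 50130 ssh2
2022-10-21T10:09:03 esx03 sshd[3341]: Accepted keyboard-interactive/pam for root from 10.20.5.41 port 50141 ssh2
2022-10-21T10:15:00 esx01 sshd[3350]: Failed password for root from 10.20.5.41 port 50150 ssh2
"""
```

Running `find_esxi_ssh_fanout(SAMPLE_LOG.splitlines())` yields three login alerts and one fan-out alert for 10.20.5.41; the non-ESXi file server login is not reported.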

The alert contains full details into each tactic and the techniques used by Daixin, in hopes that healthcare entities will review these processes and apply the recommended measures. The insights also include indicators of compromise for review.

The leading actions include ensuring updates have been installed on all operating systems, software, and firmware, using multi-factor authentication “for as many services as possible” but particularly for webmail, and turning “off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for WANs and secure with strong passwords and encryption when enabled.”

The recommendations will also support defense measures for other ransomware attacks, an important process as overall ransomware attacks against the healthcare sector have remained consistent in the last few years. The latest data from the FBI Internet Complaint Center shows the healthcare sector accounts for 25% of attacks against critical infrastructure this year, so far. 

In 2021, the industry had the most reports with 148 successful ransomware attacks.