US warns healthcare sector of ransomware gang Daixin
Three US government bodies have jointly issued warnings about a ransomware gang known as the Daixin Team which has been targeting the American healthcare sector.
An alert about the gang, which has been targeting the health sector in the US “since at least June 2022”, was published by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) on Friday.
The warning describes how, over the past four months, the group has been linked to multiple ransomware incidents in the Healthcare and Public Health (HPH) sector, encrypting servers related to electronic health records, diagnostics, imaging, and intranet services.
The Daixin Team is also said to have exfiltrated personally identifiable information (PII) and patient health information (PHI) as part of a double extortion scheme to secure ransoms from victims.
The CISA statement reported that Daixin actors appeared to have gained initial access to victims through virtual private network (VPN) servers.
In one confirmed compromise, the agencies report that the criminals “most likely exploited an unpatched vulnerability in the organisation’s VPN server”.
In another instance, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled.
According to The Hacker News, victims reportedly include Oakbend Medical Center, which suffered an attack last month; the group claimed to have siphoned roughly 3.5GB of data, including over one million records containing patient and employee information.
The ransomware gang also published a sample containing 2,000 patient records on its data leak site, which included names, genders, dates of birth, Social Security numbers, addresses, and other appointment details, according to DataBreaches.net.
According to Darren Williams, CEO and founder of anti-ransomware specialist BlackFog, the healthcare sector is often a soft target as it has lower levels of protection in place and a general lack of cybersecurity investment.
“Our research shows that healthcare is consistently in the top three of all targeted sectors, hardly a surprise given the wealth of personal data available and the opportunity for double extortion attacks,” he said.
“We know that virtually all ransomware attacks now focus on data exfiltration – the problem we have is that organisations continue to rely on existing defensive technologies that simply aren’t up to the job of preventing these attacks. To secure valuable data, newer technologies such as anti-data exfiltration must be added to the security stack,” he added.