Ransomware Group Is Targeting U.S. Healthcare Sector: FBI

FBI Agent Using a Laptop

U.S. Federal agencies released a security advisory on Friday, October 21, warning that the Daixin Team ransomware group is actively targeting U.S. businesses, particularly organizations in the health sector.

The joint advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) said the group has attacked multiple organizations in the health sector since June.

The Daixin Team exploits unpatched vulnerabilities and also uses stolen credentials to hack into the virtual private network (VPN) servers of targeted organizations. The group does not just deploy ransomware to encrypt the data on these servers but also siphons the personal data of patients and their health records, threatening to release them if targets do not comply with their ransom demands.

So far, the group has targeted servers used to store health records, and those used to provide diagnosis, imaging, and intranet services.

Hacking VPN Servers

The advisory highlighted two separate attacks from the Daixin Team, where the group hacked VPN servers to access sensitive files on targeted networks. In one instance, the group “likely” exploited a software vulnerability in a VPN server. In another, the group leveraged stolen credentials, possibly harvested from an email phishing attack, to access a VPN server that did not have multi-factor authentication (MFA).

The group also uses credential dumping to bypass security and hijack administrative privileges on victims’ systems.

Once they have access, the Daixin Team moves laterally inside a compromised system via Secure Shell (SSH) and Remote Desktop Protocol (RDP). They leverage administrative access to reset account passwords on VMware vCenter servers and deploy ransomware on ESXi servers.

The Daixin Team usually leaves a ransom note that reads: “Welcome to the ransomware world! We have infiltrated critical documents and information from your network. Your systems are encrypted.” The message contains instructions on how to contact the group through the dark web.

U.S. Health Sector in the Crosshairs

The U.S. health sector appears to be in the crosshairs of cybercriminals, and it’s not just the Daixin Team that poses a threat. Over the past two years, we have reported on the threat of ransomware like Cerber and Ryuk to healthcare organizations.

In October 2020, the FBI and CISA released an advisory warning healthcare organizations to improve the security of their networks after ransomware attacks on four healthcare centers in just one week.

In May 2021, the FBI identified at least 16 different Conti ransomware attacks on healthcare and first responder networks.

According to the FBI’s Internet Crime Report 2021, there were 649 complaints to the Internet Crime Complaint Center (IC3) about ransomware attacks on organizations in critical infrastructure sectors last year. Of all 16 sectors, healthcare and public health organizations saw the most attacks — 148. In comparison, the IC3 recorded just 89 ransomware attacks on financial services companies and 74 on information technology (IT) companies.

Security Recommendations

The FBI, CISA, and HHS outlined several security recommendations for U.S. businesses and healthcare providers to fend off the Daixin Team and other ransomware groups. You can read more about it here.

Are you interested in learning more about how to secure your systems and protect your organization from ransomware? Check out our in-depth guide to ransomware for some valuable security tips.

If your organization suffers a ransomware attack, report it to your local FBI Field Office, CISA, or Secret Service Field Office.

U.S. security agencies, including the FBI and CISA, strongly advise against paying ransom to cyber criminals as it does not guarantee you’ll be able to recover your files.

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the advisory said.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.