Daixin Ransomware Group Actively Targeting Public and Private Healthcare Organizations with Data Theft, Ransom Demands
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) in October 2022 released a joint Cybersecurity Alert about the Daixin Team. Daixin is a cybercrime gang aggressively targeting U.S. businesses, predominantly in healthcare and public health, with new ransomware attacks and data extortion schemes.
Healthcare organizations are frequent and popular ransomware targets for a variety of reasons. Through October 2022, healthcare accounted for 25% of all ransomware complaints submitted to the FBI Internet Crime Complaint Center (IC3). For the year 2021, healthcare ransomware complaints totaled 23%, the most reports from any sector that year.
How Daixin Gains Access to Your Healthcare Data
According to the Alert, Daixin hackers gain access to sensitive data in healthcare networks and systems in several ways, including:
- Exploiting vulnerabilities in your organization’s virtual private network (VPN) server.
- Using previously compromised credentials to access a legacy VPN server that has not enabled multifactor authentication (MFA).
- Acquiring VPN access credentials through phishing emails with malicious attachments.
Once Daixin has obtained unauthorized access to your VPN servers, they can move laterally within your system via Secure Shell Protocol (SSH) and Remote Desktop Protocol (RDP).
They may access privileged accounts through credential dumping and ‘pass the hash’ techniques. Then, they can use the compromised accounts to access your VMware vCenter Servers and reset account passwords for VMware ESXi servers in the environment. Finally, they can employ SSH to connect to your ESXi servers and install ransomware on them. Boom.
In addition to launching new ransomware attacks, Daixin hackers may exfiltrate data from your servers. They have been known to use an open-source program called Rclone, which manages files in cloud storage, to move data to their own dedicated virtual private servers as well as Ngrok, a reverse proxy tool, to exfiltrate data.
What You Should Do to Reduce Your Risk
The FBI, CISA & HHS Alert of October 2022 urges healthcare organizations to take immediate actions to safeguard their systems against the growing ransomware threat and related malicious activity. Most of this guidance isn’t new—it simply needs to be implemented.
- Patch Promptly. Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching your VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider using a centralized patch management system to automate and expedite the process.
- Require MFA. Require phishing-resistant Multifactor Authentication for as many services as possible. This is especially important for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
- Secure RDP. If you use Remote Desktop Protocol (RDP), secure and monitor it.
  - Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure.
  - After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication to mitigate credential theft and reuse.
  - If RDP must be available externally, use a virtual private network, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
  - Monitor remote access/RDP logs. Block brute force campaigns by enforcing account lockouts after a specified number of attempts. Log RDP login attempts. And disable unused remote access/RDP ports.
- Ensure devices are properly configured and that security features are enabled. Misconfiguration is a common source of vulnerability in organizations of all kinds. Disable ports and protocols that are not being used for business purposes (for example, RDP Transmission Control Protocol Port 3389).
- Secure SSH. Turn off Secure Shell Protocol and other network device management interfaces, such as Telnet, Winbox, and HTTP for wide area networks. When enabled, secure with strong passwords and encryption.
- Segment Network. Implement and enforce multilayer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
- Authenticate Connections. Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record (EHR) system. This will also ensure data packages are not manipulated while in transit by man-in-the-middle attacks.
- Avoid Admin Accounts. Use standard user accounts on internal systems instead of administrative accounts. Admin accounts carry broad, system-wide privileges and violate the principle of least privilege.
- Secure PII and ePHI. Secure personally identifiable information (PII) and electronic protected health information (ePHI) at collection points. Encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store patient data on internal systems that are protected by firewalls. Make sure that extensive, up-to-date, usable backups are available in the event your data is ever compromised.
- Comply with HIPAA. Secure the collection, storage, and processing practices for PII and PHI as required by HIPAA and other applicable regulations. Implementing HIPAA security measures can prevent the introduction of malware on networks and systems.
- Mask PAN. Protect stored data by masking the permanent account number (PAN) when it is displayed. Render it unreadable when it is stored through cryptography or similar technique.
- Monitor IoT. Use monitoring tools to observe whether IoT devices are behaving erratically, which can occur when devices are compromised.
- Complete Policies. Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII and PHI.
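As an added illustration of the "monitor RDP logs and enforce lockouts" guidance above (example code written for this article, not part of the Alert), the following Python script applies a failed-logon threshold to constructed records modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10, the RemoteInteractive type used by RDP. The threshold, time window, account names and IP addresses are all assumptions; it flags accounts to lock, sources to block, and the telling case of a success from a source that had just been hammering the server.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10
LOCKOUT_THRESHOLD = 5            # assumed lockout policy: 5 failures ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes


def _ev(time, event_id, logon_type, user, src):
    """Build one constructed record with the Security-log fields we need."""
    return {"time": time, "id": event_id, "logon_type": logon_type, "user": user, "src": src}


# Constructed sample log: one account brute-forced then logged in, one password
# spray across five accounts, one benign typo-then-success, one non-RDP failure.
SAMPLE_EVENTS = (
    [_ev(f"2022-10-21T02:00:0{i}", FAILED_LOGON, 10, "jsmith", "203.0.113.7") for i in range(1, 7)]
    + [_ev("2022-10-21T02:00:30", SUCCESS_LOGON, 10, "jsmith", "203.0.113.7")]
    + [_ev(f"2022-10-21T02:01:0{i}", FAILED_LOGON, 10, f"user{i}", "198.51.100.9") for i in range(5)]
    + [_ev("2022-10-21T02:05:00", FAILED_LOGON, 10, "nurse1", "10.0.0.5"),
       _ev("2022-10-21T02:05:20", SUCCESS_LOGON, 10, "nurse1", "10.0.0.5"),
       _ev("2022-10-21T02:06:00", FAILED_LOGON, 3, "svc_backup", "10.0.0.9")]
)


def find_rdp_bruteforce(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return (accounts to lock, sources to block, successes from a blocked source).

    Failures are counted per account (classic brute force) and per source
    (password spray, which never trips a per-account lockout on its own).
    """
    failures_by_user, failures_by_src = defaultdict(list), defaultdict(list)
    lockout, block, suspicious = set(), set(), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons matter here
        t = datetime.fromisoformat(e["time"])
        if e["id"] == FAILED_LOGON:
            for key, store, out in ((e["user"], failures_by_user, lockout),
                                    (e["src"], failures_by_src, block)):
                # keep only failures inside the sliding window, then test the threshold
                store[key] = [x for x in store[key] if t - x <= window] + [t]
                if len(store[key]) >= threshold:
                    out.add(key)
        elif e["id"] == SUCCESS_LOGON and e["src"] in block:
            # a login that succeeded after the source exceeded the threshold
            suspicious.append((e["user"], e["src"], e["time"]))
    return sorted(lockout), sorted(block), suspicious


if __name__ == "__main__":
    print(find_rdp_bruteforce(SAMPLE_EVENTS))
```

In production the same logic would read events from the Security log (or a SIEM) rather than the constructed list, and the "success after blocked source" case is the one that should page someone.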
In addition, the Alert urges all organizations, whether in healthcare or other industries, to follow recommendations to prepare specifically for ransomware attacks.
Preparing for New Ransomware Attacks
Take advantage of all available expert resources, such as the CISA Ransomware Guide and Fact Sheet entitled Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches. This resource offers guidance for creating a ransomware response checklist, and for planning and responding to data breaches caused by ransomware attacks.
- Backup Your Data. Maintain offline, physically disconnected backups of data, and regularly test backup and restoration procedures. These practices can safeguard your organization’s operational continuity, or at least minimize downtime from a ransomware incident, and protect against data losses. Ensure all backup data is encrypted, cannot be altered or deleted, and covers the entire organization’s data infrastructure.
- Plan Your Response. Create, maintain, and exercise a cyber incident response plan and associated communications plan that include procedures for responding to a ransomware incident, and notifying interested parties of a data breach. Ensure the procedures adhere to applicable state laws.
- ePHI Notification. For breaches involving electronic protected health information (ePHI), you may need to notify the Federal Trade Commission, the Department of Health and Human Services, and possibly the media. Refer to the FTC Health Breach Notification Rule and HHS Breach Notification Rule for specifics.
Responding to a Ransomware Attack
In the event that your organization experiences a ransomware incident, the FBI, CISA & HHS Alert provides the following advice.
- Activate your organization’s Ransomware Response Plan and follow the checklist you created as part of the plan and the notification procedures outlined in the plan. This is not the time to be winging it, and your plan will ensure that you take all the necessary steps in logical sequence.
- Locate your most current data backup and, if possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing your vital backup data to potential compromise.
- Report ransomware incidents to the FBI at a local FBI Field Office or the FBI Internet Crime Complaint Center, or to CISA at https://www.cisa.gov/report.
It is important to understand that the FBI, CISA, and HHS strongly discourage paying ransoms to recover your data for several reasons. First, doing so does not guarantee the return of your files and records. Second, according to the Alert, making ransom payments may embolden hackers to target other organizations and continue to spread ransomware. Third, paying ransoms for your data can encourage other cybercriminals to expand their operations to include ransomware exploits. Finally, paying ransoms can help to fund other illicit or criminal activities.
Healthcare organizations continue to be frequent and popular ransomware targets, and new ransomware attacks launched by Daixin honor the tradition. Through October 2022, healthcare accounted for 25% of all ransomware complaints submitted to the FBI Internet Crime Complaint Center (IC3). In 2020, healthcare accounted for 77% of all data breaches affecting 500 records or more, including ransomware and all other attack vectors.
The FBI, CISA & HHS Joint Alert published in October 2022 provides actionable guidance for safeguarding your organization from Daixin and other ransomware rings. CISA offers numerous free resources for guidance in securing your data. Assistance is also available from expert sources who specialize in the healthcare industry and HIPAA compliance, such as 24By7Security. Several global cybersecurity frameworks have been streamlined recently to make it even easier to comply with healthcare data security and privacy regulations. With so much help available, there is no excuse for healthcare organizations to allow themselves and their patients to be victimized by hackers, attackers, and other bad actors.