‘Daixin Team’ cyberattackers threatening health care organizations with ransomware


HHS, FBI, CISA issue joint alert against online threat with tips to bolster computer security.

A cybercrime group is actively targeting health care and public health practices, according to a new joint alert from federal agencies.

“Daixin Team” has been hacking into health-care-related computer networks and using ransomware for data extortion since June, said the advisory from the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.

The group has used ransomware to encrypt servers responsible for health care services, including electronic health records, diagnostics, imaging, and intranet services. The group also has exfiltrated personally identifiable information and protected health information, threatening to release it if a ransom is not paid, the government alert said.

Daixin Team has gained initial access to victims through virtual private network servers. In one case, Daixin Team likely exploited an unpatched vulnerability in an organization’s VPN server.

In another case, the attackers used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication enabled. The federal investigators believe the attackers acquired the VPN credentials using a phishing email with a malicious attachment.
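Both initial-access paths above leave traces in VPN authentication logs: a gateway that completes logins with no MFA step, and an account suddenly authenticating from an address it has never used. The following is an added example, not code from the advisory or this article, that triages a few constructed VPN log lines for exactly those two patterns. The log format, the field names (gateway, user, src, mfa, result), and the baseline cut-off date are all assumptions made for the example; adapt the regular expression to whatever your concentrator actually emits.

```python
"""Triage VPN authentication logs for the two initial-access patterns
described in the Daixin Team advisory: successful logins that involved
no MFA step, and successful logins from a source address the account
never used during a baseline period.  Added example; log format and
field names are assumptions, not a real product's output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs).  Assumed one-line format:
# <ISO-8601 UTC timestamp> gateway=<name> user=<name> src=<ip> mfa=<yes|no|none> result=<success|failure>
SAMPLE_LOG = """\
2022-06-01T08:02:11Z gateway=vpn-legacy user=jdoe src=203.0.113.10 mfa=none result=success
2022-06-01T08:05:40Z gateway=vpn-main user=jdoe src=203.0.113.10 mfa=yes result=success
2022-06-01T09:30:00Z gateway=vpn-main user=asmith src=192.0.2.5 mfa=yes result=success
2022-06-03T22:14:02Z gateway=vpn-legacy user=jdoe src=198.51.100.77 mfa=none result=success
2022-06-03T22:14:30Z gateway=vpn-legacy user=asmith src=198.51.100.77 mfa=none result=failure
2022-06-03T22:15:01Z gateway=vpn-legacy user=asmith src=198.51.100.77 mfa=none result=success
2022-06-04T09:00:00Z gateway=vpn-main user=asmith src=192.0.2.5 mfa=yes result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gateway=(?P<gateway>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp into a datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return events


def find_mfa_less_logins(events):
    """Successful logins where the gateway recorded no MFA step at all."""
    return [ev for ev in events if ev["result"] == "success" and ev["mfa"] in ("no", "none")]


def gateways_without_mfa(events):
    """Gateways that have ever completed a login without MFA: the 'legacy VPN' inventory."""
    return {ev["gateway"] for ev in find_mfa_less_logins(events)}


def find_new_source_logins(events, baseline_end_iso):
    """Successful logins after the baseline period from a source IP the
    account never used successfully during the baseline.  An account with
    no baseline history at all is flagged on every login, which is the
    conservative choice for a compromised-credential hunt."""
    baseline_end = parse_ts(baseline_end_iso)
    seen = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["ts"] <= baseline_end:
            seen[ev["user"]].add(ev["src"])
    return [
        ev for ev in events
        if ev["result"] == "success" and ev["ts"] > baseline_end
        and ev["src"] not in seen[ev["user"]]
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Gateways that completed logins without MFA:", sorted(gateways_without_mfa(evs)))
    for ev in find_mfa_less_logins(evs):
        print(f"NO-MFA  {ev['ts']:%Y-%m-%d %H:%M} {ev['gateway']} user={ev['user']} src={ev['src']}")
    for ev in find_new_source_logins(evs, "2022-06-02T00:00:00Z"):
        print(f"NEW-SRC {ev['ts']:%Y-%m-%d %H:%M} {ev['gateway']} user={ev['user']} src={ev['src']}")
```

On the constructed data the script names vpn-legacy as the only gateway completing MFA-less logins, and flags the two 2022-06-03 logins from 198.51.100.77 as new source addresses for jdoe and asmith; the failure immediately preceding asmith's success from that address is the kind of detail worth carrying into the boundary-log evidence the FBI asks for later in this article.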


Improve your cybersecurity

The CISA advisory, available online, has additional technical details, ransom note samples, and recommended cybersecurity improvements. Those recommendations cover protecting against the group's malicious activity and preparing for, preventing, mitigating, and responding to ransomware.

CISA recommends three actions to take today to mitigate cyber threats from ransomware:

• Install updates for operating systems, software, and firmware as soon as they are released.
• Require phishing-resistant MFA for as many services as possible.
• Train users to recognize and report phishing attempts.


For organizations that have been hacked, the FBI is seeking any information that can be shared, including boundary logs showing communications with foreign Internet addresses, sample ransom notes, communications with Daixin Team actors, Bitcoin wallet information, decryptor files, or benign samples of encrypted files.

CISA maintains a website with advisories, security measures, and steps to take if your organization is hacked. Organizations should report ransomware incidents to FBI field offices or CISA.