How to protect against the Daixin Team Ransomware Group
Ransomware attacks are common and becoming more creative, and as attackers evolve, so do their choice of targets and methodology. As of October 2022, the FBI’s Internet Crime Complaint Center (IC3) holds victim reports across all 16 critical infrastructure sectors, but the healthcare and public health sector alone accounted for 25% of ransomware complaints.
This year, the Daixin Team ransomware group has caused chaos for healthcare data security teams. If you are looking to research the Daixin Team ransomware attacks on the healthcare sector, investigate solutions that can be put in place to keep these attacks from happening again, or learn more about how to prevent their encryption-based attack, look no further!
What is the Daixin Team?
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health & Human Services (HHS) have warned in a joint cybersecurity advisory that “The Daixin Team ransomware and data extortion group is an active threat to the healthcare sector.” Since June 2022, the group has been targeting businesses and primary healthcare organizations. What makes them so dangerous to healthcare organizations is that they have deployed ransomware to encrypt the essential servers of healthcare providers.
How do they work?
The Daixin Team is not unique in this respect: when they target a hospital, the goal is to steal sensitive information, and they do so by encrypting the servers responsible for running the facility. Another goal these healthcare cyber attackers may have is to exfiltrate PII and patient health information (PHI), then threaten to release the data if the organization refuses to pay the demanded ransom.
While healthcare data in general has become a target for ransomware, Daixin Team’s technical approach and the note left at the end leave no mystery about who has your PHI. Here’s their methodology.
Step One: Daixin Team actors use a virtual private network (VPN) server to gain access to their target’s systems. The initial access method has ranged from obtaining credentials through phishing emails and logging in where Multi-Factor Authentication (MFA) is not enforced, to exploiting an unpatched vulnerability in the target organization’s own VPN server.
Step Two: Once inside, Daixin actors move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP); the ransomware they eventually deploy is based on Babuk Locker source code. According to the agencies in the advisory, privileged accounts allowed the attackers to get into VMware vCenter Servers. Once they reset account passwords for ESXi servers, they deploy their ransomware.
Step Three: Once they are freely moving about the network, Daixin actors look for PII/PHI to exfiltrate. Data is exfiltrated before Step Four and used as additional leverage to collect the ransom.
Step Four: Daixin actors then proceed to encrypt the system and the victim sees a note such as:
What differentiates healthcare cyberattacks?
For providers, their services are no longer safe places to host personally identifiable information (PII) or personal health information (PHI), as patients’ records are at the mercy of the Daixin Team. Hospitals are already vulnerable locations, as their clientele are patients who may need critical care.
Given the volume of sensitive data they store, the number of connected devices they use, and the possibility that a disruption in crucial treatment could force an organization to pay the ransom, healthcare facilities and their data have grown to be a popular public sector target for ransomware and extortion operators. PHI also fetches very good prices on the dark web, and Daixin actors are motivated by this additional revenue stream as well.
If it has already happened to your organization, it is not your fault, and you are in the right place to protect your organization moving forward. Let’s discuss preventing these dire consequences and keeping your patients’ care going throughout a Daixin Team attempt.
What does the US healthcare system suggest regarding data protection and cybersecurity?
Some of the suggestions for how to keep healthcare data secure, according to the warning advisory, include:
- Keeping operating systems, software, and firmware updated
- Securing and monitoring RDP
- Requiring MFA as much as possible
- Implementing network segmentation
- Turning off SSH
- The advisory also suggested that healthcare organizations secure PHI as required by HIPAA, to keep bad actors from gaining a foothold in the system. HIPAA data is typically required to be secured via encryption.
- Traditionally, encryption of healthcare data was only available while the data was at rest, i.e., not actively in use. This meant that when bad actors such as Daixin attackers broke in successfully, they could easily decrypt it using stolen credentials. Now, however, there are solutions offering encryption-in-use, which can ensure that even attackers holding admin credentials cannot get to PII and PHI in unencrypted form. These systems provide immunity to such attacks and further protect organizations.
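The advisory items above are a checklist; the defender's question is what "monitoring RDP" and watching for the Daixin access chain (VPN logon without MFA, SSH/RDP hops between internal hosts, then ESXi password resets from vCenter) looks like in practice. The following script is an added example written for this article, not code from the advisory, from Titaniam, or from any vendor: it triages a handful of constructed log lines in an invented `key=value` format (the sample lines, hostnames, user names and the `event=` vocabulary are all assumptions) and flags each stage, then reports any user who appears in all three stages, which is the pattern worth paging someone about.

```python
"""
Triage of constructed log lines for the three access stages summarized in
the advisory: VPN logons that succeeded without MFA, SSH/RDP connections
between internal hosts, and ESXi account password resets. The log format
and every value below are constructed for this example; adapt parse_line()
to your own VPN, Windows, sshd and vCenter log sources.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from any real system). Format:
# <timestamp> <source-host> event=<name> key=value ...
SAMPLE_LOGS = """\
2022-10-19T02:14:07Z vpn-gw event=vpn_login user=jsmith src=203.0.113.45 mfa=no result=success
2022-10-19T02:14:09Z vpn-gw event=vpn_login user=mlee src=198.51.100.7 mfa=yes result=success
2022-10-19T02:20:31Z srv-file01 event=rdp_logon user=jsmith src=10.10.5.23 dst=10.10.20.14
2022-10-19T02:22:02Z srv-db02 event=ssh_login user=jsmith src=10.10.20.14 dst=10.10.30.8
2022-10-19T02:25:44Z srv-db02 event=ssh_login user=jsmith src=10.10.20.14 dst=10.10.30.9
2022-10-19T02:40:12Z vcenter01 event=esxi_password_reset user=jsmith host=esxi-03
2022-10-19T03:01:00Z srv-app07 event=ssh_login user=backup src=10.10.40.2 dst=10.10.40.3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kv>.*)$")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

STAGES = ("vpn_no_mfa", "lateral_movement", "esxi_password_reset")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "source": m.group("source")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def is_internal(addr):
    """True when addr is an RFC 1918 address (internal-to-internal hop)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def triage(text, lateral_threshold=2):
    """Return a list of (finding_kind, user, detail) tuples.

    Single events (VPN logon without MFA, ESXi password reset) are reported
    as they occur; lateral movement is reported per user once that user has
    reached at least lateral_threshold distinct internal hosts over SSH/RDP.
    """
    findings = []
    lateral = defaultdict(set)  # user -> distinct internal destination hosts
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event, user = rec.get("event"), rec.get("user", "?")
        if event == "vpn_login" and rec.get("result") == "success" and rec.get("mfa") != "yes":
            findings.append(("vpn_no_mfa", user, rec["ts"]))
        elif event in ("ssh_login", "rdp_logon") and is_internal(rec.get("src", "")) \
                and is_internal(rec.get("dst", "")):
            lateral[user].add(rec["dst"])
        elif event == "esxi_password_reset":
            findings.append(("esxi_password_reset", user, rec.get("host", "?")))
    for user, hosts in lateral.items():
        if len(hosts) >= lateral_threshold:
            findings.append(("lateral_movement", user, ",".join(sorted(hosts))))
    return findings


def users_matching_chain(findings):
    """Users seen in every stage of the chain: VPN without MFA -> lateral -> ESXi reset."""
    seen = defaultdict(set)
    for kind, user, _ in findings:
        seen[user].add(kind)
    return {user for user, kinds in seen.items() if kinds.issuperset(STAGES)}


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for kind, user, detail in results:
        print(f"{kind:22s} user={user} {detail}")
    print("full chain observed for:", sorted(users_matching_chain(results)))
```

On the constructed input the script reports the VPN logon without MFA, three distinct internal hosts reached over RDP/SSH, and the ESXi password reset, all for the same user; the `backup` account touching a single host stays below the lateral-movement threshold. The threshold and the "full chain" rule are the knobs to tune against your own baseline so that routine administration does not page anyone while a credential-reuse chain does.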
Ransomware prevention: How can I further prevent my organization from Daixin Team Ransomware?
Titaniam solutions support all sectors, including healthcare and other sensitive verticals, with their data security. Using Titaniam, organizations can secure existing systems against data exfiltration and extortion, as well as build new ransomware-proof products from scratch.
The following is a list of Titaniam’s offerings:
Titaniam FileShare Security: Titaniam provides always-on encryption for file servers and other file-sharing platforms. Titaniam ensures that all files are always secured with NIST FIPS 140-2 validated strong encryption and unencrypted data is not available directly from the file share regardless of privilege. Since data is encrypted before it lands, ransomware actors cannot access unencrypted data even if they are inside the firewall and moving laterally without restriction. The data release is strongly governed via policy, can be released in a number of private formats, can be rate limited, and can be plugged into other access controls as required.
Titaniam Vault: Titaniam Vault is a stand-alone data vault that can store and analyze structured and unstructured data, all while retaining strong NIST FIPS 140-2 encryption without decrypting data at any time, including in memory or under the hood. With backup in place and strong encryption-in-use, Titaniam Vault is immune to cyberattacks, including ransomware. The Titaniam Vault also improves on traditional tokenization solutions by providing all the capabilities of tokenization with the added benefit of rich data usability. If used for tokenization, the Titaniam Vault can secure any type of existing datastore or existing application, and can also be used to build ground-up systems that are natively immune to data compromise. Data can be released from the Vault in nine different privacy-preserving formats so that downstream systems are also protected from ransomware attacks and insider threats.
Titaniam Plugin: Titaniam Plugin protects sensitive data inside major enterprise search platforms without limiting full-featured search capabilities or degrading search performance. Titaniam Plugin is available for all versions of Elasticsearch, OpenDistro, and OpenSearch on AWS/Azure. The Titaniam plugin can be up and running on enormous big-data clusters within hours. Data inside Titaniam-protected platforms cannot be exfiltrated in clear text, even if the cluster is compromised during a ransomware attack or insider attack, or is left exposed by accident.
Titaniam API/Translation service: Titaniam’s API service can stand alone or integrate with any of the other Titaniam products to yield a high-performing data translation service. The Titaniam Translation Service can be used independently to make existing applications resistant to ransomware and other data-related cyberattacks. It can also ensure that protected data leaving other Titaniam products can be easily translated into clear text or other private formats by downstream applications. Across the nine secure and private formats (including searchable encryption) and the supported data types, including keywords, text, numbers, dates, IP addresses, binary, and PII-specific data types, the Titaniam API enables other Titaniam-protected systems to be completely locked down, aligned with the Zero Trust data security standard.
Titaniam Studio: Finally, the Studio provides an interface for managing other Titaniam products. It provides dashboards, reports, and granular compliance certifications in the event of a successful attack. Uniquely, the Titaniam Studio gives CISOs critical post-attack documentation as they can use Titaniam Studio reports as auditable evidence that their data retained encryption throughout the attack.
Highlights of the product’s capabilities include:
- Protection from the most common and highly damaging types of ransomware attacks involving data exfiltration. These include large-scale unstructured and structured data exfiltration using privileged credentials.
- Strong security benefits without performance penalty. Titaniam’s data ingest overhead is under 5% when compared to clear text, and Titaniam runs search with 0% overhead. Depending on the volume of data, the storage overhead is typically 15%. Titaniam’s closest comparable solutions suffer from exceedingly large compute (500% overhead) and storage (10,000% overhead) requirements.
- Titaniam’s ability to release data in an application-friendly manner minimizes the need for application changes.
- Titaniam has been built to perform at an enormous data scale without loss of performance, handling petabytes of data and millions of keys with ease.
- Titaniam provides post-attack support for those who suffer a cyber attack. Uniquely, in the event of an attack, the software provides a report with visibility into any data that was observed, accessed, or exfiltrated. This offers auditable evidence that the data retained encryption. This helps avoid ransom payouts and also reduces liability, penalty, and notification obligations for regulated industries, private companies, and all who have a duty to their users to protect data.
To see a demonstration of how these products work, click here.