Daixin Team’ Ransomware Gang Targeting Hospitals, Public Health Organizations

AHA Cybersecurity Advisory
October 24, 2022

Joint warning from FBI, CISA and HHS outlines tactics and technical details the health care sector should know to protect their life- and mission-critical infrastructure

A trio of federal agencies is warning of a new ransomware threat perpetuated by the “Daixin Team” cybercrime group that is targeting U.S. health care and public health organizations. In response to the observed threat, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Health and Human Services (HHS) issued a joint cybersecurity advisory with recent and historically observed tactics, techniques and procedures (TTPs), along with indicators of compromise (IOCs), to help organizations protect their life- and mission-critical infrastructure.

“This ransomware poses a current and serious threat to hospitals and health systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Not only does this gang encrypt data on site, it also exfiltrates personal identifiable information and patient health information and threatens to release the information if a ransom is not paid. Most concerning is that the deployed ransomware encrypts servers responsible for health care services, including electronic health records services, diagnostics services, imaging services, and other medical technology. This may cause a disruption and delay of urgent care delivery, risking patient safety.

“The joint agency report contains actionable IOCs, including malware signatures that should be loaded into network defense and intrusion detection systems. If there is any indication of this ransomware being present on hospitals’ or health systems’ networks, it is recommended that immediate steps be taken to contain, isolate and remediate. It is also strongly recommended that local FBI and CISA field offices be contacted immediately.”

WHAT YOU CAN DO

  • Share this AHA Cybersecurity Advisory with your organization’s IT and cyber infrastructure teams.
     
  • Hospitals and health systems should review the above-identified alerts and bulletins for guidance on risk mitigation procedures, including increased network monitoring for unusual network traffic or activity, especially around active directories. Additionally, it is important to heighten staffs’ awareness of increased risk of receiving phishing emails.
     
  • Install updates for operating systems, software and firmware as soon as they are released.
     
  • If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely. Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389). Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB. Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity. Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established protocol. Open document readers in protected viewing modes to help prevent active content from running.
     
  • Implement user training programs and phishing awareness exercises that increase users’ understanding about the risks of visiting suspicious websites, clicking on suspicious links and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
     
  • Require MFA for as many services as possible, particularly for webmail, VPNs, accounts that access critical systems and privileged accounts that manage backups.
     
  • Use strong passwords and avoid reusing passwords for multiple accounts. See CISA’s Security Tip: Choosing and Protecting Passwords and National Institute of Standards and Technology (NIST) Special Publication 800-63B: Digital Identity Guidelines for more information.
     
  • Require administrator credentials to install software.
     
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
     
  • Install and regularly update antivirus and anti-malware software on all hosts.
     
  • Only use secure networks and avoid using public wi-fi networks. Consider installing and using a VPN.
     
  • Consider adding an email banner to messages coming from outside your organizations.
     
  • Disable hyperlinks in received emails.

FURTHER QUESTIONS

If you have further questions, please contact John Riggi, AHA’s national advisor for cybersecurity and risk, at jriggi@aha.org.