The Cybersecurity and Infrastructure Security Agency is warning administrators about a new ransomware outbreak amongst healthcare providers.
A CISA advisory issued Friday outlined how a new ransomware crew known as Daixin Team has been infecting and extorting healthcare and public health (HPH) providers.
"The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022," CISA warned.
"Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations."
CISA credited both the FBI and CrowdStrike in reporting the attacks.
According to CISA, the Daixin Team hackers have been specifically targeting HPH companies to access patient records and data. The group has taken a particular interest in accessing database, imaging and diagnostics systems within networks.
CISA noted that the group's entry methods may vary. In at least one case, the access point was a phishing email that resulted in the theft of VPN account credentials that did not have two-factor authentication enabled. The Daixin Team threat actors then used those credentials to access the organization's legacy VPN server, CISA said.
Once inside victims' networks, the hackers used a modified version of the Babuk Locker ransomware believed to be derived from leaked source code. The ransomware specifically targets ESXi servers for data encryption.
The victim is served a note with instructions on how to access a TOR site to contact the ransomware operators and pay the ransom demand. Infected users are given a five-day deadline.
While ransom payment demands are nothing new in ransomware, in this case the cybercriminals could have additional leverage over healthcare victims. The release of medical information could not only be disastrous from a business perspective but could also violate both state and federal laws and regulations governing the privacy and security of medical records.
The warning over Daixin comes as many experts are expecting to see a rise in little-known or new ransomware groups filling the void caused by earlier shutdowns or busts of prominent groups.