Daixin Team Targets Healthcare Organizations with Ransomware Attacks

Keep up to date with latest blog posts

On October 21, 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Daixin Team [1] with The Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS). 

Daixin Team disrupts operations of Healthcare and Public Health (HPH) organizations with ransomware and steals personal identifiable information (PII) and patient health information (PHI). Then, the cyber threat group threatens to release the stolen information unless the ransom is paid. 

In this blog post, we explained tactics, techniques, and procedures used by Daixin Team.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

Daixin Team

Daixin Team is a financially motivated ransomware and data extortion group that emerged in June 2022. The threat group mainly targets Healthcare and Public Health (HPH) organizations in the US. 

The first known victim of the Daixin Team was Fitzgibbon Hospital in Marshall, Missouri. The cyber threat group claims to have encrypted servers and backups and stolen 40 GB of sensitive data, including patient and employee records. According to Daixin Team's spokesperson, the hospital did not pay the demanded ransom, and in response, the threat group leaked the stolen data to the public [2].

Daixin Team targeted another healthcare organization on September 1, 2022. OakBend Medical Center, located in Richmond, Texas, was hit by ransomware and data exfiltration attacks. Daixin Team claimed to steal nearly 3.5 GB of sensitive information. The sample of stolen data indicates that the PII data belonging to patients can be viewed in plaintext, including their names, addresses, and Social Security Numbers.

Daixin Team's spokesperson claims that the cyber threat group's motivation is financial. The spokesperson claimed that they had also attacked Russian and Commonwealth of Independent States (CIS) targets, but the victims did not care about the data leak and did not pay the ransom.

Figure 1: Ransom note after Daixin Team ransomware attack infection [1]

TTPs Used by Daixin Team

Daixin Team uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:

Tactic: Initial Access

  • T1078 Valid Accounts

    Daixin Team gains initial access to their target's network using compromised credentials. In a confirmed cyber attack, Daixin Team used compromised credentials to access a VPN service that did not have multifactor authentication enabled.

  • T1190 Exploit Public Facing Application

Daixin threat actors abuse unpatched vulnerabilities in public-facing services such as VPN services to gain access to their target's network.

Tactic: Persistence

  • T1098 Account Manipulation

Daixin Team establishes persistence by resetting account passwords for VMware ESXi servers using privileged accounts. 

Tactic: Credential Access

  • T1003 OS Credential Dumping

Daixin threat actors gain access to privileged accounts using the OS credential dumping technique.

Tactic: Lateral Movement

  • T1563.001 Remote Service Session Hijacking: SSH Hijacking

Daixin Team uses compromised and harvested credentials to move laterally in the victim's network using Secure Shell (SSH).

  • T1563.002 Remote Service Session Hijacking: RDP Hijacking

Daixin threat actors use compromised and harvested credentials to move laterally in the victim's network using Remote Desktop Protocol (RDP).

  • T1550.002 Use Alternate Authentication Material: Pass the Hash

Some services, such as SMB, can use password hashes for authentication in addition to the password itself. Daixin Team abuses this feature and uses password hashes to move laterally in the victim's network.

Tactic: Exfiltration

  • T1567 Exfiltration Over Web Service

Daixin threat actors use Rclone to exfiltrate data to a virtual private server (VPS) that they control. Also, Daixin uses Ngrok to create a secure tunnel for data exfiltration.

Tactic: Impact

  • T1486 Data Encrypted for Impact

Daixin Team encrypts their victims' files and directories using ransomware that is based on leaked Babuk Locker.

  • T1490 Inhibit System Recovery

Daixin threat actors delete their victims' backups so that they cannot recover encrypted data.


[1] "#StopRansomware: Daixin Team." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-294a. [Accessed: Oct. 24, 2022]

[2] "MO: Fitzgibbon Hospital hit by ransomware, sensitive data leaked." [Online]. Available: https://www.databreaches.net/mo-fitzgibbon-hospital-hit-by-ransomware-sensitive-data-leaked/. [Accessed: Oct. 24, 2022]


Keep up to date with latest blog posts