#StopRansomware: Daixin Team | CISA


Actions to take today to mitigate cyber threats from ransomware:

• Install updates for operating systems, software, and firmware as soon as they are released.
• Require phishing-resistant MFA for as many services as possible.
• Train users to recognize and report phishing attempts.

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.

Download the PDF version of this report (PDF, 591 KB).

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Cybercrime actors routinely target HPH Sector organizations with ransomware:

  • As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.
  • According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors; the HPH Sector accounted for the most reports at 148.

The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:

  • Deployed ransomware to encrypt servers responsible for healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
  • Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.

Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].

After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001] and Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access through credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers.
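The SSH step above (one set of reset credentials used to reach several ESXi hosts in quick succession) is visible in the hosts' own SSH authentication logs. The Python below is an added detection example, not code from the advisory; the log lines are constructed in the style of ESXi /var/log/auth.log (OpenSSH sshd), and the host names, addresses, admin-source allowlist and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of ESXi /var/log/auth.log (OpenSSH sshd);
# host names, addresses and times are made up for this example.
SAMPLE_AUTH_LOG = """\
2022-06-14T02:11:05Z esx01 sshd[2101]: Accepted password for root from 10.20.30.5 port 51022 ssh2
2022-06-14T02:13:41Z esx02 sshd[2217]: Accepted password for root from 10.20.30.5 port 51088 ssh2
2022-06-14T02:15:09Z esx03 sshd[2304]: Accepted password for root from 10.20.30.5 port 51131 ssh2
2022-06-14T09:30:00Z esx01 sshd[3002]: Accepted publickey for root from 10.0.0.10 port 40001 ssh2
2022-06-14T09:31:00Z esx01 sshd[3010]: Failed password for root from 10.20.30.5 port 51500 ssh2
"""

# Assumed: the only jump host administrators may reach ESXi from over SSH.
ALLOWED_SOURCES = {"10.0.0.10"}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Extract successful SSH logins; failed attempts are ignored here."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            logins.append(rec)
    return logins


def find_suspicious(text, allowed=ALLOWED_SOURCES,
                    window=timedelta(minutes=30), min_hosts=2):
    """unexpected_source: ESXi SSH login from outside the admin allowlist.
    fan_out: one source logging in to >= min_hosts ESXi hosts within window,
    the shape of an actor walking reset credentials across the cluster."""
    logins = parse_logins(text)
    findings = [("unexpected_source", r["src"], r["host"])
                for r in logins if r["src"] not in allowed]
    by_src = defaultdict(list)
    for rec in logins:
        by_src[rec["src"]].append(rec)
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            hosts = {e["host"] for e in events[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                findings.append(("fan_out", src, tuple(sorted(hosts))))
                break  # one finding per source is enough for triage
    return findings
```

Run against the sample, the allowlisted jump host produces no findings while the second source is flagged both per host and for the three-host fan-out.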

According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for the targeted file system path and Figure 2 for the targeted file extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell “Daixin” as “Daxin.”

Figure 1: Daixin Team – Ransomware Targeted File Path

Figure 2: Daixin Team – Ransomware Targeted File Extensions

Figure 3: Example 1 of Daixin Team Ransomware Note

Figure 4: Example 2 of Daixin Team Ransomware Note

In addition to deploying ransomware, Daixin actors have exfiltrated data [TA0010] from victim systems. In one confirmed compromise, the actors used Rclone, an open-source program to manage files on cloud storage, to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok, a reverse proxy tool for proxying an internal service out onto an Ngrok domain, for data exfiltration [T1567].

See Table 1 for all referenced threat actor tactics and techniques included in this advisory.
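Both exfiltration paths described above leave traces at the egress point: Rclone announces itself in its HTTP User-Agent, and the Ngrok agent has to reach Ngrok's service domains. The Python below is an added example, not code from the advisory, that runs three checks over constructed egress-proxy log lines; the log format, addresses, file names, Ngrok domain suffixes and byte threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed egress-proxy lines: epoch src method url status bytes_out user_agent.
# Addresses use documentation ranges; the format is assumed, not a real product's.
SAMPLE_PROXY_LOG = """\
1655172000 10.20.30.5 PUT https://203.0.113.7:8443/export/ehr-db.vmdk 200 734003200 rclone/v1.58.1
1655172005 10.20.30.5 PUT https://203.0.113.7:8443/export/pacs-01.vmdk 200 512000000 rclone/v1.58.1
1655172100 10.20.31.9 CONNECT tunnel.us.ngrok.com:443 200 4096 -
1655172200 10.20.40.2 GET https://www.example.org/ 200 2048 Mozilla/5.0
"""

# Assumed Ngrok service domain suffixes; extend from your own threat intel.
NGROK_RE = re.compile(r"(^|\.)ngrok\.(com|io)$")
# Assumed threshold for a "bulk upload" from one internal host to one destination.
BULK_BYTES = 500_000_000


def dest_host(method, url):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        ts, src, method, url, status, nbytes, ua = line.split(None, 6)
        rows.append({"src": src, "dst": dest_host(method, url),
                     "bytes": int(nbytes), "ua": ua})
    return rows


def find_exfil(text, bulk_bytes=BULK_BYTES):
    """rclone_user_agent: Rclone's default UA (rclone/vX.Y.Z) seen from a host.
    ngrok_tunnel: an internal host connecting to an Ngrok service domain.
    bulk_upload: bytes_out from one host to one destination over threshold."""
    findings = set()
    totals = defaultdict(int)
    for r in parse_proxy(text):
        if r["ua"].startswith("rclone/"):
            findings.add(("rclone_user_agent", r["src"]))
        if NGROK_RE.search(r["dst"]):
            findings.add(("ngrok_tunnel", r["src"], r["dst"]))
        totals[(r["src"], r["dst"])] += r["bytes"]
    for (src, dst), total in totals.items():
        if total >= bulk_bytes:
            findings.add(("bulk_upload", src, dst, total))
    return findings
```

The volume check matters because an actor can trivially change Rclone's User-Agent, whereas a large outbound transfer to a single external host is harder to hide.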

Table 1: Daixin Actors’ ATT&CK Techniques for Enterprise

Reconnaissance
  • Phishing for Information: Spearphishing Attachment (T1598.002): Daixin actors have acquired the VPN credentials (later used for initial access) through a phishing email with a malicious attachment.

Initial Access
  • Exploit Public-Facing Application (T1190): Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.
  • Valid Accounts (T1078): Daixin actors use previously compromised credentials to access servers on the target network.

Persistence
  • Account Manipulation (T1098): Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.

Credential Access
  • OS Credential Dumping (T1003): Daixin actors have sought to gain privileged account access through credential dumping.

Lateral Movement
  • Remote Service Session Hijacking: SSH Hijacking (T1563.001): Daixin actors use SSH and RDP to move laterally across a network.
  • Remote Service Session Hijacking: RDP Hijacking (T1563.002): Daixin actors use RDP to move laterally across a network.
  • Use Alternate Authentication Material: Pass the Hash (T1550.002): Daixin actors have sought to gain privileged account access through pass the hash.

Exfiltration
  • Exfiltration Over Web Service (T1567): Daixin Team members have used Ngrok for data exfiltration over web servers.

Impact
  • Data Encrypted for Impact (T1486): Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.


See Table 2 for IOCs obtained from third-party reporting.

Table 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes


FBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity:

  • Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
  • Require phishing-resistant MFA for as many services as possible, particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).
  • Turn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs) and secure them with strong passwords and encryption when enabled.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
  • Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit by man-in-the-middle attacks.
  • Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
  • Secure PII/PHI at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
  • Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored, by cryptography, for example.
  • Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.

In addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident.
    • Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws.
      • Refer to applicable state data breach laws and consult legal counsel when necessary.
      • For breaches involving electronic health information, you may need to notify the Federal Trade Commission (FTC) or the Department of Health and Human Services, and, in some cases, the media. Refer to the FTC’s Health Breach Notification Rule and U.S. Department of Health and Human Services’ Breach Notification Rule for more information.
    • See CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches, for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.

Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement user training programs and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

  • Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • Follow the notification requirements as outlined in your cyber incident response plan.
  • Report incidents to the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.


  • Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
  • Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
  • No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
  • Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3.
  • For additional best practices for Healthcare cybersecurity issues, see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov.


The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at cisa.gov/report.


FBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center (Health-ISAC) for their contributions to this CSA.


The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.


Initial Publication: October 21, 2022

