Daixin Team

Who Is Daixin Team?

Daixin Team is a financially motivated ransomware gang, active since at least June 2022, that has posed a severe threat to the US Healthcare and Public Health (HPH) sector. Although Daixin Team does not exclusively target the HPH sector, it has acutely impacted health service organizations in the US, stealing electronic health records, personally identifiable information (PII), and patient health information (PHI) and disrupting diagnostics, imaging, and intranet services.

In a notable late 2022 breach, Daixin Team compromised AirAsia Group, Malaysia's largest airline, leaking the PII of over 5 million unique passengers along with employee records. In February 2023, Daixin breached the multibillion-dollar food company B&G Foods. Neither AirAsia nor B&G Foods negotiated with the threat actor, and stolen internal documents and customer data were subsequently published on Daixin's leak site.

Daixin Team punishes its victims with a double extortion tactic: it encrypts files, rendering them unusable, and threatens to publicly release the data it has stolen. Beyond sensitive documents and databases, Daixin also encrypts critical network resources, including virtual machines, rendering them unavailable.

How Daixin Team Attacks Work

Daixin Team typically gains initial access to target networks via unsecured virtual private network (VPN) servers by exploiting unpatched vulnerabilities, misconfigurations, and stolen credentials. In some instances, Daixin has used phishing campaigns to obtain VPN credentials from its victims.

Once inside a victim's network, Daixin Team conducts second-stage reconnaissance to harvest internal network credentials from the compromised system and uses them to move laterally, primarily over SSH and Remote Desktop Protocol (RDP). For data exfiltration, Daixin uses the command-line cloud storage tool Rclone and the tunnelling and reverse proxy service Ngrok to send sensitive data to virtual private servers outside the victim's network.

Daixin Team's encryption module is based on the Babuk Locker ransomware source code and uses different schemes for small and large files. Small files are encrypted twice with the ChaCha8 stream cipher, while large files are split into three sections and only the first 10 MB of each section is encrypted, which keeps encryption fast on multi-gigabyte disk images while still rendering them unusable. Daixin actors have also reset ESXi server administrator passwords and deployed the ransomware on those servers, encrypting files under /vmfs/volumes/ with the .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn extensions and leaving a ransom note in /vmfs/volumes/.
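To make the large-file scheme concrete, the following is an added example, not code from the original page or from Daixin's or Babuk's encryptor. It models the "three sections, first 10 MB of each encrypted" layout, reports how little of a large .vmdk is actually touched, and runs an entropy-based triage check over a constructed stand-in file. Assumptions: the three sections are equal thirds (the last absorbing any remainder); random bytes stand in for ChaCha8 ciphertext; the small-file path is not modeled because the page does not give its size threshold.

```python
import math
import os
from collections import Counter

# 10 MB head per section, as described for Daixin's large-file scheme.
SECTION_HEAD = 10 * 1024 * 1024


def sections(file_size, head_len=SECTION_HEAD):
    """Split a file into three sections (assumed equal thirds, the last one
    absorbing any remainder) and return (start, head_end, end) per section.
    Only the bytes in [start, head_end) are encrypted."""
    third = file_size // 3
    out = []
    for i in range(3):
        start = i * third
        end = file_size if i == 2 else (i + 1) * third
        out.append((start, min(start + head_len, end), end))
    return out


def encrypted_bytes(file_size, head_len=SECTION_HEAD):
    """Total number of bytes the scheme actually encrypts."""
    return sum(head_end - start for start, head_end, _ in sections(file_size, head_len))


def shannon_entropy(buf):
    """Bits of entropy per byte: 0 for empty input, 8 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def looks_head_encrypted(data, head_len=SECTION_HEAD, threshold=7.0):
    """Triage check: every section head is high-entropy while the rest of each
    section is not. Compressed or already-encrypted content in the tails will
    defeat this, so treat a True as a lead for forensics, not as proof."""
    for start, head_end, end in sections(len(data), head_len):
        if shannon_entropy(data[start:head_end]) < threshold:
            return False
        if end > head_end and shannon_entropy(data[head_end:end]) >= threshold:
            return False
    return True


def make_sample(file_size, head_len, encrypted):
    """Constructed stand-in for a .vmdk: low-entropy filler, with each section
    head overwritten by os.urandom bytes that stand in for ChaCha8 ciphertext."""
    data = bytearray((b"VMFS block " * (file_size // 11 + 1))[:file_size])
    if encrypted:
        for start, head_end, _ in sections(file_size, head_len):
            data[start:head_end] = os.urandom(head_end - start)
    return bytes(data)


if __name__ == "__main__":
    size = 100 * 1024 ** 3  # a 100 GB virtual disk
    enc = encrypted_bytes(size)
    print(f"{enc / size:.6%} of a 100 GB file is encrypted ({enc // 2 ** 20} MB)")
    sample = make_sample(3 * 65536, 8192, encrypted=True)  # scaled-down sizes
    print("head-only encryption detected:", looks_head_encrypted(sample, 8192))
```

On a 100 GB disk image only 30 MB is ciphertext, so the bulk of the guest data still exists on disk for carving even though the damaged headers and section starts leave the VM unbootable; the entropy profile (three high-entropy islands at fixed offsets) is also a usable signature when triaging a hit ESXi datastore.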

Signs of a Daixin Team Attack

The FBI, CISA, and HHS released a joint advisory on the Daixin Team threat with indicators of compromise (IOCs), including malware file hashes and the group's known tactics, techniques, and procedures (TTPs), which defenders can turn into YARA rules, endpoint detections, and intrusion detection system (IDS) signatures. As with most ransomware operations, Daixin Team attacks are accompanied by a distinctive ransom note instructing victims to contact a handler to negotiate payment.
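The TTPs above (RDP/SSH lateral movement, Rclone and Ngrok for exfiltration, ESXi password resets) translate directly into detection logic. The script below is an added example, not code from the original page or from the joint advisory: it runs three simple rules over constructed sample telemetry in a simplified JSON-lines shape of our own (the field names host, platform, type, image, cmdline, proto, src, dst and user are assumptions, not any vendor's schema), and the fan-out threshold of three distinct hosts is likewise an assumed tuning value.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified JSON-lines shape of our own
# (not Sysmon, not any EDR schema): one process-creation or logon event per line.
SAMPLE_EVENTS = r"""
{"ts":"2023-02-01T02:10:05Z","host":"fs01","platform":"windows","type":"process","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy D:\\Shares\\PHI mega:dump --transfers 32"}
{"ts":"2023-02-01T02:11:40Z","host":"jump01","platform":"linux","type":"process","image":"/tmp/ngrok","cmdline":"/tmp/ngrok tcp 22"}
{"ts":"2023-02-01T02:12:02Z","host":"esx02","platform":"esxi","type":"process","image":"/bin/passwd","cmdline":"passwd root"}
{"ts":"2023-02-01T02:12:30Z","host":"ws07","platform":"windows","type":"process","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2023-02-01T01:50:00Z","host":"ws01","type":"logon","proto":"rdp","src":"10.0.5.12","dst":"ws01","user":"itadmin"}
{"ts":"2023-02-01T01:52:10Z","host":"fs01","type":"logon","proto":"rdp","src":"10.0.5.12","dst":"fs01","user":"itadmin"}
{"ts":"2023-02-01T01:55:45Z","host":"esx02","type":"logon","proto":"ssh","src":"10.0.5.12","dst":"esx02","user":"root"}
{"ts":"2023-02-01T01:58:05Z","host":"db01","type":"logon","proto":"ssh","src":"10.0.5.12","dst":"db01","user":"root"}
{"ts":"2023-02-01T08:30:00Z","host":"ws05","type":"logon","proto":"rdp","src":"10.0.9.3","dst":"ws05","user":"jsmith"}
"""

# Exfiltration tooling named in the advisory, matched on the image basename.
EXFIL_TOOLS = re.compile(r"(^|[\\/])(rclone|ngrok)(\.exe)?$", re.IGNORECASE)
# Credential reset on an ESXi host via the passwd applet or esxcli's account
# command. Both are legitimate admin actions, so correlate with change windows.
ESXI_PW_RESET = re.compile(r"(^|\s)(passwd\b|esxcli\s+system\s+account\s+set\b)", re.IGNORECASE)


def detect(jsonl, fanout_threshold=3):
    """Run the three rules over JSON-lines telemetry; return (rule, subject, detail) hits."""
    hits = []
    lateral_dests = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "process":
            if EXFIL_TOOLS.search(ev["image"]):
                hits.append(("exfil_tool", ev["host"], ev["cmdline"]))
            if ev.get("platform") == "esxi" and ESXI_PW_RESET.search(ev["cmdline"]):
                hits.append(("esxi_password_reset", ev["host"], ev["cmdline"]))
        elif ev["type"] == "logon" and ev["proto"] in ("rdp", "ssh"):
            lateral_dests[ev["src"]].add(ev["dst"])
    # One source reaching many distinct hosts over RDP/SSH is the fan-out pattern
    # of hands-on-keyboard lateral movement; the threshold is an assumed tuning value.
    for src, dsts in lateral_dests.items():
        if len(dsts) >= fanout_threshold:
            hits.append(("lateral_fanout", src, ",".join(sorted(dsts))))
    return hits


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {subject:12} {detail}")
```

The rules key on behaviour rather than on file hashes, so a renamed rclone binary would still be caught by its command line if the image-name rule were extended to cmdline tokens; the hashes from the advisory belong in a separate, exact-match feed and should complement rather than replace this kind of logic.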

How to Prevent a Daixin Team Attack

  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOPs) for handling suspicious emails and documents
  • Ensure that updates and security patches are applied across the entire IT environment, including security products, operating systems, and applications
  • Employ public key infrastructure and enforce the use of multi-factor authentication to harden authentication and authorization for all critical assets and services
  • Implement modern Identity and Access Management tools 
  • Use network security appliances such as IDS and next-gen firewalls and further harden a network and segment critical systems to a separate VLAN / Windows domain
  • Install and configure advanced endpoint security products on all endpoints to detect IOCs and take defensive action to block Daixin payloads from executing
  • Harden and monitor remote access services such as Remote Desktop Protocol (RDP), SSH, and VPN gateways, the channels Daixin relies on for initial access and lateral movement
  • Use the principle of least privilege when architecting networks to avoid adding users to the local administrator group unless required
  • Secure all PII and PHI according to the applicable regulations and target compliance requirements
  • Maintain a solid backup strategy that includes offline (air-gapped), encrypted, and immutable backups of critical data, and regularly test backup integrity and restoration procedures against target RPO and RTO
  • Disable SMBv1 and any other outdated versions of Server Message Block (SMB), and restrict SMB exposure wherever it is not needed

CylanceOPTICS Prevents Ransomware Attacks

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents, with root cause analysis, smart threat hunting, and automated detection and response capabilities. Its Endpoint Detection and Response (EDR) approach effectively eliminates response latency, which can be the difference between a minor security incident and a widespread, uncontrolled event.