THREAT ACTOR: Daixin Team
Since June 2022, Daixin Team attackers have been linked to multiple health sector ransomware incidents where they've encrypted systems used for many healthcare services, including electronic health records storage, diagnostics, imaging services, and intranet services.
They are also known for stealing protected health information (PHI) and personally identifiable information (PII) and using it for double extortion: victims are pressured to pay under the threat that the stolen data will be published online.
The group gains initial access either by exploiting known vulnerabilities in the victim's VPN servers or by logging in with compromised VPN credentials for accounts that do not have multi-factor authentication (MFA) enabled. Once inside, they move laterally through the victim's network over Remote Desktop Protocol (RDP) and Secure Shell (SSH).
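The access pattern described above (a VPN login for an account without MFA, followed by RDP or SSH connections from the VPN-assigned address to several internal hosts) is something a SOC can hunt for by correlating VPN authentication logs with network connection logs. The script below is an added example and is not from the original advisory or from any vendor tooling; the log formats, field names, the two-hour window and the three-host threshold are assumptions chosen for illustration, and the log entries are constructed, not real telemetry.

```python
"""Correlate VPN logins without MFA with follow-on RDP/SSH fan-out.

Added example (not from the advisory). Log schemas, the correlation
window and the host threshold are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication events: (timestamp, user, mfa_used, assigned_ip)
VPN_LOG = [
    ("2022-06-01T08:00:00", "jsmith", True, "10.8.0.10"),
    ("2022-06-01T09:30:00", "alee", True, "10.8.0.11"),
    ("2022-06-01T23:10:00", "svc_backup", False, "10.8.0.23"),
]

# Constructed network connection events: (timestamp, src_ip, dst_ip, dst_port)
CONN_LOG = [
    ("2022-06-01T08:05:00", "10.8.0.10", "10.1.5.20", 443),   # normal web traffic
    ("2022-06-01T09:40:00", "10.8.0.11", "10.1.5.20", 3389),  # one RDP hop, MFA user
    ("2022-06-01T23:12:00", "10.8.0.23", "10.1.5.20", 3389),  # non-MFA session fans out
    ("2022-06-01T23:14:00", "10.8.0.23", "10.1.5.21", 22),
    ("2022-06-01T23:16:00", "10.8.0.23", "10.1.5.22", 3389),
    ("2022-06-01T23:18:00", "10.8.0.23", "10.1.6.5", 22),
]

# Ports the advisory associates with lateral movement.
LATERAL_PORTS = {22: "ssh", 3389: "rdp"}


def parse_ts(s):
    """Parse the ISO-8601 timestamps used in the constructed logs."""
    return datetime.fromisoformat(s)


def logins_without_mfa(vpn_log):
    """Weak signal on its own: every VPN login that did not use MFA."""
    return [(user, ip) for _, user, mfa, ip in vpn_log if not mfa]


def find_suspicious_sessions(vpn_log, conn_log,
                             window=timedelta(hours=2), min_hosts=3):
    """Strong signal: a non-MFA VPN login whose assigned address then opens
    RDP/SSH connections to at least `min_hosts` distinct internal hosts
    within `window` of the login.

    Returns one finding per matching VPN session.
    """
    # Index lateral-movement connections by source address.
    conns_by_src = defaultdict(list)
    for t, src, dst, port in conn_log:
        if port in LATERAL_PORTS:
            conns_by_src[src].append((parse_ts(t), dst, LATERAL_PORTS[port]))

    findings = []
    for t, user, mfa, ip in vpn_log:
        if mfa:
            continue  # only sessions that bypassed MFA are in scope here
        start = parse_ts(t)
        end = start + window
        targets = defaultdict(set)  # dst_ip -> protocols seen
        for ct, dst, proto in conns_by_src.get(ip, []):
            if start <= ct <= end:
                targets[dst].add(proto)
        if len(targets) >= min_hosts:
            findings.append({
                "user": user,
                "vpn_ip": ip,
                "login": t,
                "targets": sorted(targets),
                "protocols": sorted({p for s in targets.values() for p in s}),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sessions(VPN_LOG, CONN_LOG):
        print(f"ALERT: {f['user']} ({f['vpn_ip']}) logged in without MFA at "
              f"{f['login']} and reached {len(f['targets'])} hosts over "
              f"{'/'.join(f['protocols'])}: {', '.join(f['targets'])}")
```

The MFA flag alone produces too many hits in most environments (service accounts, legacy clients), so the detection keys on the combination: no MFA plus RDP/SSH fan-out from the assigned VPN address shortly after login. Tune the window and host threshold to your own baseline of administrator behaviour, and treat a hit as a trigger to pull the VPN appliance's own logs for the session rather than as proof of compromise.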