Ransomware gang focusing on healthcare sector, authorities say

Federal agencies say a cybercrime group known as the Daixin Team has hit healthcare organizations with ransomware and stolen patient data.

Federal agencies are warning about a ransomware gang that has been targeting the healthcare sector in recent months.

Authorities issued an alert Oct. 21 about an organization known as the Daixin Team, “a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector.”

The Daixin Team has targeted the healthcare sector with ransomware and data extortion operations since at least June 2022, according to a federal Joint Cybersecurity Advisory issued by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services. The gang has been implicated in “multiple” ransomware incidents in the healthcare sector, the advisory states.

Ransomware attacks on hospitals are increasing, industry officials and authorities say. In 2021, 649 ransomware reports were made across critical infrastructure sectors, with the healthcare sector accounting for the most reports with 148 incidents, or about a quarter of all reported, according to the FBI. Cybersecurity analysts say these organizations are targeting hospitals and health systems because they know many will pay the ransom.

Hospitals and health systems need to be aware of this cybercrime gang and closely review the alert from federal authorities, said John Riggi, the top cybersecurity adviser at the American Hospital Association.

“This particularly urgent alert is directly relevant to ongoing ransomware threats currently targeting hospitals and health systems,” Riggi said in a statement.

“The report also contains actionable indicators of compromise, malware signatures that should be loaded into network defense and intrusion detection systems,” Riggi said. “If there is any indication of this ransomware being present on hospital or health system networks, it is recommended that immediate steps be taken to contain, isolate and remediate. It is also strongly recommended that local FBI and CISA field offices be contacted immediately.”

The Daixin Team has deployed ransomware in health systems affecting electronic health records services, diagnostic services, imaging and intranet services, the federal alert states. The ransomware group has also stolen patient health information and other identifiable information and threatened to release it unless the ransom is paid.

Authorities say the Daixin gang gained access to victims through virtual private network (VPN) servers.

In one attack, the gang appears to have exploited “an unpatched vulnerability” in the organization’s VPN server, authorities said. In another instance, the attackers used compromised credentials to access a VPN server that didn’t require multi-factor authentication. Authorities say the attackers obtained those credentials through a phishing email with a malicious attachment.

Cybersecurity experts say ransomware attacks have been increasingly effective.

Troy Ament, Fortinet’s health care field chief information security officer, talked about the threat of ransomware attacks at the American Hospital Association Leadership Summit in July.

“The adversaries have been able to monetize the threats,” Ament said.

“In healthcare, they’ve been able to understand the operations of the environment, and shut the operations down,” he said.

Authorities advise health systems to reduce their risk by installing updates for operating systems and software as soon as they are released. Hospitals and health systems should prioritize patching known vulnerabilities, particularly in VPN servers and remote access software, the advisory states.

Cybersecurity experts have said some health systems have been hit with repeated attacks on the same vulnerable systems that weren’t fixed after the initial breach.

Authorities also suggest health systems should contact their third-party vendors and others connected to their system to review their security. They also stress the importance of training staff to be mindful of phishing attempts and to avoid clicking on unfamiliar websites or unfamiliar links in emails.

To prepare for ransomware attacks, authorities say healthcare organizations should maintain offline backups of data and regularly test that they can be restored. Backup data should be encrypted and immutable, and should cover the organization’s entire data infrastructure, authorities say.

Health systems also must prepare a response plan for ransomware incidents, including notification procedures for data breaches.

Health systems are urged to report ransomware incidents to a local FBI Field Office, or CISA.

This month, CommonSpirit Health reported a ransomware attack that has affected some of its systems and forced some patient appointments to be rescheduled. The system has said it’s cooperating with law enforcement and engaged cybersecurity experts. CHI Health and Virginia Mason Franciscan Health, both part of CommonSpirit, have said they are making progress in restoring systems.

Hundreds of breaches of health information have been reported this year already, affecting millions of Americans.

Cybersecurity attacks have proven to be very costly for hospitals and health systems. The average cyberattack costs $10.1 million, according to an IBM report released in July. Cyberattacks also pose significant risks to patient care if electronic health records are unavailable, and procedures have to be delayed.

Cybersecurity experts have advised hospitals to tie efforts to improve security to patient safety. Riggi told Chief Healthcare Executive in April that workers should understand that disruptions to services and to access to records can delay surgeries and care for cancer patients.

“Cyber hygiene is as important as medical hygiene to protect the patient,” Riggi said.