Daixin Ransomware
The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:
- Deployed ransomware to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
- Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.
Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment.
After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) and Remote Desktop Protocol (RDP). Daixin actors have sought to gain privileged account access through credential dumping and pass the hash. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware on those servers.
According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for targeted file system path and Figure 2 for targeted file extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell “Daixin” as “Daxin.”
Further information – https://www.cisa.gov/uscert/ncas/alerts/aa22-294a
Daixin Team IOCs – Rclone Associated SHA256 Hashes
| File | SHA256 |
| rclone-v1.59.2-windows-amd64\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238 |
| rclone-v1.59.2-windows-amd64\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD |
| rclone-v1.59.2-windows-amd64\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939 |
| rclone-v1.59.2-windows-amd64\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF |
| rclone-v1.59.2-windows-amd64\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28 |
Blogger at www.systemtek.co.uk