{
	"id": "6d62e63f-7050-472a-bfd3-d0fd7b6f70d2",
	"created_at": "2026-04-06T00:14:29.385847Z",
	"updated_at": "2026-04-10T03:24:29.633164Z",
	"deleted_at": null,
	"sha1_hash": "04ecfaec730c3be623cdc89466087e67b5c6cedf",
	"title": "Daixin Team Ransomware Group Protection | Portal26",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1508437,
	"plain_text": "Daixin Team Ransomware Group Protection | Portal26\r\nBy lsdigitalmarketing\r\nPublished: 2022-11-28 · Archived: 2026-04-05 15:31:23 UTC\r\nHow to protect against the Daixin Team Ransomware Group\r\nRansomware attacks are common and becoming more creative, and as attackers evolve, so do their choice of targets and their methodology. As of October 2022, the FBI’s Internet Crime Complaint Center (IC3) held victim reports across all 16 critical infrastructure sectors, but the healthcare and public health sector alone accounted for 25% of ransomware complaints.\r\nThis year, the Daixin Team ransomware group has caused chaos for healthcare data security teams. If you are looking to research the Daixin Team ransomware attacks on the healthcare sector, investigate solutions that can be put in place to keep these attacks from succeeding again, or learn more about how to blunt their encryption-based attack, look no further!\r\nWhat is the Daixin Team?\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health \u0026 Human Services (HHS) have warned in a joint cybersecurity advisory that “The Daixin Team ransomware and data extortion group is an active threat to the healthcare sector.” Since June 2022, the group has been targeting businesses, predominantly healthcare organizations. What makes them so dangerous to healthcare organizations is that they have deployed ransomware to encrypt the servers that care delivery depends on, including electronic health record, diagnostics, imaging and intranet services.\r\nhttps://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/\r\nPage 1 of 7\n\nHow do they work?\r\nThe Daixin Team is not unique in its goals: when they target a hospital, the aim is to take control of its sensitive information, and they do this by encrypting the servers responsible for running the facility. 
Another goal these healthcare cyber attackers may have is to exfiltrate PII and patient health information (PHI), then threaten to release the data if the organization refuses to pay the demanded ransom.\r\nWhile healthcare data in general has become a ransomware target, Daixin Team’s technical approach and the note they leave at the end remove any mystery about who has your PHI. Here’s their methodology.\r\nStep One: Daixin Team actors gain initial access through the target’s virtual private network (VPN) server. The way in has ranged from credentials harvested by phishing emails and then used against a VPN that does not enforce Multi-Factor Authentication (MFA), to exploitation of an unpatched vulnerability in the organization’s own VPN server.\r\nStep Two: Once inside, Daixin actors move laterally over Secure Shell (SSH) and Remote Desktop Protocol (RDP). According to the agencies in the advisory, privileged accounts gave the attackers access to VMware vCenter Server, from which they reset the account passwords of ESXi servers; they then connect to those ESXi hosts over SSH and deploy their ransomware, which is based on Babuk Locker source code.\r\nStep Three: While moving freely about the network, Daixin actors look for PII/PHI to exfiltrate. Data is exfiltrated before Step Four and used as additional leverage to collect the ransom.\r\nStep Four: Daixin actors then encrypt the systems, and the victim sees a note such as:\r\nWhat differentiates healthcare cyberattacks?\r\nFor providers, their services are no longer safe to host personally identifiable information (PII) or personal health information (PHI), as patients’ records are at the mercy of the Daixin Team. 
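Detection logic for the four-step path described under How do they work?, as an added example that is not from the Portal26 page or from the FBI/CISA/HHS advisory: it runs three correlation rules over a constructed, normalized event log (the event shape, the field names, and every host, user and address value are assumptions made for this example), flagging VPN logons without MFA, vCenter-issued ESXi password resets followed by an SSH logon to the same host, and whether the SSH source had already been seen in an earlier RDP or SSH hop.

```python
from datetime import datetime, timedelta

# Constructed sample events in a normalized, SIEM-style shape. The field names
# (ts, type, user, src, host, mfa, target_host, target_user) are assumptions
# made for this example; map your own VPN, jump-host, vCenter and ESXi logs
# onto them before using the rules below.
SAMPLE_EVENTS = [
    # The suspicious chain: password-only VPN logon, RDP hop, root password
    # reset on esxi-03 via vCenter, then SSH to esxi-03 from the same hop.
    {'ts': '2022-10-01T02:10:00', 'type': 'vpn_logon', 'user': 'jdoe',
     'src': '203.0.113.7', 'host': 'vpn-gw01', 'mfa': False},
    {'ts': '2022-10-01T02:14:00', 'type': 'rdp_logon', 'user': 'jdoe',
     'src': '10.0.5.20', 'host': 'jump01'},
    {'ts': '2022-10-01T02:40:00', 'type': 'vcenter_password_reset',
     'user': 'svc-vmadmin', 'src': '10.0.5.20', 'host': 'vcenter01',
     'target_host': 'esxi-03', 'target_user': 'root'},
    {'ts': '2022-10-01T02:47:00', 'type': 'ssh_logon', 'user': 'root',
     'src': '10.0.5.20', 'host': 'esxi-03'},
    # Routine activity: an MFA-backed VPN logon, a reset on esxi-07 whose SSH
    # follow-up is hours later, and a planned reset plus SSH on esxi-05 from
    # an admin workstation that never appeared in an RDP/SSH hop.
    {'ts': '2022-10-01T08:00:00', 'type': 'vpn_logon', 'user': 'asmith',
     'src': '198.51.100.9', 'host': 'vpn-gw01', 'mfa': True},
    {'ts': '2022-10-01T09:00:00', 'type': 'vcenter_password_reset',
     'user': 'svc-vmadmin', 'src': '10.0.9.4', 'host': 'vcenter01',
     'target_host': 'esxi-07', 'target_user': 'root'},
    {'ts': '2022-10-01T11:00:00', 'type': 'vcenter_password_reset',
     'user': 'svc-vmadmin', 'src': '10.0.9.4', 'host': 'vcenter01',
     'target_host': 'esxi-05', 'target_user': 'root'},
    {'ts': '2022-10-01T11:05:00', 'type': 'ssh_logon', 'user': 'root',
     'src': '10.0.9.4', 'host': 'esxi-05'},
    {'ts': '2022-10-01T15:30:00', 'type': 'ssh_logon', 'user': 'root',
     'src': '10.0.9.4', 'host': 'esxi-07'},
]


def _parse(events):
    # Copy each event with its timestamp turned into a datetime, sorted by time.
    out = []
    for e in events:
        e = dict(e)
        if isinstance(e['ts'], str):
            e['ts'] = datetime.fromisoformat(e['ts'])
        out.append(e)
    return sorted(out, key=lambda e: e['ts'])


def vpn_logons_without_mfa(events):
    # Step One: a VPN session established with a password alone is the kind of
    # logon a phished credential is enough for.
    return [(e['user'], e['src']) for e in _parse(events)
            if e['type'] == 'vpn_logon' and not e.get('mfa', False)]


def esxi_reset_then_ssh(events, window_minutes=60):
    # Step Two: an ESXi account password reset issued through vCenter followed,
    # within the window, by an SSH logon to that same ESXi host. One alert per
    # matching (reset, ssh) pair, in reset order.
    parsed = _parse(events)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for reset in parsed:
        if reset['type'] != 'vcenter_password_reset':
            continue
        for ssh in parsed:
            if ssh['type'] != 'ssh_logon' or ssh['host'] != reset['target_host']:
                continue
            if reset['ts'] <= ssh['ts'] <= reset['ts'] + window:
                alerts.append({'esxi_host': ssh['host'],
                               'reset_by': reset['user'],
                               'reset_at': reset['ts'].isoformat(),
                               'ssh_user': ssh['user'],
                               'ssh_src': ssh['src'],
                               'ssh_at': ssh['ts'].isoformat()})
    return alerts


def daixin_chain(events, window_minutes=60):
    # Tie the stages together: an alert is marked as linked when the address
    # that SSHed into the freshly reset ESXi host had already been used for an
    # RDP or SSH hop earlier in the log, i.e. one operator walking the path.
    parsed = _parse(events)
    chain = []
    for alert in esxi_reset_then_ssh(parsed, window_minutes):
        reset_at = datetime.fromisoformat(alert['reset_at'])
        prior_hops = {e['src'] for e in parsed
                      if e['type'] in ('rdp_logon', 'ssh_logon')
                      and e['ts'] < reset_at}
        alert['linked_lateral_hop'] = alert['ssh_src'] in prior_hops
        chain.append(alert)
    return chain


if __name__ == '__main__':
    for a in daixin_chain(SAMPLE_EVENTS):
        print(a)
```

The 60-minute window and the prior-hop linkage are the knobs to tune. An SSH logon to an ESXi host minutes after its root password was reset from vCenter is rare enough in most estates to page on by itself, which is also why disabling SSH on ESXi hosts that do not need it removes the very step this rule watches for.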
Hospitals are already vulnerable locations, as their clientele are patients who may need critical care.\r\nGiven the volume of sensitive data they store, the number of connected devices they utilize, and the possibility that a disruption in crucial treatment could force them to pay the ransom, healthcare organizations are attractive targets. PHI also fetches a good price on the dark web, and Daixin actors are motivated by this additional revenue stream as well. For these reasons, healthcare data and the facilities that hold it have grown to be a popular public sector target of ransomware and extortion operators.\r\nIf it has already happened to your organization, it is not your fault, and you are in the right place to protect your organization moving forward. Let’s discuss preventing these dire consequences and keeping your patients’ care going throughout a Daixin Team attempt.\r\nWhat does the US healthcare system suggest regarding data protection and cybersecurity?\r\nThe mitigations the three advisory agencies suggest for keeping healthcare data secure include:\r\nKeeping operating systems, software, and firmware updated\r\nSecuring and monitoring RDP\r\nRequiring MFA as much as possible\r\nImplementing network segmentation\r\nTurning off SSH and other network device management interfaces (such as Telnet, Winbox, and HTTP) for wide area networks, and securing them with strong passwords and encryption when they must be enabled\r\nThe advisory also reminds healthcare organizations that they must secure PHI as required by HIPAA. Under the HIPAA Security Rule, encryption of electronic PHI is an addressable implementation specification, and in practice it is the expected control.\r\nTraditionally, encryption of healthcare data was only available while data was at rest, i.e. not being actively utilized. Disk or volume encryption is transparent to any process that authenticates to the host, so when bad actors such as Daixin attackers broke in with stolen credentials, the operating system decrypted the data for them on read. 
However, there are now solutions offering encryption-in-use that can ensure that even attackers holding admin credentials cannot get to PII and PHI in unencrypted form. These systems make the data itself resistant to the attack, protecting the organization even after the perimeter has failed.\r\nRansomware prevention: How can I further prevent my organization from Daixin Team Ransomware?\r\nPortal26 solutions support all sectors, including healthcare and other sensitive verticals, with their data security. Using Portal26, organizations can secure existing systems against data exfiltration and extortion, as well as build new ransomware-proof products from scratch.\r\nHow Portal26 Works for Ransomware Defense\r\nWhen a data store is protected using Portal26, the primary attack path being defended is the admin attack vector. The idea is not to interfere at all with end user activities and business flows, but to ensure that if attackers get admin privileges and manage to reach large volumes of data, they cannot leave with it in clear text. Without a sizable amount of stolen data, attackers have no leverage for ransom demands.\r\n1. Portal26 is deployed on a fileshare via agent or in front of it via proxy. For object stores, Portal26 is deployed as a proxy. For enterprise search platforms it is deployed as a plugin, and for structured databases Portal26 enables sensitive data to be substituted with either format-preserving tokens or other privacy-preserving formats.\r\n2. Sensitive data in Portal26-protected systems is encrypted using NIST FIPS 140-2 certified encryption without loss of functionality. Search is preserved in search platforms, and for databases using tokens, full querying is supported in a companion vault.\r\n3. 
When Portal26 encrypts files, the encryption covers the data itself as well as the names of files and folders. This makes it hard for bad actors to traverse these repositories and pick and choose the data they want to take.\r\n4. For data in search platforms, Portal26 encrypts both the source data and the reverse index.\r\n5. When attackers break in and try to steal large volumes of data from file servers, object stores, databases and search platforms, they cannot access the data in unencrypted form even if they reach it using admin credentials. Even sensitive data in memory retains encryption.\r\nBy eliminating large-scale data exfiltration and limiting clear text to what individual users need at the time, Portal26 dramatically reduces the blast radius of ransomware and extortion-based attacks.\r\nFind out more about ransomware defense by exploring our top 3 ransomware defense strategies and mistakes to avoid.\r\nThe following is a list of Portal26’s offerings:\r\nPortal26 FileShare Security: Portal26 provides always-on encryption for file servers and other file-sharing platforms. Portal26 ensures that all files are always secured with NIST FIPS 140-2 validated strong encryption and that unencrypted data is not available directly from the file share regardless of privilege. Since data is encrypted before it lands, ransomware actors cannot access unencrypted data even if they are inside the firewall and moving laterally without restriction. Data release is strongly governed by policy, can be released in a number of private formats, can be rate limited, and can be plugged into other access controls as required.\r\nPortal26 Object Store Proxy: Portal26 Proxy provides transparent application-level NIST FIPS 140-2 validated encryption for cloud object stores. 
Whereas native cloud platform encryption secures data from compromise at the cloud provider, encrypting with Portal26 ensures ransomware protection and complete data security if the enterprise itself is the victim of an attack. Portal26 supports privacy-enabled data release in nine secure and private formats as well as full-featured search on encrypted data. The Portal26 Proxy bolts onto non-extensible legacy or fragile systems and transparently directs sensitive data in and out according to security or privacy policy. Portal26 Proxy is available for both AWS and Azure environments.\r\nPortal26 Vault: Portal26 Vault is a stand-alone data vault that can store and analyze structured and unstructured data, all while retaining strong NIST FIPS 140-2 encryption without decrypting data at any time, including in memory or under the hood. With backup in place and strong encryption-in-use, Portal26 Vault is immune to cyberattacks, including ransomware. The Portal26 Vault also wins against traditional tokenization solutions by providing all the capabilities of tokenization with the added benefit of rich data usability. If used for tokenization, the Portal26 Vault can secure any type of existing datastore or existing application and also build ground-up systems that are natively immune to data compromise. Data can be released from the Vault in nine different privacy-preserving formats so that downstream systems are also protected from ransomware attacks and insider threats.\r\nPortal26 Plugin: Portal26 Plugin protects sensitive data inside major enterprise search platforms without limiting full-featured search capabilities or degrading search performance. Portal26 Plugin is available for all versions of Elasticsearch, OpenDistro, and OpenSearch on AWS/Azure. 
The Portal26 plugin can be up and running on enormous big-data clusters within hours. Data inside Portal26-protected platforms cannot be exfiltrated in clear text, even if the cluster is compromised during a ransomware attack or insider attack, or is left exposed by accident.\r\nPortal26 API/Translation service: Portal26’s API service can stand alone or integrate with any of the other Portal26 products to yield a high-performing data translation service. The Portal26 Translation Service can be used independently to make existing applications resistant to ransomware and other data-related cyberattacks. It can also ensure that protected data leaving other Portal26 products can be easily translated into clear text or other private formats by downstream applications. Across the nine secure and private formats (including searchable encryption) and the supported data types, including keywords, text, numbers, dates, IP addresses, binary and PII-specific data types, the Portal26 API enables other Portal26-protected systems to be completely locked down, aligned with the Zero Trust data security standard.\r\nPortal26 Studio: Finally, the Studio provides an interface for managing the other Portal26 products. It provides dashboards, reports, and granular compliance certifications in the event of a successful attack. Uniquely, Portal26 Studio gives CISOs critical post-attack documentation, as they can use Portal26 Studio reports as auditable evidence that their data retained encryption throughout the attack.\r\nHighlights of the product’s capabilities include:\r\nProtection from the most common and highly damaging types of ransomware attacks involving data exfiltration. These include large-scale unstructured and structured data exfiltration using privileged credentials.\r\nStrong security benefits without performance penalty. Portal26’s data ingest overhead is under 5% when compared to clear text, and Portal26 runs search with 0% overhead. 
Depending on the volume of data, the storage overhead is typically 15%. Portal26’s closest comparable solutions suffer from exceedingly large compute (500% overhead) and storage (10,000% overhead) requirements.\r\nPortal26’s ability to release data in an application-friendly manner minimizes the need for application changes.\r\nPortal26 has been built to perform at enormous data scale without loss of performance, handling petabytes of data and millions of keys with ease.\r\nPortal26 provides post-attack support for those who suffer a cyber attack. Uniquely, in the event of an attack, the software provides a report with visibility into any data that was observed, accessed, or exfiltrated. This offers auditable evidence that the data retained encryption, which helps avoid ransom payouts and also reduces liability, penalties, and notification obligations for regulated industries, private companies, and all who have a duty to their users to protect data.\r\nLooking To Protect Yourself Against The Daixin Team Ransomware Group?\r\nPortal26 can help!\r\nUntil Portal26, the typical ransomware defense strategy involved prevention/detection technologies on the endpoint (EDR/XDR) to identify and stop ransomware attacks, plus backup/recovery solutions to recover systems without being forced to pay the ransom. Neither approach accounts for stolen data, and time after time, victims were forced to pay the ransom because their defense plan did not account for the leverage attackers gained by stealing data.\r\nPortal26 addresses this problem. Portal26 prevents the loss of unencrypted data, thereby eliminating attacker leverage from data exfiltration. 
This closes a critical gap in ransomware defense today.\r\nPortal26 Provides a Crucial Element for Ransomware Defense\r\nTo see a demonstration of how these products work, click to schedule a demo today.\r\nSource: https://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/"
	],
	"report_names": [
		"ransomware-prevention-daixin-team-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "86ab2e9a-75b1-48af-8313-0a5ec1f7d12c",
			"created_at": "2023-12-03T02:00:05.154685Z",
			"updated_at": "2026-04-10T02:00:03.488062Z",
			"deleted_at": null,
			"main_name": "Daixin Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Daixin Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04ecfaec730c3be623cdc89466087e67b5c6cedf.pdf",
		"text": "https://archive.orkl.eu/04ecfaec730c3be623cdc89466087e67b5c6cedf.txt",
		"img": "https://archive.orkl.eu/04ecfaec730c3be623cdc89466087e67b5c6cedf.jpg"
	}
}