DAIXINDaixin

Daixin Team is a ransomware and data extortion group active since at least June 2022, known for targeting the healthcare sector, including hospitals, clinics, and related service providers. The group employs a double-extortion model—exfiltrating sensitive data before encrypting systems—and has leaked protected health information (PHI) to pressure victims. Intrusions often involve exploiting VPN vulnerabilities (notably in Fortinet FortiOS) and using compromised credentials for initial access. The ransomware uses AES for file encryption with RSA to protect the keys, and ransom notes direct victims to a Tor-based portal. The U.S. CISA, FBI, and HHS have issued joint advisories warning of the group’s impact on healthcare delivery and patient safety