Ransomware – Don’t Be the Next Victim
It’s the perfect crime. Force someone into giving you their money and then vanish without a trace. Ransomware is on the rise again, but it’s not because deviant technology is getting better. In fact, FBI crackdowns, patches, antivirus & antimalware solutions have significantly hampered their proliferation. In the absence of large-scale technological vulnerabilities that can impact millions, “Lone wolf” criminals are now targeting smaller organizations at an alarming rate. They analyze their victims’ computer systems looking for vulnerabilities, then plan a targeted attack. Anyone with digital assets and the ability to pay a ransom is at risk. Criminals who used to snatch purses or sell drugs are now turning their attention to digital crimes because they have a better chance at getting away with it. They are intentionally demanding smaller payouts to avoid prosecution and media attention. Local authorities are powerless to stop it as perpetrators often digitally cross state/country lines, and the FBI is overrun with complaints that will likely never be assigned to an agent.
The good news is that most attacks are executed by criminals with little to no hacking skills. Following these basic security precautions can and will protect you from these types of attacks. We urge you to ensure that your IT has performed the following steps (in order of priority):
#1 Remote Desktop servers should never expose the default TCP port of 3389 to the public internet. The best way to protect your RDP server is to not expose any RDP ports to the public internet. You can use VPN instead. If you must expose RDP ports to the public internet, make sure you install a product like RDPGuard.
#2 Never use weak passwords on any Windows User Account. Many attackers use brute force attacks with common password dictionaries to gain entry and remotely encrypt files.
#3 Train every employee to never provide remote support access to an unsolicited caller. Many attackers will call your practice pretending to be your PM/EHR vendor and will guide unsuspecting employees into giving them access!
#4 Perform a Windows Update on all your workstations and servers. Many ransomware outbreaks take advantage of known vulnerabilities in Windows that have already been patched by Microsoft.
#5 Never allow users to browse the internet on a server. Servers should be inaccessible to users. Remote Desktop servers should have “Internet Explorer Enhanced Security Configuration” enabled and should be restricted to only allow approved websites.
#6 AVOID assigning drive letters to your backup drives. “Hackers” look for backup drives and will encrypt your backup files along with your EHR files if they find them.
#7 NEVER map network drive letters on workstations to your EyeMD EMR Image Server directory (or parent directories). Automated Ransomware software typically only infects workstations. It scans all of your workstation’s drives looking for documents to encrypt. Mapping Network Drives to your EyeMD EMR Image Server Directory allows ransomware to encrypt documents (PDF & JPG) linked to the EMR system.
R: Drive Mapped to \\SERVER\EyeMD_Data\ a shared folder of D:\EyeMD_Data\
R: Drive Mapped to \\SERVER\IMAGES\ a shared folder of D:\EyeMD_Data\IMAGES\
R: Drive Mapped to \\SERVER\D\ a shared folder of D:\
R: Drive Mapped to \\SERVER\OCT\ a shared folder of D:\EyeMD_Data\DEVICES\OCT\
NO drives mapped to \\SERVER\IMAGES\ a shared folder of D:\EyeMD_Data\IMAGES\
#8 IN ADDITION to backing up your data to a local drive (for fast recovery), make sure you are also backing up your data offsite. We recommend Amazon Glacier, however, there are many other reputable cloud backup vendors to choose from.
#9 Install/Update CryptoPrevent on all your workstations and servers, apply the default policies, and periodically check for updates. CryptoPrevent is a freeware software that automatically configures your operating system to block the execution of rogue applications by preventing the execution of programs in temporary directories and by using other effective techniques. It is by far the most effective way to prevent the destruction caused by Ransomware. Anti-Virus & Anti-Malware software programs can only protect you from known variants. By the time it is known, new variants emerge. Be advised that this tool may adversely affect logon scripts so please consult your IT before installing this application. http://www.eyemdemr.com/downloads/CryptoPreventSetup.exe
If you have been infected by Ransomware, DO NOT FORMAT/WIPE YOUR SERVER UNTIL YOU HAVE SAVED AN IMAGE OF IT! Please contact us before taking any action on your system. If you cannot recover your files from a backup or using any of the tools below, the FBI considers paying the ransom to be an option that your business should consider. Although a decryption key is usually provided after paying the ransom, there has been cases where a ransom was paid and no key was provided in return. You should also report the crime to the Internet Crime Complaint Center.
Cisco TALOS TeslaCrypt Decryption Tool
Kaspersky Ransomware Decryptor
If you have any questions regarding Ransomware, please help us keep our technical support lines available for EyeMD EMR related issues by directing these questions to your IT.