Remote Desktop Servers at Risk for Targeted Ransomware Attacks
Cybercriminals are specifically targeting medical practices of all sizes at an alarming rate. Although they are employing a variety of techniques to gain entry into your network including social engineering, trojan horses, and others, they are realizing that the easiest way to gain entry into your system is by attacking remote desktop servers using brute-force password guessing attacks. Security reports estimate that over two-thirds of current ransomware attacks occurred over RDP. Many attempts last weeks to even months. We witnessed a single server being attacked from 329 different IP’s… just over a weekend! Even if they are never successful in guessing your server’s password, their relentless attempts abuse server resources (CPU, RAM, disk space and network bandwidth), resulting in slower than expected performance on your system. If they successfully gain entry into your system, they will either encrypt your files and demand a ransom, or they will attempt to gain access to your patient’s records by following up with a brute-force attack on your SQL database server.
Although we recommend that you do not expose RDP ports to the public internet, RDPGuard (http://www.rdpguard.com) is a low-cost solution that effectively thwarts these types of attacks. RDPGuard is a host-based intrusion prevention software system that protects your Windows Server from brute-force attacks on various protocols and services, notably RDP & MS-SQL. It monitors the logs on your server and detects failed login attempts. If the number of failed login attempts from a single IP address reaches a set limit, the attacker’s IP address will be blocked for a specified period of time (we recommend 72 hours after 10 failed login attempts in the last 24 hours).
EyeMD EMR Healthcare Systems has extensively tested this solution and has found it to be highly effective & efficient in thwarting these types of attacks. After extensively researching all types of software & hardware based solutions to address this risk, we have concluded that there is no better way to protect your publicly exposed remote desktop server. Especially considering that this solution will only cost your practice less than $80. We recommend that you implement this software product on all publicly exposed remote desktop servers immediately. We also recommend that you configure the RDPGuard windows service to automatically restart after a failure, and that you ensure you are using version 5-1-8 or greater (which resolves a bug that may cause the RDPGuard service to terminate unexpectedly). You can download this version at https://rdpguard.com/download/rc/. Your IT MUST enable Audit Logon Failures for both the Default Domain & Default Domain Controller GPO settings in order for this solution to work properly (Computer Configuration-Policies-Windows Settings-Security Settings-Local Polices-Audit Policy-Audit Logon Events & Audit Account Logon Events). If you need help configuring RDPGuard, we can refer you to qualified IT that can perform this service for you.
If you have not already, we recommend that you visit the Client Newswire in EyeMD EMR and read the newswire article titled “Ransomware – Don’t Be the Next Victim” for additional tips on stopping these types of attacks. Although this solution can stop an RDP brute force attack, it is not intended to protect you from other types of attacks.
After April 30th, 2018, our Server Monitoring System will be updated to verify that RDPGuard is installed on all active remote desktop servers (if you signed up for this free service). If RDPGuard is not present, the monitoring system will send you intermittent e-mail alerts until you either opt-out or install RDPGuard. If you prefer to not receive this server monitoring alert, please send an e-mail to firstname.lastname@example.org with “No RDPGuard Monitoring” in the subject line.
If you have any questions regarding Ransomware or the RDPGuard product, please help us keep our technical support lines available for EyeMD EMR related issues by directing these questions to your IT.