Ransomware – The latest in best practices

Introduction

Ransomware is a malicious attack that is done to extort a dental office out of money.  The attack requires only the briefest window of opportunity to perform and there is little to no hope of tracking down the hackers or recovering your data.

In this article we are going to 1) discuss the attacks done on several Arkansas-based offices, 2) examine the methods of breaches, 3) the failures of the current security best practices and 4) review both the newest security guidance for 2021 and the next-generation ransomware that is spreading now.  Lastly we will revisit those basic security things that you should be doing to keep your firm safe.

Three attacks…

Attack 1 – Office manager Mary wears multiple hats and to keep things simple tends to re-use the same password for everything.  At some point her password is compromised on a shopping website and hackers gain access to her email using the same password. In the email are the instructions to remote into the work pc.  The hackers remote into the OM’s work PC and encrypt all the data.

Attack 2 – Billing Coordinator Sue works in accounts receivable and rarely has to interact with customers or vendors.   She gets a phone call transferred to her from what is stated to an insurance company representative needing to complete paperwork so that Sue can receive payment on a case.  Sue is instructed by the scammer to provide her email, then to open a word document attachment with a hidden piece of code on it.  Despite the security warnings, the caller calmly walks her through clicking OK and YES to continue as it is for HIPAA protection.  Sue encrypts all the files and does not even realize it happened.

Attack 3 – IT Director Craig has built a 7-site corporate network from the ground up and runs a very tight ship.  However, Craig’s corporate offices were purchased by a larger management company that grew faster than their IT team could keep up.  About 6 months later an office in a totally different state gets infected and the hackers spread laterally across the nation and into Craig’s network.  Thousands of computers are knocked offline.

How did the attackers in?

These 3 cases demonstrate that ransomware can hit anyone.  The solo practitioner, the multi-site office and the management company were all unable to stop ransomware despite having the 2020 best practices implemented.   The office manager had two-factor authentication, but her email was compromised.  The Billing coordinator had plenty of spam filter warnings, Antivirus notifications and cautions about opening untrusted word documents- but she still felt it was the right thing to do.  The IT director with all the best security that money could buy could not block out his trusted business partners and vendors from getting infected.  These modern cyberattacks leverage information from other breaches to gain a foothold in your network, then with a little effort they can then gain one or two additional key pieces of information and when combined they result in a successful breach.   In August of 2019 400 dental offices were encrypted when their IT support/backup Provider was compromised, and the management tools pushed out ransomware to all their client’s computers.  A modern ransomware attack is when the data of 2 or 3 insignificant breaches are put in the hands of a thinking scammer.

The new (Oct 28 2020) guidance:  Zero Trust

The US Cybersecurity & Infrastructure Security agency posted an alert titled “Ransomware Activity Targeting the Healthcare and Public Health Sector” in Oct of 2020.  The complete article is here:  https://us-cert.cisa.gov/ncas/alerts/aa20-302a.   In this article we find new language describing a different approach to handling security- an application whitelist.

CISA Best Practice:  “Implement application access to only allow systems to execute programs known and permitted by the established security policy.”

This new model is based on maintaining a whitelist of trusted programs and keeping any program that is not expressly allowed from running.   You can sort of think of your computers as more like appliances, a microwave oven has a very small attack surface as compared to a windows XP computer that is connected to an old Pano.

How can Dental offices implement this new best practice for ransomware prevention?

While this isn’t an official endorsement, we do have an opportunity to see how Standard Computer performs this implementation on their Dental offices.   First, an agent is installed on all the computers and servers that sits back and monitors every application that runs.  This process builds up a list of applications that are “trusted” by the office in their normal day to day operation.   After all the programs are accounted for they flip a switch and no new software is allowed to run.   If a new application is required, then the computer can be put back into learning mode for 15 minutes to learn the new application.    Standard Computer maintains a proprietary whitelist of trusted applications for all major dental applications and whenever a dental offices needs something new, Standard trains their database so that it will be a benefit to all.  (See their ad on page X)

The approach taken by Standard Computer is taken further by another vendor called Carbon Black which provides the same level of application whitelisting but also a 24×7 Network Security Operations Center and paid consulting for larger health care organizations such as hospitals

The Next Generation Threats

There are 3 new threats emerging out of Ransomware that could become popular in 2021 First, hackers are spending more time enumerating the targets so that they can eliminate backups from being a recovery option.  Second, hackers are extracting stored passwords from internet browsers, uploading the documents folder, and coping the email database for further exploitation of the office.  Lastly, hackers are paying commissions which could be a temptation for low-paid employees with high level access to folders.   If your Dental practice has been hit with Ransomware or if you are concerned about your preparedness for it, Sean Kubin form Standard Computer is offering a free consult on page X in this publication.

Lastly, here is the checklist for security best practices you need to have in place.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
    • Basically, every Tuesday for Microsoft.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
    • This is a reversal of previous recommendations that said to disable “local admin” privileges. The problem is that hackers learned to put keyloggers on locked-down computers, then cause a minor issue which required and administrator to enter a password.  The stolen password would then be used to gain access to other systems.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
    • Avoid using email as a secondary login factor. A txt or token generator is best.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
    • RDP is a great product and staff loves using it but the risks are to high.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
    • This is the new guidance. Application whitelisting and remote access whitelisting.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
    • This one doesn’t apply to smaller Dental offices but is applicable to offices that have dedicated back-office staff.
  • Audit logs to ensure new accounts are legitimate.
    • Closing out old accounts prevents an attack vector.
  • Scan for open or listening ports and mediate those that are not needed.
    • This is usually done to maintain PCI compliance as well.
  • Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
    • Its interesting how much data is not on the server and not backed up. Even OPs can have heavily customized templates setup by hygienist that are worth backing up.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
    • If you use a cloud-based email (office365, Gmail, etc) then this doesn’t apply to you.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
    • There are plenty of antivirus scanners, but Malwarebytes is the best Anti-malware solution. MBam is a pound of cure, it can break things so be careful running it.


Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
    • Don’t just have one backup have 2 or 3 different backups. Don’t mistake having 3 backups for having 3 copies of the same backup- this will just cause a cascade failure when the first one fails.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
    • There are two options usually. Option 1. Recover.  A loaner server is deployed and the backup is spun up, computers are all wiped and reload.  This takes a day or two max.  Option 2. Rebuild.  If all you have is your PT database backed up, then you rebuild everything and can reopen in a week to 10 days.  It will be buggy for a month.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
    • Make sure your staff doesn’t allow vendors to install remote access software on the server. Tell your staff that these requests must go to the IT department.  I’ve had a OM call quickbooks and then conference us on the line to get them remoted in and we found out that the quickbooks tech was a scammer.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
    • If ransomware pops up and you just happen to see it being deployed the best thing to do is to unplug the network switch. That will isolate all the computers from each other and is easy to plug back in.  Don’t have staff ripping out cords from the back of their computers in a panic.