How to protect your practice from ransomware

January 24, 2019
Dr. Lorne Lavine

Volume 53, Issue 2

Advanced attacks are using a variety of methods to steal data; here’s how to keep your practice up-to-date.

Ransomware attacks are only increasing in complexity and becoming more efficient at exploiting network and system vulnerabilities, leaving dental offices with a significant clean-up bill. Modern firewalls are highly effective at defending against these types of attacks, but they need to be given the chance to do their job. 

How ransomware attacks spread

2018 has seen ransomware trending away from brute-force, large-scale attacks toward focused, planned and manually executed attacks that are much harder to detect and block. Let’s take a look at how the different forms of ransomware operate and what your office should be doing to minimize vulnerability.

Targeted ransomware attacks

As the name suggests, targeted ransomware attackers have done their homework - they know who you are and how your practice operates, whether you are capable of paying a ransom and how much you might be willing to pay. They have gained access to your network and can see and control the damage they are causing. If they hit a roadblock, they work around it again and again until they succeed. They don’t go after difficult targets with advanced security - why bother?


There is enough low-hanging fruit for them to stay in business. Variants including Dharma, SamSam and BitPaymer are some of the most well-known and most successful types of targeted ransomware. While these examples vary in their scope and complexity, they share many commonalities in their methods.

A typical targeted ransomware attack looks like this:

  • Gain entry via a remote file sharing or management feature like Remote Desktop Protocol (RDP) or FTP, through brute-force hacking or simply guessing a weak password.

  • Escalate privileges until they are an administrator (attackers exploit system vulnerabilities to gain privilege levels that let them bypass security software).

  • Bypass any security software (with escalated privileges, attackers can run tools such as third-party kernel drivers that disable processes and force-delete files, bypassing the protections that stop them from uninstalling security software directly).

  • Spread ransomware that encrypts the victim’s files. Utilize network and host vulnerabilities or basic file sharing protocols to compromise other systems on the network and spread file-encrypting ransomware.

  • Leave a ransom note demanding payment for the files to be decrypted.

  • Wait for the victim to contact them via email or a dark web website.
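The first step above, brute-forcing RDP, is also the easiest to spot in logs. The following script is an added example, not from the article: it reads constructed, simplified failed-logon lines (the Windows event ids are real, 4625 = failed logon, logon type 10 = RDP; the line layout, threshold and window are assumptions) and flags any source that racks up too many RDP failures in a short window.

```python
"""Flag RDP brute-force attempts in constructed failed-logon log lines.
Added example; the log layout is a simplified, constructed one (timestamp,
event id, logon type, source IP, user). Threshold and window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammering RDP, one user who mistyped once.
SAMPLE_LOG = """\
2019-01-24T02:11:05Z 4625 type=10 src=203.0.113.7 user=administrator
2019-01-24T02:11:06Z 4625 type=10 src=203.0.113.7 user=admin
2019-01-24T02:11:07Z 4625 type=10 src=203.0.113.7 user=frontdesk
2019-01-24T02:11:08Z 4625 type=10 src=203.0.113.7 user=dentist
2019-01-24T02:11:09Z 4625 type=10 src=203.0.113.7 user=backup
2019-01-24T02:11:10Z 4625 type=10 src=203.0.113.7 user=scanner
2019-01-24T09:30:00Z 4625 type=10 src=192.0.2.20 user=reception
2019-01-24T09:30:45Z 4624 type=10 src=192.0.2.20 user=reception
"""

def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(event_id), "type": int(kv["type"]),
            "src": kv["src"], "user": kv["user"]}

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src: (failures, distinct_users)} for every source with at least
    `threshold` failed RDP logons (event 4625, logon type 10) inside `window`."""
    recent = defaultdict(deque)  # src -> (ts, user) pairs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["event"] != 4625 or ev["type"] != 10:
            continue  # only failed RemoteInteractive (RDP) logons count
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = (len(q), len({u for _, u in q}))
    return flagged

if __name__ == "__main__":
    for src, (n, users) in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {n} failed RDP logons against {users} accounts")
```

A hit against many different account names from one source, as in the sample, is the password-guessing pattern the article describes; a single failure from a known workstation is just a typo.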


Best practices for firewall and network configuration

Keep in mind that IPS (intrusion prevention system), sandboxing and every other protection a firewall provides are only effective against traffic that actually traverses the firewall, and only where suitable enforcement and protection policies are applied to the firewall rules governing that traffic. With that in mind, follow these best practices to prevent the spread of worm-like attacks on your network:

  • Ensure you have the right protection, including a modern high-performance next-gen firewall IPS engine and sandboxing solution.

  • Lock down RDP with your firewall. Your firewall should be able to restrict RDP access to VPN users and whitelist sanctioned IP addresses.

  • Reduce the attack surface as much as possible by thoroughly reviewing and revisiting all port-forwarding rules to eliminate any non-essential open ports. Every open port represents a potential opening into your network. Where possible, use a VPN to reach resources on the internal network from outside rather than port-forwarding.

  • Be sure to properly secure any open ports by applying suitable IPS protection to the rules governing that traffic.

  • Apply sandboxing to web and email traffic to ensure all suspicious active files coming in through web downloads and email attachments are being suitably analyzed for malicious behavior before they get onto your network.

  • Minimize the risk of lateral movement within the network by segmenting LANs into smaller, isolated zones or VLANs that are secured and connected together by the firewall.

  • Be sure to apply suitable IPS policies to rules governing the traffic traversing these LAN segments to prevent exploits, worms and bots from spreading between LAN segments.

  • Automatically isolate infected systems. When an infection hits, it’s important that your IT security solution be able to quickly identify compromised systems and automatically isolate them until they can be cleaned up (either automatically or through manual intervention).

  • Use strong passwords, ones that are not easily compromised by brute-force tools, for your remote management and file sharing tools.
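Several of the practices above (review every port-forward, restrict RDP and FTP to VPN or sanctioned addresses, put an IPS policy on every rule) can be checked mechanically. This is an added example, not the article's or any firewall vendor's code: the rule format is a constructed, vendor-neutral one, and the sanctioned address range and the set of remote-access ports are assumptions to adapt per practice.

```python
"""Audit constructed port-forwarding rules against the firewall practices above.
Added example; rule layout, sanctioned range and port set are assumptions."""
import ipaddress

# Services the article names as entry points (RDP, FTP) plus SMB file sharing.
REMOTE_ACCESS_PORTS = {3389: "RDP", 21: "FTP", 445: "SMB"}

# Constructed: the only outside range the practice has sanctioned (e.g. its IT provider).
SANCTIONED = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample rules: source CIDR, forwarded destination port, IPS policy applied?
RULES = [
    {"name": "rdp-any",     "src": "0.0.0.0/0",       "dport": 3389, "ips": False},
    {"name": "rdp-it",      "src": "198.51.100.0/24", "dport": 3389, "ips": True},
    {"name": "web",         "src": "0.0.0.0/0",       "dport": 443,  "ips": True},
    {"name": "ftp-old",     "src": "0.0.0.0/0",       "dport": 21,   "ips": False},
    {"name": "https-noips", "src": "0.0.0.0/0",       "dport": 443,  "ips": False},
]

def source_is_sanctioned(src_cidr):
    """True only if the whole source range sits inside a sanctioned network."""
    net = ipaddress.ip_network(src_cidr)
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in SANCTIONED)

def audit_rules(rules):
    """Return (rule_name, finding) pairs for every practice a rule violates;
    an empty list means all rules pass."""
    findings = []
    for r in rules:
        svc = REMOTE_ACCESS_PORTS.get(r["dport"])
        if svc and not source_is_sanctioned(r["src"]):
            findings.append((r["name"], f"{svc} forwarded from unsanctioned source "
                                        f"{r['src']}; move behind VPN or restrict source"))
        if not r["ips"]:
            findings.append((r["name"], "no IPS policy applied to this forwarded traffic"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_rules(RULES):
        print(f"[{name}] {finding}")
```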

If your office is unfamiliar with how to properly configure its firewall, work with a competent IT provider who is also familiar with HIPAA rules and regulations.
