Hacked Gold Coast GP had data back-up but RDP suspected
The Gold Coast general practice that was hacked and held to ransom by suspected eastern European cyber criminals had an external data back-up system in place and is close to being fully functional, but the case provides a salutary lesson in following security best practice, its IT consultant said.
Jason Fillmore of Essential IT Services said the Miami Family Medical Centre did regular back-ups, both through its Windows Small Business Server 2003 Premium package and to external DAT tape drives, but the hackers had been able to disable all of those systems during the attack.
A staff member had taken one of the DAT tapes home with them the previous evening, so it is probable that all of that data can be restored, but as it was only a data back-up and not a full system image back-up, it has taken some time for the practice to get up and running again, he said.
The hack, which is suspected of being a brute force attack via the practice's Windows remote desktop protocol (RDP) connection, happened on Saturday, December 1. Mr Fillmore said a staff member had tried to log in to the server from her workstation but couldn't, so she had gone to the server room and rebooted it.
“The first thing that comes up when you log in is a ransom demand,” he said. “It came up and said 'your computer has been disabled, the files have been encrypted, you can try to hack it but it will take 65 billion years to break it, or you can send us $4000'.”
The ransom demand contained a Gmail address and even a reference number for the victim to contact the hackers. The message also told the victims that the hackers could prove they could decrypt the files if necessary.
Mr Fillmore said he was not exactly sure how the hackers gained access to the system as he had not set it up, but he was fairly certain it was via an RDP connection. “Having an RDP port open is not really the best thing,” he said.
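As an added illustration, not part of the original article or of the practice's own setup, the following Python script shows the kind of check an IT provider could run over exported Windows security events to spot the RDP brute-force pattern suspected here: a burst of failed remote-desktop logons (event 4625, logon type 10) from one address, followed by a successful logon (event 4624) from the same address. The log lines are constructed for the example, and their one-line field layout is an assumption rather than a real export format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on Windows Security events
# 4625 (failed logon) and 4624 (successful logon). LogonType 10 is
# RemoteInteractive, i.e. an RDP session. The one-line layout and field
# names are an assumption for this example, not a real export format.
SAMPLE_LOG = """\
2012-12-01T02:13:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2012-12-01T02:13:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2012-12-01T02:13:14 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2012-12-01T02:13:20 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2012-12-01T02:14:02 EventID=4625 LogonType=10 TargetUserName=reception IpAddress=198.51.100.7
2012-12-01T02:14:31 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2012-12-01T02:14:37 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2012-12-01T02:15:01 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2012-12-01T08:02:44 EventID=4624 LogonType=2 TargetUserName=reception IpAddress=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse(lines):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in the order they fire.

    ('bruteforce', ip, count)  - at least `threshold` RDP logon failures from
                                 one address inside `window`
    ('compromise', ip, user)   - an RDP logon from an already-flagged address
                                 succeeded, i.e. the guessing probably worked
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in parse(lines):
        if ev["ltype"] != 10:
            continue  # only remote-desktop logons matter for this check
        if ev["event"] == 4625:
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], len(q)))
        elif ev["event"] == 4624 and ev["ip"] in flagged:
            alerts.append(("compromise", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.7 never reaches the threshold and produces nothing, while the run of failures from 203.0.113.45 fires once and the later successful logon from the same address is flagged as a probable compromise; a console logon (logon type 2) is ignored entirely. On a real server the same logic would read from the Security event log rather than a text export.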
He believes the hackers used some sort of ransomware that brings up the message when users try to log in, but which also disables the start-up of Safe Mode.
“How we got around it was we actually emailed the hacker because part of their message is 'for us to prove that we can decrypt the files, send us a couple of files and we'll decrypt them and send them back to show you we can do it',” Mr Fillmore said.
“David Wood, the owner, said to them 'how can we send this file if we can't get in?' So they sent us the unlock code that would take away that message. It was the trickiest bit of work I've ever seen. They were very thorough and had obviously given it a lot of thought. They disabled a whole pile of services on the server.”
Miami Family Medical Centre uses the practiX practice management software and a SQL database, and everything had been locked down, he said.
“They encrypted the whole SQL database. In fact, they encrypted about 6500 files on the server – they went through and searched for every doc, xls, txt, pdf, mdb, mdf – all of the standard data files.
“They are not actually taking the data anywhere and it is not being uploaded or anything like that. They just put this service in – the encryption – after they have disabled antivirus, disabled back-ups, disabled volume shadow copies. They did a whole pile of nastiness to the server. They run this service and it automatically does all of this encryption and converts all of the files. They are encrypting to a self-extracting archive that is password protected.”
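The sequence Mr Fillmore describes, protection being switched off before the encryption starts, is the stage at which this kind of attack is still cheap to catch. As an added example, not from the article or from the practice, the following Python script scans process-creation records for the usual Windows command lines that delete shadow copies, stop backup or antivirus services, and disable Safe Mode or recovery (vssadmin, wmic, wbadmin, sc, net, reg, bcdedit). Which exact commands this particular ransomware ran is not stated in the article; the sample records, host, user and paths are constructed, and the rule set is an illustration, not a complete one.

```python
import re

# Constructed process-creation records (timestamp, user, command line), in
# the spirit of a Sysmon event 1 / Security 4688 export. Host name, user
# and paths are assumptions made for this example.
SAMPLE_EVENTS = [
    ("2012-12-01T02:21:10", "SBS\\administrator",
     r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2012-12-01T02:21:12", "SBS\\administrator", "sc stop VSS"),
    ("2012-12-01T02:21:13", "SBS\\administrator", "sc config VSS start= disabled"),
    ("2012-12-01T02:21:20", "SBS\\administrator", 'net stop "BackupAgent"'),
    ("2012-12-01T02:21:25", "SBS\\administrator",
     r"reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /f"),
    ("2012-12-01T02:21:30", "SBS\\administrator",
     "bcdedit /set {default} recoveryenabled no"),
    ("2012-12-01T09:00:00", "SBS\\reception",
     r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"),
]

# Each rule names one category of protection being removed. The commands
# are the standard Windows tools for the job; an attacker can of course
# reach the same result by other means, so this is a starting point.
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("backup_catalog_deletion",
     r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("protective_service_stopped",
     r"(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+.*(vss|backup|defend|antivir)"),
    ("safe_mode_or_recovery_disabled",
     r"reg(\.exe)?\s+delete\s+.*\\SafeBoot"
     r"|bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def tampering_findings(events):
    """Return (timestamp, user, rule) for every command line that matches a rule."""
    findings = []
    for ts, user, cmd in events:
        for name, rx in COMPILED:
            if rx.search(cmd):
                findings.append((ts, user, name))
    return findings


def looks_like_pre_encryption_tampering(findings, min_categories=2):
    """A single hit happens in legitimate maintenance (an admin clearing old
    shadow copies, say); several distinct categories of protection being
    switched off on one host is the pattern worth paging someone for."""
    categories = {name for _, _, name in findings}
    return len(categories) >= min_categories


if __name__ == "__main__":
    found = tampering_findings(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("pre-encryption tampering:", looks_like_pre_encryption_tampering(found))
```

The reception user's Word launch matches nothing; the administrator session trips three separate categories within twenty seconds, which is the point at which the server should be isolated and the tape pulled rather than waiting for the ransom note. Note that the encryption stage itself (files rewritten as password-protected self-extracting archives) is not what this script looks for; by then the damage is done.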
While the practice was fortunate that it had followed the correct procedure of taking a back-up tape offsite, it did not have an online back-up and had not done a full system image back-up, as the DAT tape holds only 70GB, Mr Fillmore said.
“I've got them running on a temporary server and I've just set up a machine, installed SQL, put on their most recent back-up and got their practiX up and running, so they are 90 per cent functional at the moment. There are a few little pieces that aren't running on it but I'll put that off until we get the new server. I'm just waiting on some licences before I can install that.”
It is now known that a number of medical practices in Queensland have been similarly targeted, which Mr Fillmore believes is due to the perception that doctors not only need their data but can also afford to pay the ransom.
Since the attack, Mr Fillmore has disabled RDP access for a number of his clients, and he suggests other practices do the same.
“Unless they absolutely, entirely need to be remote desktopped directly to the server, I would recommend they don't. I went around and disabled the port forwarding on a lot of my other clients' systems just until I know exactly how we handle this.”
Practices can't be cut off from the internet completely, as they need access to Medicare and to receive pathology results, but he said that unless a practice really needs RDP access direct to a server, it should cut it off for the time being and use TeamViewer, LogMeIn or a similar system instead.
His advice is that there is no such thing as too many back-ups. “And it might be an idea to occasionally restore them to something and make sure it actually restores. Getting your data back is one thing, but to get up and running again in a timely fashion is probably just as important, so you need to have a disaster recovery plan in place. You need a system image back-up so you can get up and running pretty quickly.”
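The restore test he recommends can be automated so that it happens every time rather than occasionally. The following Python script is an added example, not the consultant's own tooling: it archives a directory, records a SHA-256 manifest at back-up time, and later restores the archive into a scratch directory and checks every file against that manifest, reporting anything missing or altered. The sample tree (a database file and a couple of documents) is constructed for the example, and the tar.gz format stands in for whatever the practice's backup software actually writes.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive `src` into `archive` and return a manifest {relative path: sha256}
    taken at back-up time. The manifest is what a later restore test is
    checked against, so keep it with the offsite copy, not only on the server."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a throwaway directory and compare every file
    the manifest promises against what actually came back."""
    report = {"ok": [], "missing": [], "mismatched": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python provides it
            # (3.12+, also backported to older maintenance releases).
            if hasattr(tarfile, "data_filter"):
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
        for rel, digest in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != digest:
                report["mismatched"].append(rel)
            else:
                report["ok"].append(rel)
    return report


def demo() -> tuple:
    """Constructed sample data standing in for a practice's document and
    database files. Returns (clean_report, broken_report)."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "server"
        (src / "db").mkdir(parents=True)
        (src / "letters").mkdir()
        (src / "db" / "practice.mdf").write_bytes(b"\x00" * 4096 + b"patient rows")
        (src / "letters" / "referral.doc").write_text("Dear Dr ...")
        (src / "letters" / "results.pdf").write_bytes(b"%PDF-1.4 constructed")

        archive = root / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # A manifest that no longer matches the archive: one file's contents
        # differ from what was promised, and one file was never captured.
        stale = dict(manifest)
        stale["db/practice.mdf"] = "0" * 64
        stale["letters/missing.xls"] = "0" * 64
        broken = verify_restore(archive, stale)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean backup:", clean)
    print("broken backup:", broken)
```

A restore test that only checks the archive opens would pass both cases; comparing against a manifest written at back-up time is what catches a file that was encrypted before the nightly job ran, or a tape that silently dropped a directory. Restoring to a scratch location also measures how long the practice would actually be down, which is the disaster-recovery number that matters more than whether the data exists somewhere.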
He said one of the most interesting if not amusing parts of the whole experience was the necessity for the reception staff to revert to paper-based appointments and records.
“They have probably never had to run with all systems on manual before. They were all looking a little bit dishevelled by the time we got them going again.”
HackLabs security consultant Chris Gatford said backing up is the most critical process an organisation can perform in the event of an incident.
"I recommend three back-up copies, one offsite and two on different media types," Mr Gatford said.
He also warned that RDP has been seriously targeted in the last year. "It has been well understood not to directly expose this to the internet for many years. A security review would have caught this risk. Having an independent assessment performed is absolutely critical these days."
He also said it is a fundamental mistake to assume that victims can take the attackers' word that the data has not been taken, only encrypted.
"These types of events along with data breach notification laws coming into effect shortly could actually close down businesses who don't take this seriously," he said.
Posted in Australian eHealth