Hacked Gold Coast GP had data back-up but RDP suspected

The Gold Coast general practice that was hacked and held to ransom by suspected eastern European cyber criminals had an external data back-up system in place and is close to being fully functional, but the case provides a salutary lesson in following security best practice, its IT consultant said.

Jason Fillmore of Essential IT Services said the Miami Family Medical Centre did regular back-ups through both its Windows 2003 Small Business Server Premium package and to DAT external tape drives, but the hackers had been able to disable all of those systems during the attack.

A staff member had taken one of the DAT tapes home with them the previous evening so it is probable all of that data can be restored, but as it was only a data back-up and not a full system image back-up, it has taken some time for the practice to get up and running again, he said.

The hack, which is suspected of being a brute force attack via the practice's Windows remote desktop protocol (RDP) connection, happened on Saturday, December 1. Mr Fillmore said a staff member had tried to log in to the server from her workstation but couldn't, so she had gone to the server room and rebooted it.

“The first thing that comes up when you log in is a ransom demand,” he said. “It came up and said 'your computer has been disabled, the files have been encrypted, you can try to hack it but it will take 65 billion years to break it, or you can send us $4000'.”

The ransom demand contained a Gmail address and even a reference number for the victim to contact the hackers. The message also told the victims that the hackers could prove they could decrypt the files if necessary.

Mr Fillmore said he was not exactly sure how the hackers gained access to the system as he had not set it up, but he was fairly certain it was via an RDP connection. “Having an RDP port open is not really the best thing,” he said.

He believes the hackers used some sort of ransomware that brings up the message when users try to log in, but which also disables the start up of Safe Mode.

“How we got around it was we actually emailed the hacker because part of their message is 'for us to prove that we can decrypt the files, send us a couple of files and we'll decrypt them and send them back to show you we can do it',” Mr Fillmore said.

“David Wood, the owner, said to them 'how can we send this file if we can't get in?' So they sent us the unlock code that would take away that message. It was the trickiest bit of work I've ever seen. They were very thorough and had obviously given it a lot of thought. They disabled a whole pile of services on the server.”

Miami Family Medical Centre uses the practiX practice management software and a SQL database, and everything had been locked down, he said.

“They encrypted the whole SQL database. In fact, they encrypted about 6500 files on the server – they went through and searched for every doc, xls, txt, pdf, mdb, mdf – all of the standard data files.

“They are not actually taking the data anywhere and it is not being uploaded or anything like that. They just put this service in – the encryption – after they have disabled antivirus, disabled back-ups, disabled volume shadow copies. They did a whole pile of nastiness to the server. They run this service and it automatically does all of this encryption and converts all of the files. They are encrypting to a self-extracting archive that is password protected.”

While the practice was fortunate it had followed the correct procedure of taking a back-up tape offsite, it did not have online back-up and had not done a full system image back-up, as the DAT tape holds only 70GB, Mr Fillmore said.

“I've got them running on a temporary server and I've just set up a machine, installed SQL, put on their most recent back-up and got their practiX up and running, so they are 90 per cent functional at the moment. There are a few little pieces that aren't running on it but I'll put that off until we get the new server. I'm just waiting on some licences before I can install that.”

It is now known that a number of medical practices in Queensland have been similarly targeted, which Mr Fillmore believes is due to the perception that doctors not only need their data but that they can afford to pay the ransom.

Since the attack, Mr Fillmore has disabled RDP access for a number of his clients, and he suggests other practices do the same.

“Unless they absolutely, entirely need to be remote desktopped directly to the server, I would recommend they don't. I went around and disabled the port forwarding on a lot of my other clients' systems just until I know exactly how we handle this.”

Practices can't be cut off from the internet completely as they need access to Medicare and to receive pathology results, but he said that unless practices really need RDP access direct to a server, they should cut it off for the time being and use TeamViewer, LogMeIn or a similar system instead.

His advice is that there is no such thing as too many back-ups. “And it might be an idea to occasionally restore them to something and make sure it actually restores. Getting your data back is one thing, but to get up and running again in a timely fashion is probably just as important, so you need to have a disaster recovery plan in place. You need a system image back-up so you can get up and running pretty quickly.”

He said one of the most interesting if not amusing parts of the whole experience was the necessity for the reception staff to revert to paper-based appointments and records.

“They have probably never had to run with all systems on manual before. They were all looking a little bit dishevelled by the time we got them going again.”

HackLabs security consultant Chris Gatford said backing up is the most critical process an organisation can perform in the event of an incident.

"I recommend three back-up copies, one offsite and two on different media types," Mr Gatford said.

He also warned that RDP has been seriously targeted in the last year. "It has been well understood not to directly expose this to the internet for many years. A security review would have caught this risk. Having an independent assessment performed is absolutely critical these days."

He also said it is a fundamental mistake to assume that victims can take the attackers' word that the data has not been taken, only encrypted.

"These types of events along with data breach notification laws coming into effect shortly could actually close down businesses who don't take this seriously," he said.

Posted in Australian eHealth

Comments

# IT Consultant in shock 2012-12-14 15:00
We work with numerous Practices, and in all cases we have ensured sites follow a regimented approach to backup and not just data, we use Shadow Protect to create full images, so we can get a site working in as little as 2hrs, or can pull a single file from the image. Not keeping up with the times is the lesson here.
# Macca 2012-12-15 10:35
This is criminal activity which should be reported to the police. They need access to the busted server in order to gather evidence. Switch the computer off, call the police and wait for advice. And don't forget that you can also access the experts at Auscert when the time comes for recovery: www.auscert.org.au. This is far too important to leave to your normal everyday IT contractor who has in any case left your system in a vulnerable state.
# Vadim P. 2012-12-15 12:29
Any comments at the RDP situation? Is that the standard remote connect method used or is something else preferred?
# SJ 2012-12-15 12:38
Hi Vadim,
I guess the take home message is that RDP (or VNC etc) through an open router port using just a username and password is not sufficient. Coupled with additional layers of security such as SSH or VPN, there's no reason why it can't be used.
Cheers, Simon
# SJ 2012-12-15 12:42
Hi Macca, it's a good thought but in reality the police would find it difficult to catch a clever person doing this from within Australia, much less from some weird and wonderful impoverished European country. I'm hopeful that the mainstream media coverage of this incident will make practices more vigilant and will naturally put their IT support teams on notice.
# IT 2012-12-16 03:37
Lets not jump to conclusions and blame the IT support companies.

A lot of practices don't understand the security implications and as such stinge money left, right and centre when it comes to IT. It's generally a matter of cobbling together the best you can for the least amount of money.

With regards to the RDP situation, there's a few things you can do. Obviously limiting the user accounts that have rights to actively log in to the server is the first step, then ensuring the accounts that do have strong passwords. You can also set lockout policies - just be careful not to lock yourself out. You can also change ports - i.e. connect over a random high-numbered port, say 60000 for example - that way if someone is scanning for common open ports including 3389 it's not visible.

Finally, look at programs such as TeamViewer or LogMeIn which don't require any firewall ports to be open.
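A read-only audit of the settings the comment above lists, and of the "open RDP port" risk the article itself raises, as an added example; it is not code from the article, the practice, or any commenter. It assumes a current Windows host (Windows 10 / Server 2016 or later, for Get-LocalGroupMember and Get-WinEvent) and an elevated PowerShell session; the 24-hour window and the top-five cut-off are arbitrary choices. It reports whether RDP is enabled and on which port, whether Network Level Authentication is required, who is in the Remote Desktop Users group, the account lockout threshold, and the failed-logon pattern that a password-guessing run leaves in the Security log (event 4625).

```powershell
# Added example (not from the Pulse+IT article or its commenters): read-only
# audit of RDP exposure on a Windows host. Run in an elevated PowerShell
# session on the server itself. Registry paths and event ID 4625 are standard
# Windows values; the 24h window and top-5 cut-off are assumptions.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled, and on which port? fDenyTSConnections=1 means disabled.
#    A non-default PortNumber only hides the listener from scans of 3389.
$rdpOff = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
$port   = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# 2. UserAuthentication=1 is Network Level Authentication: the client must
#    authenticate before a session is created, so anonymous probing gets
#    no logon screen to hammer.
$nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

# 3. Who may log on over RDP? Administrators always can; this group is the
#    one to keep small (the comment's "limit the user accounts" step).
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name

# 4. Account lockout threshold. Note the built-in Administrator account is
#    never locked out, which is why it must not be the remote-access account.
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }

# 5. Failed logons (Security event 4625) in the last 24h, grouped by source
#    address. A handful is normal; hundreds from one address against many
#    usernames is a brute-force run.
$since  = (Get-Date).AddHours(-24)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
$events = foreach ($e in $failed) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Source    = $data['IpAddress']
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network (NLA failures)
    }
}
$topSources = $events | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 5

# Report. Anything in capitals is a finding to act on.
"RDP enabled          : $(if ($rdpOff -eq 1) { 'no' } else { 'YES' })"
"RDP listening port   : $port$(if ($port -eq 3389) { ' (default, scanned constantly)' })"
"NLA required         : $(if ($nla -eq 1) { 'yes' } else { 'NO' })"
"Remote Desktop Users : $(if ($rdpUsers) { $rdpUsers -join ', ' } else { '(none)' })"
"Lockout policy       : $lockoutLine"
"Failed logons (24h)  : $($failed.Count)"
if ($topSources) {
    "Top failing sources  :"
    $topSources | Format-Table Count, Name -AutoSize
}
```

It changes nothing; it only reads. What it cannot tell you is whether the router is still forwarding the port to the server, because that is only visible from outside: from a machine on another network, `Test-NetConnection <public IP> -Port <port>` answers that. Moving to a high port, as the comment suggests, keeps the listener out of 3389 sweeps but does nothing once it is found, so the NLA line and the lockout line are the two that decide whether a guessing run succeeds.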
# Jeff Hawkes Computer Care Australia 2012-12-18 09:24
Remote Desktop was never designed to be left open over the internet. Some backyard IT companies leave it open so they can access the server for support. This is not needed at all! There is no excuse, a VPN needs to be set up. Routers have VPN servers built in, and so does Windows. By default, the administrator account should not be in the VPN group. This is because this is a special account that does not lock out after any number of password retries.
# IT Consultant - Wangaratta, Victoria 2013-01-01 12:51
As an IT Consultant who works for over 20 medical practices and specialists, it is always our recommendation that a VPN is established to gain remote access to the client's site; however, this is often not as easily achieved. Doctors often log in from an array of locations such as hospitals, unis & airports, and establishing a VPN through their firewalls (even SSL) is often a major task in itself, leaving direct RDP often the only option.
Limiting who can gain access through RDP, using different ports and very strong passwords is a must (also on the medical application within the session). Also, giving the user only very restricted access to the computer they are logging in to (e.g. only give access to required applications and NOT system drives such as C:) is a wise step to take.



Copyright © 2017 Pulse+IT Magazine