You’ve Been Hit with Ransomware, Here is How to Recover

One of your employees comes to you and says there is a funny message on their computer. You make your way to the computer in question to find a message saying that all of this computer's files have been encrypted and are now inaccessible. To get them back, you must send a certain amount of Bitcoin to the attackers. As you read this, other employees come to you saying they have the same message. It is then that you realize that your practice has been hit with ransomware. Read on to find out how to recover from a ransomware attack and get your practice up and running again.

If you are in this situation, then you are likely beginning to panic. But stay calm and follow the steps outlined below. This is your best chance of saving your data and getting back to full operations.

Stop the spread of the infection

If not all of your computers have been infected yet, that is a good thing. The priority is to cut the infection off from everything it has not yet reached. Unplug the network cable (or disable Wi-Fi) on every computer, including your servers, and unplug the modem or router so that nothing on the network can reach the Internet or each other. Where you can isolate a machine this way, prefer it to powering it off: turning a computer off erases everything in memory, which incident responders may need, and for some ransomware families the key material needed for decryption has only been recoverable from a running system. If a machine is visibly still encrypting files and you cannot disconnect it, power it off. At this point, if you have IT support, contact them and update them on the situation. You will need them to recover from a ransomware infection. If you do not, then follow the steps below as closely as possible.

Remove the infection

Turn one computer back on and boot into Safe Mode. On Windows 10, F4 is not a key you press while the machine boots: hold Shift while clicking Restart from the sign-in screen or the Start menu, then choose Troubleshoot, Advanced options, Startup Settings and Restart, and press 4 (or F4) on the menu that appears. Safe Mode is a limited version of Windows without most device drivers or programs that launch at startup, so the ransomware's own startup entries do not run. Before you clean anything, copy the ransom note and two or three encrypted files to a USB flash drive; the decryptor lookup services described later need them to identify the variant, and cleaning tools may delete the note. At this point, you will need to run anti-malware software. Ideally, you would have the software installed on the computer already. But if you don't, then you will need to download it from a safe, uninfected computer and copy it to this computer with a USB flash drive. Treat that drive as contaminated afterwards: scan it before it goes back into a clean machine.

Install the software and run it. It will look through all of the files to see if there is any malware on the computer. When the scan finishes, remove any malware that it finds. Reboot the computer into Safe Mode again and let it scan again. Once you have been given a clean bill of health by your anti-malware software, reboot the computer into normal mode.

Ideally, you would want to use more than one of the programs listed below to scan your computer. This makes sure your scan was thorough and all traces of the ransomware have been removed.

Go to each computer, one by one, and repeat this process until all have been cleaned. Where you have a known-good image or can reinstall from scratch, rebuilding the machine is more reliable than cleaning it: scanners can miss persistence the ransomware left behind, and a rebuild removes it with certainty.

Here are some programs you can download for free to help you clean your computer:

Malwarebytes

SpyBot Search & Destroy

HitManPro

Emsisoft Emergency Kit

Restore your data

Just because we removed the ransomware, that doesn’t mean your data is back to normal. Even if the ransomware is gone, any files that were encrypted before removal are still encrypted. Go through each computer to see what has been encrypted. This may take time especially if you have a large number of computers or servers with lots of files.
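Checking every file by hand does not scale to a server full of documents. The following script, added here as an example and not part of the original article, walks a directory tree and sorts files into three buckets: files whose name matches a ransom note, files that look encrypted (by a suspicious extension, or because their contents are near-random, which is what encrypted data looks like), and everything else. The note filenames and extensions are assumed placeholders; replace them with what you actually see on the infected machines. The sample share it builds in a temporary directory is constructed for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumed marker names for this example. Real ransomware families use their own
# note filenames and extensions; put the ones you actually see on screen here.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_to_restore.txt"}
RANSOM_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, threshold: float = 7.5, sample_bytes: int = 4096) -> bool:
    """Heuristic: encrypted output is near-uniform, so its entropy sits close to 8.
    Compressed formats (zip, docx, jpg, pdf) are also high-entropy, so treat a hit
    as a lead to open and verify, not as proof."""
    with path.open("rb") as fh:
        head = fh.read(sample_bytes)
    return len(head) >= 256 and shannon_entropy(head) >= threshold


def triage(root) -> dict:
    """Walk a tree and bucket every file as ransom note, suspected encrypted, or clean."""
    root = Path(root)
    result = {"notes": [], "encrypted": [], "clean": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name.lower() in RANSOM_NOTE_NAMES:
            result["notes"].append(rel)
        elif p.suffix.lower() in RANSOM_SUFFIXES or looks_encrypted(p):
            result["encrypted"].append(rel)
        else:
            result["clean"].append(rel)
    return result


def build_sample_tree() -> Path:
    """Constructed sample share: two intact documents, two encrypted ones
    (one renamed by the malware, one overwritten under its original name)
    and a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "billing").mkdir()
    (root / "billing" / "invoices.csv").write_bytes(b"id,amount\n" + b"1001,250.00\n" * 200)
    (root / "intake_form.txt").write_text("Patient intake form\n" * 100)
    (root / "schedule.xlsx.locked").write_bytes(os.urandom(4096))    # renamed by the malware
    (root / "billing" / "ledger.docx").write_bytes(os.urandom(4096))  # encrypted in place
    (root / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")
    return root


if __name__ == "__main__":
    for bucket, files in triage(build_sample_tree()).items():
        print(f"{bucket}: {files}")
```

Run it against a share root and save the output; the "encrypted" list becomes the restore list for the next step, and the "notes" list tells you which machines and shares the ransomware actually reached. Compressed office formats will show up as false positives, so open a few of the hits before you start restoring.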

Once you have identified what has been encrypted, go to your backups and begin restoring those files, onto machines you have already cleaned. Check the backup itself first: if the ransomware had access to the backup location, the backup copies may be encrypted too. If you don't have a backup, or your backup was encrypted before you found the ransomware, then you need to make a decision on the importance of your data. Without a backup, there is a low chance you will get your data back without paying the ransom, and paying does not guarantee a working decryptor. How easily your data can be decrypted depends on which ransomware variant hit you: use the ransom note and a sample encrypted file to identify it, because for some variants a free decryptor exists and for others the encryption cannot currently be broken.

Here are some tools you can use to see if your encrypted data is salvageable:

Kaspersky Decryptors

Emsisoft Rescue Kit

No More Ransom Project

Watchpoint

Immunize your network from future attacks

After you have removed the infection and restored your office to full operations, it's time to figure out how the attack occurred. Preserve the firewall, server and workstation logs from before and during the attack before they roll over; they are the evidence you will need for this step and for the HIPAA breach assessment below.

Perform a Risk Assessment on your office and network. A Risk Assessment performed properly will identify the areas that you need to address.

Ransomware gets into a network through a variety of means. The most common is a phishing email that either entices a user to click a link that downloads the malware, or carries the malware in an attachment. Another common way in is Remote Desktop Protocol (RDP) exposed directly to the Internet. If your users reach the office from outside using RDP, this may be how the attacker gained access: exposed RDP is found by automated scanning within hours, and weak or reused passwords are then guessed by brute force. It is extremely unsafe to have remote access enabled on the Internet without using a Virtual Private Network (VPN). Some ransomware variants also exploit vulnerabilities in Microsoft's RDP implementation to break in and spread from there.

Once you have identified how the attack happened, plug the hole. If it was an email attack, install email filtering software that will watch for these types of attacks. Contact your email hosting vendor and ask them what they offer.

If it was an RDP attack, disable RDP on the Internet-facing side and install a firewall with VPN capability. Set users up to connect to the VPN first and launch their RDP session over it, require multi-factor authentication on the VPN, and restrict RDP at the firewall so it only accepts connections from the VPN address range. VPN clients are available for Windows, Mac, iOS, and Android for free.

Finally, make sure you are using a business-grade anti-malware product rather than a home version. Whatever you choose, confirm that it scans in real time and not only on a schedule: a scheduled scan won't stop an attack that is in progress, and a product without central management gives you no way to notice that a machine has stopped reporting.

Was this a breach under HIPAA regulations?

According to The Department of Health and Human Services, a ransomware attack is considered a security incident under HIPAA.

From HHS:

“The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of a security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).”

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

HHS treats a ransomware incident as a presumed breach unless the practice can demonstrate a low probability that the PHI has been compromised. If the practice can't do that, the breach must be reported to HHS and the Breach Notification Rule must be followed. Either way, document the risk assessment you performed and the evidence behind it; the burden of showing a low probability is on the practice.

Here is a link to HHS’ Ransomware Fact Sheet

The easiest way to recover from ransomware attacks

The easiest way to recover from ransomware attacks is to stop them from occurring. This requires taking precautions to prevent attackers from gaining access to your network on several fronts.

The first step is to perform your Risk Assessment. What issues did it uncover for your practice? Do you have a commercial-grade firewall in place? Does it implement intrusion detection and prevention technologies?

Do you have email filtering to block phishing and spam emails?

Do you have endpoint protection installed on every computer (including servers) on your network? Make sure it is a business-grade product that scans in real time and can be managed centrally, not a home version.

Do you provide security awareness training to your staff? Staff mistakes are often the biggest cause of a ransomware attack. Training staff on how to spot suspicious emails will help empower them to protect your practice.

Does someone monitor your firewall and computer logs? Logs will often be filled with notifications of an attacker trying to gain access. If someone is watching these logs, then you can stop them before they gain access.
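The Windows Security logs of a practice whose RDP was exposed usually show the attack long before the ransom note appears: a stream of failed logons (event ID 4625, logon type 10 for Remote Desktop) from one address, then a success (4624) from that same address. The script below, an added example that is not part of the original article, runs exactly that check over a constructed log excerpt. The flat pipe-separated layout is an assumption made so it runs offline; in practice you would feed it an export from Event Viewer or your SIEM, which carries the same fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs, and the logon type that RDP sessions use.
FAILED_LOGON = "4625"
SUCCESSFUL_LOGON = "4624"
RDP_LOGON_TYPE = "10"   # RemoteInteractive

# Constructed sample export in a flat "timestamp|event_id|logon_type|account|source_ip"
# layout (an assumption for this example). The burst models an attacker trying
# passwords against exposed RDP, followed by a successful logon from the same address.
_start = datetime(2024, 3, 2, 2, 14, 7)
_burst = [
    f"{(_start + timedelta(seconds=10 * i)).isoformat()}|4625|10|"
    f"{['administrator', 'admin', 'office'][i % 3]}|203.0.113.45"
    for i in range(12)
]
SAMPLE_LOG = _burst + [
    "2024-03-02T02:16:30|4624|10|jsmith|203.0.113.45",   # success 2 min after the burst
    "2024-03-02T03:00:00|4625|3|svc-backup|10.0.0.12",   # network logon, not RDP: ignored
    "2024-03-02T09:05:11|4625|10|mjones|198.51.100.7",   # one mistyped password...
    "2024-03-02T09:05:40|4624|10|mjones|198.51.100.7",   # ...then a normal sign-in
]


def parse_line(line):
    ts, event_id, logon_type, account, source_ip = line.strip().split("|")
    return datetime.fromisoformat(ts), event_id, logon_type, account, source_ip


def detect_rdp_attacks(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag a source IP once it produces `threshold` RDP logon failures inside
    `window`, and flag any RDP success from a source that still has that many
    recent failures: the sign that a guessed password worked."""
    recent_failures = defaultdict(deque)   # source_ip -> failure timestamps in window
    already_flagged = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = parse_line(line)
        if logon_type != RDP_LOGON_TYPE:
            continue
        window_q = recent_failures[source_ip]
        while window_q and ts - window_q[0] > window:
            window_q.popleft()               # drop failures older than the window
        if event_id == FAILED_LOGON:
            window_q.append(ts)
            if len(window_q) >= threshold and source_ip not in already_flagged:
                already_flagged.add(source_ip)
                alerts.append(("brute_force", source_ip, ts.isoformat(), len(window_q)))
        elif event_id == SUCCESSFUL_LOGON and len(window_q) >= threshold:
            alerts.append(("likely_compromise", source_ip, ts.isoformat(), account))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises two alerts for 203.0.113.45, a brute-force alert on the tenth failure and a likely-compromise alert on the success that follows, and nothing for the user who mistyped a password once. A single 4625 is a typo; a run of them from one address is an attacker, and a 4624 on the end of that run is the moment to disconnect the machine. Once RDP is moved behind the VPN, point the same rule at the VPN's authentication log.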

Do you have a reliable backup system in place? Does it use the 3-2-1 system (three copies of your data, on two different kinds of media, with one copy off-site) to ensure that you always have a safe and secure copy of your data available should you need it? Keep at least one copy offline or otherwise unreachable from your network, so that ransomware which gets in cannot encrypt the backups along with everything else, and test a restore regularly so you know the backups actually work.

Even if you are using a cloud-based EMR, you need to implement these steps. Many practices mistakenly believe that using a cloud-based EMR removes the chance of an attack. This is simply not true. What an attacker will do is compromise your network and then use your own computers to access your online EMR data. One of the largest EMR data thefts from a practice was Peachtree Orthopedics, which used an online EMR. Their data was stolen over the course of months and put up for sale on the Dark Web. The EMR wasn't breached. The attackers simply compromised the computers at the practice and used them to steal all of the data.