Someone just hacked into your Server and is holding your Practice’s data for ransom. This is no joke. Want to learn how to prevent it?
The Start of the Problem
On March 13th 2012, Microsoft announced to the world that they had discovered a vulnerability in their Remote Desktop Protocol (RDP). RDP is a pervasive standard used by many, many businesses to allow users to ‘remote’ into the office and operate a computer at the Practice as if they were physically there. It is free and included in all versions of Windows, so it is widely used. Some estimates have over 36 million computers accessible via RDP over the Internet in the USA alone. If you remote into the office from home, you are likely using RDP, so read on. Elsewhere Microsoft stated that to their knowledge there were no known exploits at that time. Talk about waving a Red Flag in front of the hackers – yeesh. Microsoft simultaneously released a ‘patch’ for the weakness.
It was our experience that about 6 days later, a new onslaught of RDP-based hacks began, presumably to capitalize on the newly described weakness. The attacks include using other infected computers as Robots (BOTs) to randomly scan all the addresses on the Internet looking for a computer with RDP open in its firewall. Once a BOT discovers the RDP port is open, it and other BOTs then initiate a ‘brute force’ attack, attempting to log in to the computer using a list of common user accounts. They try accounts such as Administrator, Support, Test, Staff, User, and more. For each account they try, they throw a dictionary of passwords at it (literally all the words in a dictionary), plus some derivations along the way. If nothing is set to proactively stop them, the BOTs will continue relentlessly trying to log in to your computer. They can make a try every one or two seconds, easily more than 40,000 tries per day. They work at it 24×7, they don’t get tired, and they don’t give up easily. If you have a weak password tied to one of these accounts, it’s likely that they will break through (see my other article on what makes a good password).
Once the BOT breaks through and actually logs in, it appears to hand over the attack to an actual person (all it would need to do is email the hacker your IP address, username and password). The hacker then literally logs into the console of your computer (just like you would from home) and then does whatever they feel like. We have seen them:
- Change all the passwords (to keep you out)
- Remove and disable any other remote access applications (so no one can see what they are doing)
- Remove all the backup software
- Delete all the backup files (taking away your recovery options)
- Delete all the Shadow copy backups (another form of recovery)
- Then, in a devilish twist, they encrypt all the files on your computer or server leaving them unusable.
- They install a pop-up program that basically tells you that you are screwed, and that they want you to send some amount of money to a bank in Europe; then they will send you back the decryption password to get your data back.
Some things we have learned about this attack
- If this happens to you, please don’t send them money in a vain attempt to recover your data. Your money will be lost, it will encourage them to do more harm, and they will NEVER communicate with you since it would leave a trail to trace back to them. There are many articles on the Internet from people trying this as a last-ditch attempt and they all end poorly.
- Most Servers are not set to automatically apply Windows Security Updates every day. This is by design, a typical precaution by IT people to guard against a new and untested update potentially screwing up a server. In this case, holding off on applying the Microsoft security update could backfire.
- The hacks are coming from other infected PCs all over the world like Russia, China, Australia and the Netherlands.
Steps to Minimize your exposure to getting hacked
Here are several steps that I would suggest you follow if you are worried about this for your home or Practice (and you should be worried about it).
- Regardless of whether you think you are vulnerable to external attack it’s wise to do the following:
- Apply the Microsoft Security update. This will likely require a reboot, so consider the right time to do it.
- Ensure that your Administrator password is a hard one (see my other blog article).
- Verify if you have the standard Microsoft RDP port (3389) open on your firewall to allow someone external to connect to your PC or server via the Internet.
- If you don’t know how to check this on your own, or just aren’t sure, ask your IT person to review your router for you (it only takes a few minutes).
- If it is closed, you can relax and this hack isn’t going to affect you.
- If you do have it open, read on…
- If you have RDP port 3389 open
- On the Computer that has RDP forwarded to it, open the Microsoft Event Viewer and have a look at the Security Log. Look for Audit Failures related to logins. If you are getting hacked now, you’ll likely see thousands of attempts pacing along every few seconds. Scroll back through the log over the last several weeks. You may be surprised and see thousands of attempts to break into your computer.
- Ask yourself if you NEED it open any longer. Often it was set up years ago and forgotten. If you don’t, then close it.
- Can you switch to a different remote access method like LogMeIn (which is free and doesn’t require opening the firewall to anything)? That would allow you to close the RDP port.
- If you HAVE to keep external RDP access open to your Practice, consider (with your IT person):
- Using the firewall router to do port translation. For example, open port 4000 externally and remap it through the router to port 3389 internally for access to your PC or Server. Since the external port 3389 will be closed, the BOTs won’t think you have RDP open, and will move on to the next poor soul.
- Ensure you have hard passwords set for any and all user accounts that can be accessed through the RDP connection.
- If the computer is a Terminal Server on a Domain, you might consider disabling RDP access for the local Administrator account if not used.
- Enable automatic account lockout in the GPO for the Domain. If someone attempts to log in to an account and fails 5 times in a row, it will automatically ‘lock out’ the account for 30 minutes. At least this will thwart the brute force attack (by slowing the pace of the BOTs so they will move on), and also give you some indication that an attack is underway when an account keeps relocking and you don’t know why.
- Consider closing the external RDP port anyway and using a VPN solution to securely connect your remote workers to the office before they start the RDP session.
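The Event Viewer check and the account lockout step above, as an added example that is not from the original article: a PowerShell script that summarizes the failed logons and account lockouts in the Security log so the brute-force pattern stands out. It assumes an elevated PowerShell session on Windows Server 2008 / Vista or later, and that it is run on the computer receiving the forwarded RDP traffic (or on the Domain Controller for domain account lockouts).

```powershell
# Added example (not from the original article): look for the RDP
# brute-force pattern in the Security log. Needs an elevated PowerShell on
# Windows Server 2008 / Vista or later; event IDs 4625 (failed logon) and
# 4740 (account locked out) do not exist on Server 2003, which logs 529 and 644.
$days  = 14
$since = (Get-Date).AddDays(-$days)

# Read the named EventData fields from an event's XML rather than relying
# on the positional order of the Properties array.
function Get-EventData($event) {
    $xml = [xml]$event.ToXml()
    $d = @{}
    foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    return $d
}

$failed = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        # LogonType 10 = RemoteInteractive (RDP), 3 = network logon
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']
                           SourceIP = $d['IpAddress']; LogonType = $d['LogonType'] }
    })
"Failed logons (4625) in the last $days days: $($failed.Count)"

if ($failed.Count -gt 1) {
    # Thousands of failures against Administrator/Support/Test/User from a
    # few addresses, arriving every second or two, is the BOT signature.
    $sorted = $failed | Sort-Object Time
    $secs   = ($sorted[-1].Time - $sorted[0].Time).TotalSeconds
    "Average gap between failures: {0:N1} s" -f ($secs / ($failed.Count - 1))
    "`nTop source addresses:"
    $failed | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
    "`nMost-attempted accounts:"
    $failed | Group-Object Account | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
}

# Lockouts show whether the 5-strikes policy is doing its job; an account
# that keeps relocking with nobody at the keyboard is the warning sign.
# (Domain account lockouts are logged on the Domain Controller.)
"`nAccount lockouts (4740) in the last $days days:"
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; FromHost = $d['TargetDomainName'] }
    } | Format-Table -AutoSize

# Current local lockout settings (domain members: check the Default Domain Policy instead).
net accounts | Select-String 'Lockout'
```

Note that the built-in Administrator account is exempt from account lockout on the Windows versions of that era, which is one more reason for the advice above to disable its RDP access where it is not needed.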
Will a backup save the day?
Since the Hackers destroyed all the backups attached to the Server at the time, I’d like to point out how ESSENTIAL an offsite backup is. Having a complete, image-based backup (like one from Acronis) taken offsite each day would give you a good first step towards a complete disaster recovery. For those of you thinking that an Internet Backup would have saved the day, my opinion is a mixed ‘yes and no’. Even if you had all the data files out on the Internet, how do you plan to restore the computer’s Windows operating system back to its proper state? The hackers trash Windows when they encrypt the C drive. With nothing more than an Internet backup, you (or your IT person) would need to manually reinstall and reconfigure EVERYTHING on the computer, a time-intensive and expensive process. Then, once Windows is finally configured, start the process of downloading all your data (slowly) from the Internet. This may take several days to complete depending on how much data you have. Most Internet backup services can expedite this by shipping you a drive with your data on it overnight, but you’ll still be without it all for a day or two depending on timing. If your budget allows, I would suggest a Hybrid approach for maximum protection: perform daily full Acronis backups to a portable USB drive (carrying the most current offsite), and a daily Internet backup that begins after the Acronis backup is completed. Even if you have a 3-day-old Acronis backup to restore from (a quick restore which only takes an hour or two and puts back Windows and all your settings), you can infill just the missing 3 days of data fairly quickly from the Internet backup. Having a well thought out backup strategy is an essential part of your disaster recovery plan.
Security isn’t easy, and the challenges keep evolving. If you’d like some help with your Practice’s security, consider giving MME a chance to help. Just give us a call at 866-419-1102 or check us out online at www.mmeconsulting.com.
Want more Tips and Tricks like this? Sign up to get updates by eMail as soon as we add them.