Computer and Data Safety and Ransomware

One of our LDC members reported the following in relation to Computer and Data Safety:

I own a dental practice in South Wales and we recently had a computer problem which left us very exposed and we potentially could have lost all our data for 10 years! I thought if I shared my story with my colleagues it may prevent other practices going through the same ordeal that we are still going through.

Firstly a small background to our practice; we have been fully computerised using software from a reputable dental software supplier for 10 years and had digital radiographs for 7 years. We employ the services of a local computer firm for all our computer hardware and software and they usually deal directly with our supplier on our behalf to organise our back up and virus protection.

I never really got too involved. We have had all new computers and a server in the last 3 years; to my basic understanding we had 2 hard drives in the server and one backs up to the other every night. Then twice a week we back up onto a removable hard drive, and we have 2 of these that are swapped and the one that is not being used is stored offsite. We have Norton antivirus software and 2 firewalls (whatever they are!).

Four weeks ago we turned the computers on a Monday morning and everything we tried to open requested a password! We phoned our supplier – they couldn’t do anything because they couldn’t log in so we called our computer firm out. It took a few hours to discover that we had been the victims of a ransom virus and that the criminals wanted 3000 USD to give us the password! They had also deleted and encrypted all hard drives and memory storage devices that were on the server including the external hard drive back up.

For the more technically minded of you, the virus wasn’t a virus but malware, and these are often not detected by even the best antivirus programs. It was obviously not detected by Norton, neither did Kaspersky antivirus detect it, but it was finally identified by Malwarebytes.

We do not know how the infection happened, or when it happened; it is likely that someone opened an email attachment, or clicked on a false link on a webpage.

When I spoke subsequently with our software supplier they informed me that lots of practices had been hit. I asked if anyone had paid the ransom and they said that some had and had nothing back; some had paid and it had worked, but they had been re-targeted a month later with demands for more money. They informed me that some practices had lost all their data!

Fortunately for us our second external backup had not been backing up properly for 6 weeks, so it had not been infected. This still left us losing 6 weeks’ worth of everything, but it wasn’t as catastrophic as losing 10 years’ worth of data! However, our appointment book was booked up about 8 weeks in advance and a lot of patients book their recall and hygienist appointments 6 months in advance, and all of these appointments have been lost. So on a daily basis we don’t know who is going to walk in through the door, which dentist they are expecting to see, what happened at their last appointment, and so what they are expecting to have done and on which tooth! We are fortunate that the x-rays weren’t affected, so these are safe. Needless to say our UDA target/figures are all messed up and we will have lost a lot of UDAs because we don’t know who was in on the days that we lost from the last transmission date.

We had to notify the police, the Information Commissioner’s Office and the LHB.

What I have learnt – don’t assume that you are safe! Your computers are at risk from a lot more than burglaries and fire! Ensure that you have many backups in various places (internal hard drives, external hard drives and cloud backups), and that you have a longer-term backup so that you don’t risk losing everything! Also, antivirus and anti-malware are a minimal requirement, and preferably have your server separate – so that no one can use it to open emails, go on the internet etc.

I still look blank when computer people talk computer at me, and no matter how hard I try to get them to explain and talk English to me they still seem to talk computer – but I’m trying!

__________________________________________________________________

Having heard this another LDC member has made some suggestions as follows:

Viruses and Ransomware

CryptoWall Ransomware is distributed sometimes as a fake update for applications such as Adobe Reader, Flash Player or the Java Runtime Environment. These types of updates may be offered in pop-up windows when you visit unsafe websites or when a “Potentially Unwanted Program” is installed on your computer. To be safe only ever install from the main website.

Ransomware is typically delivered opportunistically via spam email, and the typical overall themes are shipping notices from delivery companies, tax refunds etc.

These use the “ability” of Windows to hide common file extensions. No one would open an exe file attached to an email like invoice.exe, but if the name is changed to invoice.pdf.exe and the extension is hidden it looks like a “safe” pdf file.

It is a good idea to change the default behaviour to show the file extension. In Windows 7:

  • Click the Start menu. …
  • Type “folder options” (without the quotes). …
  • A dialog box with the title “Folder Options” will appear. …
  • View tab: click to uncheck the box for “Hide extensions for known file types”.
  • Click the “OK” button at the bottom of the dialog box.
  • Any files now arriving as email attachments will show if they are .exe.
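As an added illustration (not part of either member’s suggestions), a small Python check that shows how a name like invoice.pdf.exe appears when extensions are hidden, and classifies attachment names by their real (last) extension so a mail filter or a receptionist can spot the trick. The extension lists and the sample attachment names are constructed for the example.

```python
import os

# Well-known Windows executable/script extensions (illustrative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def displayed_name(filename):
    """Approximates Explorer with 'Hide extensions for known file types' on: the last extension is dropped."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def inspect_attachment(filename):
    """Classify an attachment by its real (last) extension, catching the invoice.pdf.exe trick."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    verdict = {"filename": filename, "shown_as": displayed_name(filename), "real_extension": ext}
    if ext in EXECUTABLE_EXTENSIONS:
        inner = os.path.splitext(stem)[1].lower()  # a document-looking extension hiding before the real one?
        if inner in DOCUMENT_EXTENSIONS:
            verdict["risk"] = f"high: executable disguised as {inner} document"
        else:
            verdict["risk"] = "high: executable attachment"
    elif ext in DOCUMENT_EXTENSIONS:
        verdict["risk"] = "normal document"
    else:
        verdict["risk"] = "unknown type, treat with caution"
    return verdict

def flag_attachments(filenames):
    """Return only the verdicts that should be stopped and looked at before anything is opened."""
    return [v for v in map(inspect_attachment, filenames) if v["risk"].startswith("high")]

# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe", "statement.pdf", "photo.jpg.scr", "report.docx", "setup.exe"]
```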

Other advice includes storing several backups in an offline environment, because many ransomware variants will try to encrypt data on connected network shared drives and connected removable drives. In order to be effective, a backup must be “serialised”, with older versions of files available in case newer versions have been corrupted or encrypted; however, the latest Locker can lie dormant on your system for many weeks or months, infecting every backup. Multiple removable drives or USB sticks that are rotated in their use are obviously better.

Usual anti-virus programmes do not recognise the exe files as a virus, as technically they are not a virus: they do not replicate themselves and are just an executable encryption programme. Malwarebytes can detect them, but be careful where you download this from as it often comes bundled with advert pop-ups. There is a free trial version which is clear and simple to use.

Once the backups are done and stored securely, checking on a scheduled basis that the backups are working and that you can recover from them is sensible.
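An added example (not from either member) of the scheduled backup check described above: it records a hash manifest at backup time, re-verifies every generation as a restore test, and flags a set whose newest snapshot has gone stale, which is exactly how the second external drive in the story failed quietly for six weeks. The date-named snapshot folder layout and the sample files are constructed assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timedelta
from pathlib import Path

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def write_manifest(snapshot_dir):
    """At backup time: record a SHA-256 for every copied file (assumed layout: one dated folder per run)."""
    manifest = {}
    for root, _, files in os.walk(snapshot_dir):
        for name in files:
            if name != "manifest.json":
                path = os.path.join(root, name)
                manifest[os.path.relpath(path, snapshot_dir)] = sha256_file(path)
    with open(os.path.join(snapshot_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)

def verify_snapshot(snapshot_dir):
    """Restore test: re-hash every file; return those missing or altered since the backup was taken."""
    with open(os.path.join(snapshot_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    return [rel for rel, digest in manifest.items()
            if not os.path.exists(os.path.join(snapshot_dir, rel))
            or sha256_file(os.path.join(snapshot_dir, rel)) != digest]

def check_backup_set(backup_root, today, max_age_days=7, min_generations=3):
    """Scheduled check: newest snapshot is fresh, enough generations are kept, and all restore cleanly."""
    snaps = sorted(d for d in os.listdir(backup_root) if os.path.isdir(os.path.join(backup_root, d)))
    if not snaps:
        return ["no snapshots found"]
    problems = []
    if today - datetime.strptime(snaps[-1], "%Y-%m-%d") > timedelta(days=max_age_days):
        problems.append(f"newest snapshot {snaps[-1]} is stale")  # the drive that quietly stopped copying
    if len(snaps) < min_generations:
        problems.append(f"only {len(snaps)} generation(s) kept")
    for snap in snaps:
        problems += [f"{snap}: {rel} altered or missing" for rel in verify_snapshot(os.path.join(backup_root, snap))]
    return problems

def demo():
    """Constructed sample: three weekly snapshots, the newest six weeks old, one file overwritten after backup."""
    root = Path(tempfile.mkdtemp())
    for day in ("2015-04-06", "2015-04-13", "2015-04-20"):
        (root / day).mkdir()
        (root / day / "patients.db").write_text("records as of " + day)
        write_manifest(root / day)
    (root / "2015-04-20" / "patients.db").write_text("scrambled")  # stands in for a copy encrypted later
    return check_backup_set(root, datetime(2015, 6, 1))
```

Run on a real backup drive the same way, pointing check_backup_set at the drive’s root with today’s date, and treat any non-empty result as a reason to investigate before relying on that backup.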

One suggested prevention is to have a simple stand-alone computer (running Linux?) with its own printer to be used for all day-to-day practice e-mails and internet browsing, not on the network.

The practice server and networked workstations only ever connect (perhaps via a separate line and modem-router) to transmit forms or allow online support, nothing else: no staff using the internet at lunchtime.

Finally, asking all contacts to only send documents as links to their websites or as e-mails with NO attachments would also reduce the chance of accidentally running a suspect attachment.