Hospitals and healthcare systems should review Microsoft’s latest guidance on ransomware prevention

Source: Beazley Breach Solutions

Healthcare organizations are particularly exposed to ransomware attacks that target network devices right now, according to Microsoft Threat Intelligence. As remote working has ramped up for many organizations during the COVID-19 pandemic response, threat actors are targeting network devices like gateway and virtual private network (VPN) appliances to exploit vulnerabilities, gain a foothold in networks, and launch ransomware.

Microsoft recently sent notifications to several dozen hospitals that it had identified as having potentially vulnerable infrastructure, with recommendations about how to mitigate vulnerabilities and prevent attacks. Beazley Breach Response (BBR) Services strongly encourages every healthcare organization to review the guidance Microsoft has made available on the Microsoft Security blog.

Microsoft recommends focusing on the following steps immediately to reduce risk from threats that exploit gateways and VPN vulnerabilities:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
  • Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
  • Turn on AMSI for Office VBA if you have Office 365.
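The last two steps above are Windows Defender and Office settings that are easy to state and easy to misapply. The following is an added PowerShell example (not code from Beazley or from Microsoft's post) showing how a defender would stage the attack surface reduction (ASR) rules the guidance names in audit mode, read back what Defender actually holds, review the resulting audit events before switching to block, and verify the registry value that controls AMSI scanning of Office VBA macros. It assumes an elevated session on a Windows host running Microsoft Defender Antivirus with Office 2016 or later (the `16.0` registry path), and it uses Microsoft's published ASR rule GUIDs, which you should confirm against Microsoft's current ASR rule reference before rolling them out fleet-wide.

```powershell
# Added example, not from the advisory. Stage ASR rules in audit mode, review the
# audit log, then verify the Office VBA AMSI setting. Run elevated.

# ASR rule GUIDs as published by Microsoft for Defender Antivirus. Confirm against
# Microsoft's ASR rule reference before deploying at scale.
$AsrRules = [ordered]@{
    'Block credential stealing from LSASS'                               = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'                         = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block Win32 API calls from Office macros'                           = '92E97FA1-5D2A-4AD4-B4E8-8CDAB1D4B9D1'
    'Block Office applications from creating executable content'         = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block all Office applications from creating child processes'        = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from injecting code into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
}

# Stage 1: audit mode. Nothing is blocked yet; Defender only records what each
# rule WOULD have blocked, which is how you measure impact on clinical apps.
foreach ($name in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host "Audit mode: $name"
}

# Read back the configuration Defender actually holds. Ids and Actions are
# parallel arrays; action 2 = AuditMode, 1 = Enabled (block), 0 = Disabled.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Stage 2 (after an audit period): review what would have been blocked.
# In the Defender operational log, event ID 1122 is an ASR audit hit and
# event ID 1121 is an ASR block.
$auditHits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

if ($auditHits) {
    $auditHits | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    Write-Host 'No ASR audit events in the last 14 days.'
}

# Stage 3: once the audit hits are understood, switch the same rules to block.
# Set-MpPreference replaces the whole list, so pass every rule at once.
# (Commented out so the script stays in audit mode until you decide.)
# $ids = @($AsrRules.Values)
# Set-MpPreference -AttackSurfaceReductionRules_Ids $ids `
#                  -AttackSurfaceReductionRules_Actions (@('Enabled') * $ids.Count)

# AMSI for Office VBA is governed by MacroRuntimeScanScope
# (0 = off, 1 = scan low-trust documents, 2 = scan all documents).
# The Policies key, if present, takes precedence over the user key.
$keys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security',
    'HKCU:\Software\Microsoft\Office\16.0\Common\Security'
)
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name MacroRuntimeScanScope `
            -ErrorAction SilentlyContinue).MacroRuntimeScanScope
    if ($null -ne $v) {
        "$k : MacroRuntimeScanScope = $v"
    } else {
        "$k : not set (Office default applies)"
    }
}
```

Audit mode is the important design choice here: in a hospital, an ASR rule that blocks Office from launching child processes can break legitimate clinical or billing macros, so the 1122 audit events are what tell you whether a rule is safe to enforce on a given fleet before you set it to Enabled. For the VBA setting, check both registry locations, because a Group Policy value under `Policies` silently overrides whatever a user or installer wrote to the non-policy key.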

Read these Microsoft posts for further information about mitigation and prevention:

If you experience any type of ransomware incident, be sure to contact us so we can help you obtain the skilled resources to investigate and get you back up and running.