Microsoft Provides Hospitals with Tips to Combat Ransomware
As hospitals focus on treating coronavirus cases, criminal groups are exploiting the situation to launch COVID-19-related ransomware attacks against the healthcare industry.
Now more than ever, hospitals need protection from attacks that can block access to critical systems, cause downtime, or steal sensitive information.
In this context, Microsoft suggested the following tips to help hospitals defend themselves against ransomware:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Turn on AMSI for Office VBA if you have Office 365.
- Harden internet-facing assets and ensure that they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Secure your Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don't have an MFA gateway, enable network-level authentication (NLA).
- Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong, randomized, just-in-time local administrator passwords, using tools like Local Administrator Password Solution (LAPS).
- Monitor for brute-force attempts. Check for excessive failed authentication attempts (Windows security event ID 4625).
- Monitor for the clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert "Event log was cleared" and Windows generates an Event ID 1102 when this occurs.
- Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
- Use the Windows Defender Firewall and your network firewall to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
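The three monitoring tips above (failed logons, cleared event logs, and privileged logons on workstations) expressed as detection logic over constructed sample events. This is an added example, not Microsoft's or the article's own code; the normalised event shape, the privileged-account list and the "WS-" workstation naming convention are placeholder assumptions a hospital SOC would replace with its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), as a SIEM might normalise them
# from the Windows Security log: event ID, account, source IP, host, logon type.
SAMPLE_EVENTS = [
    {"time": "2020-04-01T08:00:00", "id": 4625, "user": "nurse1", "src": "10.0.0.5", "host": "RDGW01", "logon_type": 10},
    {"time": "2020-04-01T08:00:20", "id": 4625, "user": "nurse2", "src": "10.0.0.5", "host": "RDGW01", "logon_type": 10},
    {"time": "2020-04-01T08:00:40", "id": 4625, "user": "admin", "src": "10.0.0.5", "host": "RDGW01", "logon_type": 10},
    {"time": "2020-04-01T08:01:00", "id": 4625, "user": "doctor1", "src": "10.0.0.5", "host": "RDGW01", "logon_type": 10},
    {"time": "2020-04-01T08:01:30", "id": 4625, "user": "backup", "src": "10.0.0.5", "host": "RDGW01", "logon_type": 10},
    {"time": "2020-04-01T08:02:00", "id": 4625, "user": "nurse1", "src": "10.0.0.9", "host": "RDGW01", "logon_type": 10},
    {"time": "2020-04-01T08:05:00", "id": 4624, "user": "DA-admin", "src": "10.0.1.7", "host": "WS-RECEPTION", "logon_type": 10},
    {"time": "2020-04-01T08:06:00", "id": 4624, "user": "DA-admin", "src": "10.0.1.2", "host": "DC01", "logon_type": 10},
    {"time": "2020-04-01T08:09:00", "id": 1102, "user": "DA-admin", "src": "-", "host": "WS-RECEPTION", "logon_type": None},
]

PRIVILEGED_ACCOUNTS = {"DA-admin"}  # placeholder: the hospital's own tier-0 account list

def is_workstation(host):
    """Placeholder naming convention: workstations are named WS-*."""
    return host.upper().startswith("WS-")

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logons (4625) inside any time window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(datetime.fromisoformat(e["time"]))
    hits = []
    for src, times in by_src.items():
        times.sort()
        start = 0  # two-pointer sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(src)
                break
    return sorted(hits)

def detect_log_cleared(events):
    """Every 1102 (audit log cleared) warrants immediate investigation."""
    return [(e["host"], e["user"]) for e in events if e["id"] == 1102]

def detect_privileged_on_workstation(events, interactive_types=(2, 10)):
    """4624 interactive/RDP logons by privileged accounts onto workstations."""
    return [(e["user"], e["host"]) for e in events
            if e["id"] == 4624 and e["user"] in PRIVILEGED_ACCOUNTS
            and e["logon_type"] in interactive_types and is_workstation(e["host"])]
```

Logon types 2 (interactive) and 10 (RemoteInteractive) are the ones that leave reusable credentials on the host, which is why the third check ignores network (type 3) logons.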