Ransomware – an infection control story

Janine arrived at the practice early as she always did. She liked to have all systems up and running before the dentists arrived. As practice manager she felt responsible for the IT system, and she liaised with the practice IT consultant regularly to ensure it was functioning effectively.

When she logged on this morning however, a message appeared on the screen from the Australian Federal Police saying that the computer had been locked, that all activity on the computer had been recorded, and that to unlock the system, a fine would have to be paid. This was allegedly because the practice had violated copyright laws and someone had been viewing pornographic content.


Alarmed at this, Janine immediately rang Steve, the practice IT consultant.

“Is it true Steve? Has one of our staff been using our system illegally?” she asked.

“Let me have a look at it. I’ll use my remote login to check it out” Steve replied.

In the meantime, Tony, the principal, and Marla and Quong, the assistant dentists had arrived, and wanted to know why they couldn’t see the day list of their patients, and call up their records to start preparing for their arrival.

“How am I supposed to work without access to the patient files?” asked Quong.

Tony said “If the patients arrive before we get this fixed, we are just going to have to do our best without the system. Focus on what the patients are attending for, and use handwritten notes to record your observations and actions. Remember to add a note for each patient indicating that the system was down. We’ll scan these notes and add them in later when the system is restored.”

Steve rang back and spoke a little nervously to Janine, “I’m sorry to have to tell you that the system has been locked by ransomware. I’ll have to come and load up a backup file after we’ve done a complete flush of your current system.”

“What’s ransomware Steve, and how did it get onto our system? she asked.

“When I checked this out it seems that back in March 2012, Microsoft announced there was a vulnerability in their Remote Desktop Protocol. Since then hackers have been finding various ways to gain access to authorised accounts like Administrator, Staff or User. They throw a dictionary of passwords at these accounts, and if password protection is poor, they can get in and start doing whatever they like to your files. This ransomware approach doesn’t steal your files; it locks them with encryption which only the hackers know. They demand money to unlock your files, but this doesn’t mean they will actually do that if the money is paid.”

Janine was becoming more anxious, “What do we do then? Call the Police? How do we get our system back? I’ve got patients arriving now, and my dentists need the system to help them provide and record their care.”

“Thankfully we have been saving a complete offsite backup and we will be able to restore later today, although it will take me a while to go through all the processes,” Steve reassured her.

Janine reflected on what Steve had been saying, and felt she had to better understand the way this had come about.

“Are you saying that this happened because you left a network port open to be able to provide us with remote network support?

Steve paused and then offered his apologies, “I’m sorry Janine, I should have used another method to get remote access for your support services.”

After the dust had settled, Janine rang her friend Sally at a nearby practice and told her what had happened. Sally was very knowledgeable in regard to IT security within a practice and offered her the following advice:

“Regardless of whether you think you are vulnerable to external attack, ask your IT consultant to:

  • Apply the Microsoft Security update. This will probably require a reboot, so consider the right time to do it.
  • Ensure that your Administrator password is a hard one.
  • Verify if you have the standard Microsoft RDP port (3389) closed on your firewall to prevent someone external to connect to your PC or server via the Internet hack isn’t going to affect you. If it had been the standard access method replace it with LogMeIn or similar, which doesn’t require opening the firewall.
  • On the Computer that has RDP forwarded to it, open the Microsoft Event Viewer and have a look at the Security Log. Look for Audit Failures related to logins. If you are being hacked now, you’ll probably see thousands of attempts ticking over every few seconds. Scrolling back through the log over recent weeks, you could see many thousands of break in attempts.”

Sally said, “Our practice uses an offsite backup so we would probably be able to restore everything without too much trouble.”

Sally cautioned that “the offsite backup needs to be a complete, image-based backup if you are to have an effective disaster recovery plan. Given that the hackers are likely to have corrupted Windows when they encrypted the C Drive, an internet backup may not be good enough. Your IT consultant would need to manually reinstall and reconfigure everything on the computer, which could take some days and therefore be an expensive process.”

“Talk to your IT consultant about the difference between these backup methods and go for the one that will let you restore everything in one day”, Sally urged. She also advised Janine to report the situation to the police and to notify other relevant organisations so that information about the attack could be shared with other practices, including advice on how to avoid similar events.

Garry Pearson


While the practice in this story may be imaginary, the circumstances are real and the advice is sound. Computer infection control is another important risk management area for every practice. Make sure one of your staff is assigned responsibility for it, that they are given training support, and that it is addressed as a key part of your practice system. Practices using non-Microsoft systems may also be vulnerable, and specialist advice is required in all circumstances.