Global cybersecurity attack
On May 12, 2017, the Office of Information Security and Information Services received several media reports and government alerts informing us of a worldwide cyber-security attack targeting healthcare facilities. The payload of these attacks uses malicious software (malware), typically referred to as ransomware, to encrypt files on end-user devices and servers. Reports suggest that as many as 150 countries have been impacted by this malware and that it continues to spread throughout Europe. There have also been several unconfirmed reports that U.S. facilities have been impacted as well.
Faculty, students and staff are reminded to do their part in protecting against this threat:
- Scrutinize all email (both personal and business) and use extreme caution when clicking on links or opening attachments.
- For disaster recovery purposes, avoid saving UTMB data on your desktop or laptop. UTMB information should be saved in your “H”, “S” or iSpace drive. This allows for data recovery in case you fall victim to a ransomware attack.
To mitigate the risk associated with this threat, emergency security enhancements to UTMB's computing environment are currently underway. Approved enhancements include the following:
- Emergency security patch application to affected end-user devices and servers. Microsoft released a patch on March 14, 2017 to address vulnerabilities exploited by this malware. Information Services is identifying all systems that were not previously patched and applying the patch to them. Impact to the user community is minimal. Patch application will force a reboot.
- Microsoft’s Advanced Threat Protection (ATP) was enabled across the UTMB enterprise. Information Services had been testing this advanced capability for its own staff for the last several months and no issues were identified. ATP inspects all inbound internet email for malicious links and attachments. Malicious links will be blocked and users will be redirected to a warning webpage informing them of the hazard. Malicious attachments will be stripped from the email, and the body of the email will be delivered to the intended recipient without the attachment. This control is mostly transparent; however, users may notice that internet links point to microsoft.com instead of the original address. A slight delay in email delivery may occur as well. In addition to patching, this may be our best prevention solution because this is the primary attack vector used in the attacks on May 12th.
- A forced update to Malwarebytes, our anti-malware software, is being applied. This update will include the installation of an anti-ransomware application on end-user devices. This enhancement is mostly transparent to the end user; however, a new icon will appear on their desktop. On 32-bit Windows 7 computer configurations, the installation of the anti-ransomware software has caused issues. Desktop support staff continue to remediate systems that were negatively impacted by the installation of the anti-ransomware software.
- The firewall Intrusion Prevention Service (IPS) has been updated to block ransomware attacks and any attempts to exploit the vulnerabilities that are targeted by this malware. This service was previously in monitor mode only and has been moved to protect mode, meaning automatic protections will be applied if anything is detected. We do not anticipate any impact to the user community, but side effects are possible.
In conclusion, these enhancements should have minimal impact to the UTMB population and will greatly reduce risk to our environment. Information Services and the Office of Information Security will continue to review the effectiveness of current controls and take the appropriate steps to enhance where needed.
For further information, contact the UTMB Service Desk at 409-772-5200 or the Office of Information Security at 409-772-3838.