Agencies warn US healthcare about growing threat in ransomware attack
U.S. healthcare institutions still face an increased threat of falling victim to the global WannaCry ransomware virus that has so far affected 150 countries.
“Recently, attackers have been scanning the Internet for Remote Desktop Protocol (RDP) servers open to the Internet. Once connected, an attacker can try to guess passwords for users on the system or look for backdoors giving them access. Once in, it is just like they are logged onto the system from a monitor and keyboard,” the U.S. Department of Health and Human Services said in an alert issued this weekend.
The Office for the National Coordinator for Health IT issued the following warning to providers: “The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware. Report any ransomware incidents to the Internet Crime Complaint Center (IC3).”
The ransomware is believed to have come from U.S. National Security Agency hacking tools released by Wikileaks in the spring.
While the ransomware’s spread was halted this weekend when a researcher stumbled on a way to block it by registering a domain name referenced in the malicious code, officials said it would likely pick up again on Monday as workers log into machines for the first time since the attack hit Friday.
The attack largely crippled the U.K. National Health Service, taking about 20 percent of its trusts offline. Global shipper FedEx, the Russian Interior Ministry and Spain's Telefonica utility were also affected. On Monday, French automaker Renault also said it had been hit by the attack.
HHS advised U.S. healthcare providers to disable Remote Desktop Protocol services where they can, and otherwise to allow RDP network access only from where it is needed.
“Block other network connections using Access Control Lists or firewalls and especially from any address on the Internet,” the agency said.
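The two HHS recommendations above (restrict RDP, keep SMB off the Internet) together with the SMBv1/MS17-010 advice from ONC, written up as an added PowerShell audit-and-harden script for a single Windows host. This is example code, not part of the HHS alert; the management subnet and the MS17-010 KB list are assumptions to be replaced with your own values.

```powershell
# Added example (not from the HHS alert): audit a Windows host for the
# exposures named in the alert, then apply the recommended restrictions.
# $ManagementSubnet and $Ms17010Kbs are assumptions; set them for your site.
param(
    [string]$ManagementSubnet = "10.0.10.0/24",  # assumed: only source allowed for RDP/SMB
    [string[]]$Ms17010Kbs = @("KB-PLACEHOLDER")   # placeholder: MS17-010 KB ids for this OS build
)

# 1. Is the SMBv1 server still enabled? (the protocol MS17-010 addresses)
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server enabled: $smb1"

# 2. Is an MS17-010 update installed?
$patched = $Ms17010Kbs | Where-Object { Get-HotFix -Id $_ -ErrorAction SilentlyContinue }
Write-Host "MS17-010 update found: $([bool]$patched)"

# 3. Is RDP accepting connections? (fDenyTSConnections = 0 means enabled)
$ts = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpOn = ($ts.fDenyTSConnections -eq 0)
Write-Host "RDP enabled: $rdpOn"

# --- Mitigations, in the order the alert lists them ---

# Disable SMBv1 on the server side (a reboot is needed for full effect).
if ($smb1) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }

# RDP: if it must stay on, replace the stock "any address" allow rules
# with one scoped to the management subnet.
if ($rdpOn) {
    Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName "RDP from management subnet only" `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
}

# SMB (TCP 445): same treatment, so Internet addresses can never reach it.
# Note: this group also covers NetBIOS and ICMP rules for file sharing.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "SMB from management subnet only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $ManagementSubnet -Action Allow | Out-Null

# Anything not explicitly allowed is dropped on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
```

Run it from an elevated PowerShell session; the audit lines at the top are safe to run on their own if you only want the findings before changing anything.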
HHS also said it is taking the following actions:
- HHS Office of the Chief Information Officer implemented enterprise blocks across all OpDivs and StaffDivs and is ensuring all patches are up-to-date.
- HHS is working with Department of Homeland Security to scan HHS’ CIDR IP addresses through the DHS NCATS program to identify RDP and SMB.
- HHS notified VA and DHA and shared cyber threat information.
- HHS is coordinating with National Health Service and UK-CERT.
- HHS, through its law enforcement and intelligence resources with the Office of Inspector General and Office of Security and Strategic Information, has ongoing communications and is sharing and exchanging information with other key partners including DHS and the FBI.
Twitter: @HenryPowderly
Contact the author: henry.powderly@himssmedia.com