U.S. healthcare institutions still face an increased threat of falling victim to the global WannaCry ransomware threat that has so far affected 150 countries.

“Recently, attackers have been scanning the Internet for Remote Desktop Protocol (RDP) servers open to the Internet. Once connected, an attacker can try to guess passwords for users on the system, or look for backdoors giving them access.  Once in, it is just like they are logged onto the system from a monitor and keyboard, the U.S. Department of Health and Human Services said in an alert issued this weekend.

[Also: Researcher finds ‘kill switch’, slows down global ransomware attack]

The Office for the National Coordinator for Health IT also issued the following warning to providers: “The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1).  For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010.  Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware.  Report any ransomware incidents to the Internet Crime Complaint Center (IC3).”

The ransomware is believed to have come from U.S. National Security Agency hacking tools that were released by Wikileaks in the spring.

While the ransomware’s spread was halted this weekend after a researcher stumbled on a way to block it by registering a domain name referenced in the malicious code, officials said it could likely pick up on Monday as workers log into machines for the first time since the attack hit Friday.

The attack largely crippled the U.K. National Health Service, taking about 20 percent of its trust offline. Global shipper Fed-Ex, the Russian Interior Ministry and Spain’s Telefonica utility were also affected. On Monday, French automaker Renault also said it had been hit by the attack.

HHS advised that U.S healthcare providers to disable remote desktop protocol services is they can, or to only allow RDP network access where needed. 

“Block other network connections using Access Control Lists or firewalls, and especially from any address on the Internet,” the agency said.

HHS also said it is taking the following actions:

– HHS Office of the Chief Information Officer implemented enterprise block across all OpDivs and StaffDivs and is ensuring all patching is up to date.

– HHS is working with Department of Homeland Security to scan HHS’ CIDR IP addresses through the DHS NCATS program to identify RDP and SMB.

– HHS notified VA and DHA and shared cyber threat information.

– HHS is coordinating with National Health Service and UK-CERT.

– HHS through its law enforcement and intelligence resources with the Office of Inspector General and Office of Security and Strategic Information, have ongoing communications and are sharing and exchanging information with other key partners including the US Department of Homeland Security and the Federal Bureau of Investigation.