The Open Door: How One Forgotten Remote Login Locked a Dental Practice Out for 9 Days
Ransomware rarely kicks the door down. More often it finds a door someone left unlocked years ago and forgot about. That is exactly what happened to a 12-person dental practice that lost access to every patient record, every X-ray, and its entire schedule for nine days. Here is the chain of events, and the handful of controls that would have stopped it.
The setup
Years earlier, an IT contractor had turned on Remote Desktop on the front-desk computer so he could fix things without driving over. The contractor moved on. The remote login stayed on, exposed to the open internet, protected by a single password that had never been changed.
The trigger
Automated bots scan the internet around the clock looking for exactly this. They found the open login, guessed the weak password in a matter of hours, and quietly let themselves in after business hours. Over a weekend the attackers mapped the network, found the practice management server, deleted the local backups they could reach, and triggered the encryption. Staff arrived Monday to locked screens and a ransom note.
Why it worked
- An exposed remote login. Remote Desktop open to the whole internet is one of the most common ways ransomware gets in.
- A weak, unchanged password and no MFA. One guessed password was the only thing standing in the way.
- Backups the attacker could reach. The only backups were on the same network, so they were encrypted too.
- No alerting. A weekend of failed logins and a successful one at 2 a.m. raised no alarm.
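The alert that was missing in the last bullet can be expressed as a short rule over Windows Security log events. This is an added example, not code from the incident or from any product: it flags a successful remote logon (event 4624) that follows a burst of failed ones (event 4625) from the same address, and marks whether it happened outside office hours. The event field names, thresholds, office hours and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
REMOTE_TYPES = {3, 10}         # 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA)

def find_guessed_logons(events, threshold=20, window=timedelta(hours=1),
                        open_hour=8, close_hour=18):
    """Return alerts for remote logons that succeed after a failure burst from the same IP."""
    recent_failures = defaultdict(deque)   # src_ip -> timestamps of failures inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in REMOTE_TYPES:
            continue
        fails = recent_failures[ev["src_ip"]]
        while fails and ev["time"] - fails[0] > window:
            fails.popleft()                # forget failures older than the window
        if ev["event_id"] == FAILED:
            fails.append(ev["time"])
        elif ev["event_id"] == SUCCESS and len(fails) >= threshold:
            off_hours = (ev["time"].weekday() >= 5
                         or not open_hour <= ev["time"].hour < close_hour)
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "time": ev["time"],
                           "failures_in_window": len(fails), "off_hours": off_hours})
            fails.clear()                  # one alert per burst
    return alerts

def sample_events():
    """Constructed sample data, not taken from the incident described above."""
    start = datetime(2024, 3, 9, 1, 30)    # a Saturday, 01:30
    events = [{"time": start + timedelta(seconds=40 * i), "event_id": FAILED,
               "logon_type": 3, "src_ip": "203.0.113.50", "user": "frontdesk"}
              for i in range(45)]
    events.append({"time": start + timedelta(minutes=30), "event_id": SUCCESS,
                   "logon_type": 10, "src_ip": "203.0.113.50", "user": "frontdesk"})
    # Benign case: one mistyped password, then a normal Monday-morning logon
    events.append({"time": datetime(2024, 3, 11, 8, 59), "event_id": FAILED,
                   "logon_type": 10, "src_ip": "10.8.0.4", "user": "hygienist1"})
    events.append({"time": datetime(2024, 3, 11, 9, 0), "event_id": SUCCESS,
                   "logon_type": 10, "src_ip": "10.8.0.4", "user": "hygienist1"})
    return events

if __name__ == "__main__":
    for alert in find_guessed_logons(sample_events()):
        print(alert)
```

A rule like this only helps if its output reaches a person, for example as an email or text message to whoever looks after the practice's IT.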
The fix, and what it would have cost
Closing the exposed remote login (or putting it behind a VPN), adding multi-factor authentication, and keeping one backup copy offline or immutable would have broken this chain at three separate points. None of it is expensive. The practice instead paid for emergency recovery, lost nine days of revenue, and had to notify patients of a privacy incident. The bill ran well into the tens of thousands of dollars.
The hard part is not the tools. It is knowing which forgotten doors are still open in your business before someone else finds them. For the full step-by-step, see our Playbook on ransomware readiness.