More than 100 Dental Practices Infiltrated in Ransomware Attack on Managed Service Provider

A Colorado IT company that dedicates itself to providing managed IT services to dental clinics has been hit with ransomware. Via the company's systems, over 100 dental clinics have also been targeted and have had ransomware deployed.

The attack on Englewood, CO-based Complete Technology Solutions (CTS) took place on November 25, 2019. According to a report published on KrebsOnSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to meet the ransom demands.

In order to supply IT services to the dental clinics, CTS can access their systems via a remote access tool. That tool seems to have been abused by the hackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware.

Some of the dental clinics targeted in the attack have been able to recover data from backups, specifically those practices that had a copy of their backup data stored safely offsite. Many dental clinics remain without access to their data or systems and are turning patients away due to constant system outages.

KrebsOnSecurity says some of those clinics are trying to negotiate with the hackers to obtain keys to unlock their own data.

Recovery has been made much more difficult in some cases by multiple ransom notes and file extensions. After meeting the ransom demand, it has only been possible to recover some of the encrypted data, which has meant paying again for additional keys to unlock the remaining encrypted files. Black Talon Security told KrebsOnSecurity that one dental clinic had 50 devices encrypted and received more than 20 ransom notes. A number of payments had to be made to recover records.

The attack is similar to the one that was carried out on the Wisconsin firm PerCSoft, through which around 400 dental clinics were attacked with ransomware in August 2019. PerCSoft supplies digital data backup services for dental clinics. Sodinokibi ransomware was also used in that attack.

It is becoming more and more common for ransomware gangs to target managed service providers. A single attack on a managed service provider can allow the hackers to attack hundreds of other companies, making the returns far higher.

A recent report published by Kaspersky Lab also confirmed that ransomware hackers are targeting backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files for free without paying the ransom.

The most recent attack shows just how crucial it is not only to ensure that backups of all critical data are made, but also to store at least one copy of a backup safely off site, on a non-networked device that is not accessible over the internet.