Complete Technology Solutions (CTS), an Englewood, Colorado-based IT firm that specializes in supplying managed IT services to over 100 dental practices, has been infiltrated as part of a ransomware attack.
Indications are that the attack was initiated at the end of November. KrebsOnSecurity published a report that revealed CTS was sent a request for $700,000 in ransom in exchange for the keys to unlock the encryption. However, the company opted not to pay the ransom.
The attack was made on CTS’ remote access tool, which was created to allow staff to log on to their systems. The cybercriminals were able to use that tool to log on to the database, including the systems of all its clients, and spread Sodinokibi ransomware.
Some of the dental practices impacted by the attack have been able to recover data from backups, specifically those that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are sending patients elsewhere because of ongoing system outages.
KrebsOnSecurity has reported that some of those dental clinics are trying to strike a deal with the cybercriminals to obtain keys to recover their own data.
Recovery has been complicated in some cases by multiple ransom notes and file extensions, which has meant that paying the ransom demand only made it possible to recover some of the encrypted data. As a result, these companies have had to pay again for more keys to unlock the remaining encrypted files. Black Talon Security told KrebsOnSecurity that one dental center had 50 devices encrypted and was sent in excess of 20 ransom notes. A number of payments had to be completed to recover their records.
The attack is similar to the one that was carried out at the Wisconsin firm PerCSoft, through which around 400 dental centers were attacked with ransomware in August 2019. PerCSoft provides digital data backup services for dental centers. Sodinokibi ransomware was also deployed in that attack.
It is becoming more and more common for ransomware gangs to focus on managed service providers. Just one attack on a managed service provider can allow the cybercriminals to attack hundreds of other companies, making the returns far greater.
A recent report by Kaspersky Lab also revealed that ransomware cybercriminals are focused on backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files at no charge, without paying the ransom.
The latest attack is yet another warning of how vital it is to ensure that backups of all important data are completed, and why it is essential for at least one copy of a backup to be stored securely offsite in an external location, on a non-networked device that is not accessible via the internet.