More than 100 dental practices have had essential files encrypted as a result of a ransomware attack on an IT service provider.
On November 25, 2019, the Englewood, Colorado-based IT firm Complete Technology Solutions (CTS) was attacked and its data was encrypted by Sodinokibi ransomware, aka REvil. The firm was reportedly issued with a ransom demand of $700,000 in cryptocurrency for the keys to unlock the encrypted files. The firm refused to pay.
The attackers used the remote access tool CTS uses to access the systems of its clients. This allowed them to deploy their ransomware on its clients’ systems. Some of the affected dental practices have been able to recover their files from backups, but many still have systems out of action and have had to turn patients away due to the ongoing outages.
The companies that have started to recover their files had backups stored off-site. It would appear that many of the affected practices did not and have been forced to negotiate with the attackers to try to obtain keys to unlock their data.
The attack was reported by KrebsOnSecurity, which made contact with several dental practices affected by the attack, along with some of the security companies that are helping them recover. One company explained that the remote access tool that was used did not require further authentication from the client before a connection could be established, which made attacks on its clients easy.
That may not be the fault of the IT company. Dental practices are often unwilling to pay for the protection they need and end up opting for the lowest-cost, easiest-to-manage solution, even though that option may not equate to great security. This attack serves as a warning to others that you often get what you pay for, and when it comes to cybersecurity, paying the minimum amount is not usually the best policy.
Recovery is progressing for some, but there have been problems even after the ransom was paid. At least one company had to pay again when the decryptor only partially worked. It would appear that some practices have had multiple ransom notes saved to their devices and more than one extension has been used on encrypted files. The decryptors supplied therefore only worked on some of the machines. One affected practice had more than 20 ransom notes covering the 50 or so devices affected by the attack.
This is the second major ransomware attack of the year to hit multiple dental practices. In August, PerCSoft, a data backup solution provider for dental offices, was also attacked and Sodinokibi ransomware was installed. Around 400 dental practices were impacted by the attack.
Ransomware attacks on managed service providers are becoming much more common and it is easy to see why. Compromise the MSP and the attacker has access to the systems of most of its clients. That means a lot more ransoms are likely to be paid.
It was a similar story for the Wisconsin-based IT service provider Virtual Care Provider, Inc. It was attacked with ransomware on November 17, 2019. Ryuk ransomware was used but the effect was the same. More than 110 nursing homes were prevented from accessing patient records. In that attack, the service provider was issued with a ransom demand of around $14 million, which it could not afford to pay.