Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Ransomware Attack Impacts Hundreds of Dental Practices

After Vendor Systems Crypto-Locked by Malware, Practices Await File Restoration
Ransomware Attack Impacts Hundreds of Dental Practices
Ransom note for Sodinokibi ransomware, which has been tied to an attack that disrupted hundreds of dental practices' operations (Source: Malwarebytes)

A ransomware attack on a cloud services provider has affected hundreds of U.S. dental practices.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

The attack targeted West Allis, Wisconsin-based cloud services provider PerCSoft - which collaborated with its software partner, Digital Dental Record, on DDS Safe, a dental records and patient information back-up system.

In a statement, Digital Dental Record says that on the morning of Aug. 26, it learned that “ransomware had been deployed on the remote management software our product uses to back up client data.”

The statement adds: “Immediate action was taken to investigate and contain the threat. Our investigation and remediation efforts continue. Unfortunately, a number of practices have been and continue to be impacted by this attack”

Digital Dental Record says it's working with clients and PerCSoft to restore files. “Restoration is a slow and methodical process that could take several more days to complete. Additionally, we are actively communicating with clients to answer questions, facilitate contact with appropriate insurance carriers and address other business concerns.”

The company adds that it’s working with law enforcement officials on the investigation of the incident.

Dental Association Offers More Details

The Wisconsin Dental Association issued a statement on Thursday updating its members about the attack, saying that DDS Safe is a “WDA endorsed product” that is part of the WDA Insurance & Services Corp.

”WDAISC learned that ransomware had been deployed on the remote management software DDS Safe uses to back up client data. PerCSoft, the IT vendor for DDS Safe, took immediate action to contain the threat; however, roughly 400 practices around the country lost access to electronic files as a result of the virus,” the statement says.

The dental association’s statement adds: “PerCSoft assures us it is working to restore files as quickly and completely as possible, but restoration is a slow and methodical process that could take several days to complete.”

WDAISC “is working diligently to fully investigate the situation and ensure it has been contained,” the dental association says. “It is also working with the FBI’s cybercrime unit as part of the investigation and response.”

The association adds that “only a small percentage of the affected practices are in Wisconsin, and WDAISC and PerCSoft have been in touch with most of them.”

PerCSoft, Digital Dental Record and the Wisconsin Dental Association did not immediately respond to Information Security Media Group’s requests for comment and additional details about the incident.

Advanced Ransomware Strain?

According to security blogger Brian Krebs, the ransomware attack involved an “extremely advanced and fairly recent strain known variously as REvil and Sodinokibi.”

REvil/Sodinokibi is one of the most prominent ransomware families on the spectrum right now, says Max Henderson, senior security analyst and incident response lead at security consulting firm Ponderance. ”It was likely authored in Eastern Europe, as open-source analysis has revealed that it checks the keyboard language and exits if it is set to a specific language - for example Russian,” he notes (see Ransomware: As GandCrab Retires, Sodinokibi Rises).

The delivery mechanism for this particular type of ransomware varies widely, which shows the adversary is capable of adapting, he adds. "The author and actors behind this malware have exploited public-facing servers and have reportedly leveraged exploits for local privilege escalation and lateral propagation, which supports the need for a swift identification and remediation patch management program.”

PerCSoft reportedly paid a ransom, although it is not clear how much was paid, Kreb says. Some affected dental offices have reported that the decryptor from the attackers did not work to unlock at least some of the files encrypted by the ransomware, he adds.

So, why might a decryptor work for some clients’ impacted by the ransomware attack, but not others?

”The encrypt/decrypt tools are not exactly off-the-shelf software and often have bugs and issues,” says Caleb Barlow, CEO of security consultancy CynergisTek. ”That said, remember that ransomware is a business, and it is in the best interest of the adversary to ensure your files can be unlocked if you pay. If it does not work, their reputation suffers and future victims are less likely to pay.”

Although in many ransomware incidents, it's common for victims to communicate with the adversary to ask questions and even get support, Barlow says, " this is not a do-it-yourself exercise, and the best plan is to bring in a highly skilled incident response team that can help you through the process.”

Vendor Risk

A number of ransomware attacks have targeted vendors serving healthcare clients.

Earlier this year, Doctors Management Services, a West Bridgewater, Massachusetts-based medical billing services firm, revealed that a GandCrab ransomware attack affected 38 of its HIPAA covered entity clients and 207,000 of their patients.

Doctors Management Services said it was able to recover from the ransomware attack through using backups and did not pay a ransom.

An attack in June 2017 on medical transcription services firm Nuance involving NotPetya ransomware disrupted services to some clients for weeks as vendor recovered.

”With businesses rapidly moving workloads to the cloud, the security posture of the cloud provider has a direct impact on the integrity of data,” Barlow notes. ”Vendor security assessments need to include not only technical scanning but also comprehensive interviews of the vendor to understand their skills, procedures and response plans as it relates to a security incident."

Cloud vendors must be able to demonstrate that they not only have their “runbooks” in place for a variety of security incidents but also that they have simulated their response plans leveraging everyone from their security team to their senior executives, he adds.

In a recent ransomware attack in the dental sector not involving a vendor, Maitland Dentistry, a Maitland, Florida-based dental practice, discovered on July 17 that a ramsomware attack targeted a computer running the practice's QuickBooks accounting software.

The practice refused to pay a $10,000 cash ransom demanded by the attackers, and it worked with an accountant to restore five months of lost data, says dentist Carl Bilancione.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.