Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed on their networks.

The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom.

In order to provide IT services to the dental practices, CTS is able to logon to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware.

Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to ongoing system outages.

KrebsonSecurity reports that some of those practices are trying to negotiate with the attackers to obtain keys to unlock their own data.

Recovery has been complicated in some cases due to multiple ransom notes and file extensions, which has meant it has only been possible to recover some of their encrypted data after paying the ransom demand. That has meant paying again for further keys to unlock the encrypted files. Black Talon Security told KrebsonSecurity that one dental practice had 50 devices encrypted and received more than 20 ransom notes. Multiple payments had to be made to recover records.

The attack is similar to the one that was conducted on the Wisconsin firm PerCSoft, through which around 400 dental offices were attacked with ransomware in August 2019. PerCSoft provides digital data backup services for dental offices. Sodinokibi ransomware was also used in that attack.

It is becoming increasingly common for ransomware gangs to target managed service providers. A single attack on a managed service provider can allow the attackers to attack hundreds of other companies, making the returns far higher.

A recent report by Kaspersky Lab also confirmed that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files for free without paying the ransom.

The latest attack shows just how important it is not only to ensure that backups of all critical data are made, but why it is essential for at least one copy of a backup to be stored securely off site, on a non-networked device that is not accessible over the internet.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.