[BreachExchange] Ransomware Hits Another IT Vendor, Impacting 100 Dental Providers

Destry Winant destry at riskbasedsecurity.com
Thu Dec 12 10:01:42 EST 2019


December 09, 2019 - Complete Technology Solutions, a Colorado-based IT
service vendor for dental practices, recently fell victim to a
ransomware attack, which spread to at least 100 of its dentistry
practice clients, according to Krebs on Security.

CTS provides those clients with various services, including data
backups, network security, and voice-over-IP phone service.

Several clients of CTS reached out to Krebs to report the ransomware
variant known as Sodinokibi was installed on more than 100 dentistry
businesses. Sodinokibi is a malware variant known to target IT managed
service providers and their clients. A Coveware analysis showed the
ransomware also targets larger organizations or their distributed
networks through their IT MSPs or hosting internet service providers.

The attack appears to have started on November 25, when the hackers
apparently compromised a remote administration tool used to remotely
configure and troubleshoot client offices. The function did not
require further authentication by the client to gain access.

CTS declined to pay the ransom demand of $700,000 to unlock data at
all impacted client offices.

Many providers are still reporting outages and are operating under
downtime. Some dental providers are attempting to regain access to
data from usable, offsite backups, but others are working with outside
security experts to negotiate with the hackers to pay a ransom to
decrypt the files of their own dental office.

Reportedly, hackers left multiple ransom notes and encrypted file
extensions at some of the infected offices, which is complicating
restoration efforts. For example, one victim with 50 total infected
devices received 20 ransom notes.

For now, the attack is still ongoing and many of the impacted offices
are continuing to turn away patients as a result of the system

CTS did not respond to a request for comment by time of publication.
This story will be updated if more information becomes available.

The CTS cyberattack comes just months after a similar attack on
another dental vendor, Digital Dental Record and PerCSoft. In August,
a ransomware attack on the vendors’ cloud remote management software
spread to at least 100 connected dental providers, which locked those
victims out of their medical records.

The attack lasted for more than a week, as victims attempted to unlock
files using the decryptor provided by the vendor.

The CTS event also bears hallmarks of the November ransomware attack on
the IT vendor Virtual Care Provider, which impacted more than 110
nursing homes and acute care facilities.

Hackers continue to launch ‘disruptionware’ attacks, where threat
actors attempt to disrupt business and continuity through malware
designed to halt operations, damage reputations, extort money, or
other malicious activities.

“For OT environments, disruptionware is particularly devastating when
it sequesters mission-critical systems and legacy systems that lack
redundancy,” according to the Institute for Critical Infrastructure

“Ransomware is currently the most common disruptionware component,
with incidents such as the LockerGoga ransomware campaign
demonstrating that even unsophisticated malware has the capacity to
bring businesses to a halt,” they added.

In light of the increase of these targeted attacks, the Office for
Civil Rights recently shared HIPAA-compliant techniques that can help
shore up healthcare defenses. And as threat detections on healthcare
endpoints have jumped 60 percent so far this year, Malwarebytes
recently stressed the need for better incident response planning and
improved detection technology.
