Ransomware gang breach data backup software used by hundreds of US dental offices

Ransomware gang breach data backup software used by hundreds of US dental offices
Credit: Unsplash

Hundreds of dental offices across the US have been crippled by a ransomware attack targeting a remote data backup service offered by a third-party.

PerCSoft and Digital Dental Record (DDR) — the two Wisconsin-based software companies — provide a solution called DDS Safe that delivers triple-layer protection by backing up sensitive medical records to the cloud, an offline workstation, and an in-office hard disk drive.

The irony here is that the attackers managed to breach this very infrastructure over the last weekend to deploy REvil (aka Sodinokibi) ransomware package on compromised devices. Interestingly, the strain is also responsible for the recent wave of infections across 23 local Texas agencies.

DDR was alerted to the attack on the morning of August 26, with roughly 400 dental practices across the country that rely on DDS Safe having their files locked out by the ransomware.

“Immediate action was taken to investigate and contain the threat. Our investigation and remediation efforts continue,” said Mark Paget, executive director of DDR. “Unfortunately, a number of practices have been and continue to be impacted by this attack.”

Digital Dental Record advertising DDS Safe on its website

PerCSoft owner Percy Chaby said in a Facebook update that the company has a decryption software at hand that it’s passing along to impacted clients to restore the files. But it didn’t elaborate on how it got hold of the decryptor — implying it paid the ransom to the threat actors. About 100 offices have had their records restored so far.

Security researcher Brian Krebs shared a screenshot of what appeared to be a conversation between PerCSoft and an affected dental office, in which the company said it was indeed paying the ransom. It’s not clear how much the attackers had demanded.

Neither company has publicly admitted to paying the ransom, at least yet.

The development comes as ransomware attacks targeting organizations and state-run facilities are proliferating, with the US accounting more than half of the detections around the world.

In a report published by cybersecurity firm Fidelis yesterday, REvil emerged as the fourth popular strain of ransomware (12.5 percent) employed by cybercriminals after Ryuk (23.9 percent), Phobos (17 percent), and Dharma (13.6 percent).

The incident is also the second time a managed service provider has been compromised to install ransomware on customers’ systems.

But news of companies simply yielding to extortion demands is symptomatic of a wider problem that’s enabling bad actors to mount more of these attacks, and on a larger scale.

A recent ProPublica investigation revealed how insurance companies are fueling the rise of ransomware threats by covering the cost minus a deductible — which is usually far less than the ransom demanded by attackers.

With hackers particularly going after companies that they know have cyber insurance, it has led to the advent of incident response firms that provide “cyber extortion negotiation services” and help companies recover data post infection.

“By rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies,” the report said.

Read next: Silly scammers attempt Bitcoin ATM fraud with homemade ‘out-of-order’ signs