Ransomware at Colorado IT Provider Affects 100+ Dental Offices

A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.

Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.

Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.

The attack on CTS, which apparently began on Nov. 25 and is still affecting many of its clients, comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.

From talking to several companies hit and with third-party security firms called in to help restore systems, it seems that CTS declined to pay an initial $700,000 ransom demand for a key to unlock infected systems at all customer locations.

Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s spoken with multiple practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with outside experts to independently negotiate and pay the ransom for their practice only.

Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.

“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”

“My experience has been very different,” said dental practitioner based in Las Vegas. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”

There is one aspect of this attack has massively complicated restoration efforts, even at practices that have negotiated paying the ransom demand: Specifically, two sources said that victim several offices were left with multiple ransom notes and encrypted file extensions.

As a result, the decryption key supplied by the attackers only unlocked some of the scrambled files, requiring affected dental practices to expend further time, effort and expense to obtain all the keys needed to fully restore access to their systems.

Gary Salman is CEO of Black Talon Security, a cybersecurity firm based in New York that assisted several CTS clients in the recovery process. Salmon said he wasn’t certain why the attackers chose to operate this way, but that the most likely explanation is that the attackers stand to gain more financially from doing so.

“For one network we recovered that had 50 devices in total, they had to turn in more than 20 ransom notes to fully recover,” Salman said, adding that the attackers may just be hedging against the possibility that different affected practices could save money by sharing the same decryption key. “In the end, [the attackers] are going to walk away with a lot more money than they would have gotten had [CTS] just paid the $700,000.”

Salman said the intruders seem to have compromised a remote administration tool used by CTS to configure and troubleshoot systems at client dental offices remotely, and that this functionality did not require additional authentication on the part of the client before that connection could be established.

“What a lot of these IT services companies do is have active sessions back to every single client computer, so that so when someone from a client calls the IT provider can log right in and resolve any of these issues,” he said.

“Many IT providers will use remote administration services that require a unique [one-time code] that the client has to type in before that remote session is initiated,” Salman continued. “But other [IT providers] don’t want to do that because then it’s harder for them to manage these systems after-hours or when the user is away from their system. But ultimately, it comes down to security versus ease-of-use, and a lot of these smaller businesses tend to move toward the latter.”

Medix’s Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.

“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”

Update, Dec. 8, 1:21 p.m. ET: Added additional perspective and details gathered by Black Talon Security.Also, an earlier version of this story incorrectly stated that the ransomware attack began this past week. Multiple source now confirm that the Sodinokibi ransomware was initially deployed in the early morning hours of Monday, Nov. 25, and that many victim dental offices are still turning away patients as a result of ongoing system outages.