A Colorado company that specializes in providing IT services to dental offices suffered a ransomware attack that is disrupting operations for more than 100 dentistry practices, KrebsOnSecurity has learned.
Multiple sources affected say their IT provider, Englewood, Colo. based Complete Technology Solutions (CTS), was hacked, allowing a potent strain of ransomware known as “Sodinokibi” or “rEvil” to be installed on computers at more than 100 dentistry businesses that rely on the company for a range of services — including network security, data backup and voice-over-IP phone service.
Reached via phone Friday evening, CTS President Herb Miner declined to answer questions about the incident. When asked about reports of a ransomware attack on his company, Miner simply said it was not a good time and hung up.
The attack on CTS, which apparently began on Nov. 25 and is still affecting many of its clients, comes little more than two months after Sodinokibi hit Wisconsin-based dental IT provider PerCSoft, an intrusion that encrypted files for approximately 400 dental practices.
From talking to several companies hit and with third-party security firms called in to help restore systems, it seems that CTS declined to pay an initial $700,000 ransom demand for a key to unlock infected systems at all customer locations.
Thomas Terronez, CEO of Iowa-based Medix Dental, said he’s spoken with multiple practices that have been sidelined by the ransomware attack, and that some CTS clients had usable backups of their data available off-site, while others have been working with outside experts to independently negotiate and pay the ransom for their practice only.
Many of CTS’s customers took to posting about the attack on a private Facebook group for dentists, discussing steps they’ve taken or attempted to take to get their files back.
“I would recommend everyone reach out to their insurance provider,” said one dentist based in Denver. “I was told by CTS that I would have to pay the ransom to get my corrupted files back.”
“My experience has been very different,” a dental practitioner based in Las Vegas replied. “No help from my insurance. Still not working, great loss of income, patients are mad, staff even worse.”
One aspect of this attack has massively complicated restoration efforts, even at practices that have negotiated payment of the ransom demand: two sources said that several victim offices were left with multiple ransom notes and multiple encrypted file extensions.
As a result, the decryption key supplied by the attackers only unlocked some of the scrambled files, requiring affected dental practices to expend further time, effort and expense to obtain all the keys needed to fully restore access to their systems.
Gary Salman is CEO of Black Talon Security, a New York-based cybersecurity firm that assisted several CTS clients with recovery. Salman said he wasn’t certain why the attackers chose to operate this way, but that the most likely explanation is that they stand to gain more financially from doing so.
“For one network we recovered that had 50 devices in total, they had to turn in more than 20 ransom notes to fully recover,” Salman said, adding that the attackers may just be hedging against the possibility that different affected practices could save money by sharing the same decryption key. “In the end, [the attackers] are going to walk away with a lot more money than they would have gotten had [CTS] just paid the $700,000.”
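As an added illustration of the triage problem described above and in Salman’s 50-device, 20-note example (this is not code from the article, CTS or Black Talon), the script below walks a recovered file share and counts how many distinct ransom notes, and therefore keys, a practice would need before any negotiation starts. It assumes the per-host naming pattern commonly reported for this ransomware family (a random extension appended to each file and a note named `<ext>-readme.txt` dropped beside them); the sample tree it builds is constructed for the demonstration.

```python
"""Count how many distinct ransom keys a recovered file share will need.

Added example for this article; it is not code from KrebsOnSecurity, CTS or
Black Talon. ASSUMPTION: the per-host naming pattern commonly reported for
Sodinokibi/REvil, i.e. every encrypted file gets one random extension and a
note named '<ext>-readme.txt' is dropped beside it. Each distinct extension
therefore implies a separate key (and a separate note to "turn in").
"""
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Note filename pattern (assumed, see module docstring): e.g. 'k3j9x-readme.txt'
NOTE_RE = re.compile(r"^(?P<ext>[0-9a-z]{5,10})-readme\.txt$", re.IGNORECASE)


def inventory(root):
    """Walk `root` and map each ransom-note extension to its notes and file count.

    Returns {ext: {"notes": [note paths], "files": n_encrypted_files}}.
    Only extensions that have a matching note are reported, so ordinary
    files such as .docx never show up as 'encrypted'.
    """
    notes = defaultdict(list)   # ext -> paths of ransom notes naming that ext
    by_ext = defaultdict(int)   # ext -> number of files carrying that extension
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            match = NOTE_RE.match(name)
            if match:
                notes[match.group("ext").lower()].append(os.path.join(dirpath, name))
                continue
            ext = Path(name).suffix.lstrip(".").lower()
            if ext:
                by_ext[ext] += 1
    return {ext: {"notes": sorted(paths), "files": by_ext.get(ext, 0)}
            for ext, paths in notes.items()}


def keys_needed(inv):
    """Distinct extensions == distinct decryption keys the practice must obtain."""
    return len(inv)


def hosts_by_ext(root, inv):
    """Map each extension to the top-level directories (one per host in the
    sample) holding its notes, to see whether one key covers several machines."""
    root = Path(root)
    result = {}
    for ext, info in inv.items():
        hosts = {Path(p).relative_to(root).parts[0] for p in info["notes"]}
        result[ext] = sorted(hosts)
    return result


def build_sample_tree():
    """Constructed sample data (not from the incident): two hosts, each with its
    own random extension; host-b has notes in two folders, plus one clean file."""
    root = Path(tempfile.mkdtemp(prefix="revil-triage-"))
    layout = {
        "host-a/charts": ("k3j9x", ["smith.pdf", "jones.pdf", "ledger.xlsx"]),
        "host-b/images": ("p0q2zz", ["pano1.dcm"]),
        "host-b/docs": ("p0q2zz", ["forms.docx"]),
    }
    for sub, (ext, names) in layout.items():
        folder = root / sub
        folder.mkdir(parents=True)
        for name in names:
            (folder / f"{name}.{ext}").write_bytes(b"\x00" * 16)  # stand-in ciphertext
        (folder / f"{ext}-readme.txt").write_text("constructed note placeholder\n")
    (root / "host-b" / "clean.docx").write_bytes(b"untouched")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    inv = inventory(sample)
    print(f"{keys_needed(inv)} distinct key(s) needed")
    for ext, hosts in hosts_by_ext(sample, inv).items():
        print(f"  .{ext}: {inv[ext]['files']} files, "
              f"{len(inv[ext]['notes'])} note(s), hosts={hosts}")
```

Run against a real share, the extension-to-host map shows immediately whether one purchased key will unlock more than one machine, which is the question Salman’s clients had to answer note by note.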
Salman said the intruders seem to have compromised a remote administration tool used by CTS to configure and troubleshoot systems at client dental offices remotely, and that this functionality did not require additional authentication on the part of the client before that connection could be established.
“What a lot of these IT services companies do is have active sessions back to every single client computer, so that when someone from a client calls, the IT provider can log right in and resolve any of these issues,” he said.
“Many IT providers will use remote administration services that require a unique [one-time code] that the client has to type in before that remote session is initiated,” Salman continued. “But other [IT providers] don’t want to do that because then it’s harder for them to manage these systems after-hours or when the user is away from their system. But ultimately, it comes down to security versus ease-of-use, and a lot of these smaller businesses tend to move toward the latter.”
Medix’s Terronez said the dental industry in general has fairly atrocious security practices, and that relatively few offices are willing to spend what’s needed to fend off sophisticated attackers. He said it’s common to see servers that haven’t been patched for over a year, backups that haven’t run for a while, Windows Defender as the only point of detection, non-segmented wireless networks, and the whole staff having administrator access to the computers — sometimes all using the same or simple passwords.
“A lot of these [practices] are forced into a price point on what they’re willing to spend,” said Terronez, whose company also offers IT services to dental providers. “The most important thing for these offices is how fast can you solve their problems, and not necessarily the security stuff behind the scenes until it really matters.”
Update, Dec. 8, 1:21 p.m. ET: Added additional perspective and details gathered by Black Talon Security. Also, an earlier version of this story incorrectly stated that the ransomware attack began this past week. Multiple sources now confirm that the Sodinokibi ransomware was initially deployed in the early morning hours of Monday, Nov. 25, and that many victim dental offices are still turning away patients as a result of ongoing system outages.
What’s worse, getting your dental records encrypted with ransomware or getting a root canal ?
The latter sounds like the delivery method for a rootkit.
Oh, I totally agree. Dental offices are the worst regarding computer security. I recently went to my dental office and, in the process of explaining some paperwork-related stuff to me, the receptionist turned her monitor so I could see the screen. I was shocked to realize that they were still running a version of Windows XP.
So I guess charging $200+ just for cleaning + quick exam is not enough to pay someone to do proper IT.
It’s not dental offices specifically, it’s their records management provider and their imaging providers.
Patterson still requires you have local admin privileges to run their Eaglesoft software. Their response when questioned about it is to “get better antivirus and a better firewall”.
CareStream sets up their pano imaging software by disabling the firewall, disabling antivirus, disabling smart screen, and running as an administrator.
These companies are clueless.
Even worse on Carestream…they have a “workaround” for issues involving running the server software that involves admin credentials stored in the registry in plain text.
That would be their licensing key…which only runs when the server is logged in. Dumb idea, imo.
I helped an orthodontist with his IT setup many years ago. His software vendor had kindly spec’d out all the PCs that would be needed. Except I noticed the list was one short. So I inquired with the office staff and they said, and I quote “Ortho2 (their practice management software vendor) said we could use the server as a workstation.”
No amount of explanation on my part of why it was an extremely bad idea could get through to them.
It’s a sad fact that many of these niche software vendors have incredibly poor coding practices. They develop on systems using admin credentials and take shortcuts on security. Their programmers are not trained or proficient in best practices and it shows.
It’s not that the companies providing the software services are clueless. Rather that the people they work for, the dentist offices, are clueless. That allows them to get away with practices that would be criminally negligent in some more regulated industries, or if the dentist offices were less clueless and more demanding. Suing after-the-fact isn’t going to be operable for long. These service providers will simply file bankruptcy, reincorporate elsewhere, and leave everyone else holding the bag.
Dental EHRs, in both cloud-based and premises-based servers, are not only increasingly more expensive and increasingly more dangerous than paper, but they also require far more training and expertise than a working knowledge of alphabetical order. Yet digital offers dental patients NO TANGIBLE BENEFITS over paper. Just ask anyone.
EHRs are a billing tool which not only eliminates the cost of data entry for insurers, but leverages control of providers’ and patients’ treatment decisions by employing strategic complexities in receiving payment. All that digital offers dentists is convenience – expensive, dangerous convenience.
If Americans knew the truth, they would stick to paper dental records. The business of dentistry is simply not so complicated that it requires computerization. After all, a dentist bills for treatments involving only the lower 1/3 of the face, and since dentistry is so intricate, dentists can only safely treat a dozen or so patients a day – compared to 40 or more for physicians. Very large dental practices have thrived without computers for decades.
But.. but.. with film we have to wait for the xrays to develop Dr. Pruitt!
Disclaimer I’m a developer for a cloud-based dental management software that has not yet been featured on krebs.
I want to address a few things that you’ve said. First no tangible benefits. I can list a few — off-site backup, quickly looking up patient records, finding patients that have extra insurance and are due for a check-up, and all the business intelligence stuff you get by having your business on one platform.
> The business of dentistry is simply not so complicated that it requires computerization.
Are you sure? And, based on this reasoning do we *require* computerization anywhere?
There are very real risks that come with these systems — especially cloud-based because of how large the target is painted on successful cloud-based software providers. But these risks can be mitigated.
Name-drop your product. I’m always looking for something to replace Eaglesoft…especially if it’s web-based. We can drop $50k in Microsoft license BS every 3-5 years if we can move to a web-based system.
“Especially if it’s web based”…
This is exactly what I mean about clueless dental practices. Only the biggest idiots base their entire business record system on web based software. Name drop YOUR business so I can avoid it.
“I’m sorry, sir, but our ISP is down and we can’t access your records.”
“I’m sorry, Ma’am, but I’m going somewhere with more brains than this chicken dentist outfit.”
If EHR is so dumb, and paper is so great, tell me about the last backup of all those paper records.
You don’t backup paper? REALLY?
I know a local dentist that spent a hot Sunday afternoon drying all the legacy paper records on the sidewalk in front of her office. The AC system dumped a tray full of condensate into the storage room.
Her EHR records were completely unaffected.
> Her EHR records were completely unaffected.
…and I know a bunch of Colorado dentists who just had their EHR records demolished… 😉
There are substantial benefits to EHR vs paper records.
Start with eliminating the need to store physical copies of every patient chart, including all of the paperwork from each visit and every xray they’ve had taken. Some clinics have entire rooms dedicated to storing just their ‘active’ patients, with charts for inactive patients being boxed up and shipped out to a warehouse. It was no small task to pull patients’ charts ahead of each appointment, and to maintain those charts. Now, just type in the patient identifiers and you have their entire history available instantly.
Digital records are also portable, both within a clinic/chain and between external clinics. A dentist can access the same patient records from their desk that the Hygienist is currently working with in the operatory, and review the patient’s history as well as their newly taken xrays before they go in to see the patient.
Let’s say that patient goes to a different clinic within the same group/chain next time they have a toothache. The new clinic has instant access to the entire patient record, even if that patient has never been seen at that location before. Now, maybe that toothache requires oral surgery or other treatment that the clinic doesn’t perform in house. Instead of making physical copies of the relevant records for the patient to take with them when you refer them to another provider, the records can be sent electronically with the referral. The outside provider has access and can review them in advance, saving time for everyone involved.
That’s just scratching the surface. Other benefits include improved accuracy, automation, reducing the chance for human error, faster claim processing and payment, the ability to maintain backups of the data, including offline and offsite backups…
If these clinics, or their service provider, had regular backups that were stored offline and offsite, they could have restored the data from just before the ransomware infection, and been back up and running the next day with the only loss being records created/updated after that backup was taken. Instead, they have now had their doors closed for over 2 weeks and counting.
If anything, the problem is that many medical and dental offices have been too slow to adopt EHR and take advantage of the benefits.
When the next Carrington Event occurs every practice that uses EHR without paper backups is out of business, period. I cut my milk teeth in semiconductor fabrication, specifically data conversion products. People just don’t realize how fragile electronics components are to something like EMP, whether man-made or natural. Paper can last thousands of years, manufactured correctly and kept correctly. How long is that hard disk surface good for?
Yes, and horses never run out of gas. There may be some logic to your argument, but it is largely irrelevant. Computers are here to stay.
> Terronez said the dental industry in general has fairly atrocious security practices
Pick a profession–law, accounting, psychiatry, architecture…you name it. All have experts on the profession being practiced, but zero IT knowledge. I see this all the time. They’re all out there–sitting ducks for this kind of thing. They don’t take it seriously until it happens. How many have backed up to off-line storage?
I’ll take “Things that are worse than a root canal.” for $700,000 Alex!
I was at my Littleton, CO dentist about two weeks ago. Having read about the Wisconsin attack, I inquired with my long time dentist and his young hygienist as to their knowledge of ransomware attacks in general. They had no clue. I’m thinkin’ they might have one now…
These dentistries are all under HIPAA and should be reporting this as a breach unless specific circumstances permit an exception. I wonder, will they?
The other largely regulated industry, finance, has a lot more regular auditing to keep security practices in line. HIPAA needs to catch up. Granted it’s a daunting task given the healthcare landscape.
These Managed Service Providers are going to have to step up their game as well. They should have signed BAAs with the dentist practices. MSPs ought to have their own audits in place (i.e. SOC2, ISO27001, etc) to help ensure good security. A healthcare service should demand this during vendor selection.
What people don’t realize is that it takes more training and certification to become a plumber or electrician than it does to become a self proclaimed “IT Professional”, “Solutions Architect”, or MSP. I’ve even seen Amazon employed AWS certified individuals who are very successful in selling solutions yet lack a basic understanding of how systems work or how to secure them. This is why so many “breaches” are nothing more than misconfigured database instances or S3 buckets.
Those offices that must comply with HIPAA do have annual auditing requirements…ha…but…ha…the requirement for a risk assessment, well, that is a yes/no question.
It is a half a$$ed requirement.
A doc who gets it, does it right…or at least puts effort in to do it right.
The others just check the Yes box.
What was the attack vector? What platform/technology was the MSP using to manage these dental clients? Please don’t tell me it was just RDP!
It would appear that they are using ConnectWise Control (formerly Screen Connect) which has been leveraged in similar attacks.
Robert is right about IT security being a problem with most professions. They can outsource a lot of their work, but they themselves are ultimately responsible for their own security, and they don’t realize this until too late. I wonder if a small to medium professional outfit would be better off getting out of the cloud (as much as realistically possible) and doing more in-house. Perhaps they could either hire a permanent IT security guy/gal or have a REAL security consultant available on a regular basis.
Complete Technology Solutions LLC home page, “No other IT firm can touch our…range of experience…, or our ability to deliver technology solutions that work exactly the way you want them to [experience not keeping malware- ransomware from communicating with our network]”.
Robert Scroggins, “IT security being a problem with most professions”, including for this managed service provider for dental offices, and the MSP mentioned last month for nursing homes. I wouldn’t be content with the way these two companies recently ran MSP anti-malware intrusion.
Backdoor trojan Tofsee…Kryptik malware communicating with the Complete Technology Solutions mail service since September 5, 2019, into their network:
From the article, Complete Technology Solutions “suffered a ransomware attack this week”. Malware communications were detected three months before the attack.
I own a 2.5 doctor veterinary practice that used CTS.
We know veterinary medicine, not computers.
They consistently told us that they had to disable the firewalls on each computer in the office so that their system could work. They stated that they had “the best firewall in the industry in front of ” our server. For this, we were paying approx $700 a month.
If we did not have an on site data backup and paper charts, we would be wiped out.
None of our phone calls or emails have been answered by CTS. Herb continues to send out platitude-laden emails with no helpful content.
Thankfully, animals have no rights under HIPAA!
That may be true when referring to animal rights, BUT their owners, from whom you have collected full personal and financial information, do have rights. And that is the risk and responsibility of each practice to safeguard all the data contained in the practice records…
I remember the simplicity of the “Peg-Board” systems and a locked safe…
> None of our phone calls or emails have been answered by CTS. Herb continues to send out platitude-laden emails with no helpful content.
That’s the down-side to an MSP. Most of them operate off the over-subscription model. Whereas a larger company might pay $50k/year for a full-time IT person, an MSP will sell you their ‘vast resources’ of multiple IT people for way less than $50k/year. Most of the time those IT people can bounce back and forth between a bunch of clients that pay more than enough combined to cover their salary.
…but when something massive like this happens, every customer needs their over-subscribed IT person immediately, and the MSP model collapses. Hell, the MSP might be infected too and have no access to their customer data or their tools to even start helping you.
Best of luck to you Dr. Mark in digging out of this mess.
CTS BS’d you completely about disabling local firewalls, all they needed was their app, or IP and ports white listed. They lied to you to save time implementing their product.
Glad you have some of your own records backed up.
It wouldn’t have helped, the whitelisted app WAS the infection vector. A one-time-use code, client-side allow, or some form of alternate auth would have slowed it down. As the article said, this was convenience over security, and it bit them hard. Anyone want to wager the remote access utility was built with security settings but they were disabled as too time consuming?
Proper IT support may cost more than the $700 you’re spending for the amount of computers you have. Just because you believe you’re spending a lot of money does not make it true. Were you given higher quotes from competing MSPs and went with the lowest cost, or were you shopping for one based on the security they provide? I know that dental MSPs are usually about half the cost of a normal MSP. You get what you pay for, and some people just don’t want to pay what it costs to actually secure their networks.
> They consistently told us that they had to disable the firewalls on each computer in the office so that their system could work. They stated that they had “the best firewall in the industry in front of ” our server. For this, we were paying approx $700 a month.
“Disabling your firewall so our product will work” and “our product requires administrator access” means you don’t know how to code. Period. Good programming shops should never give their coders admin access so that their programs don’t require admin access.
Working in state and local government for three decades, I ran in to this time and again. We were usually able to suss out the permissions needed so that the software would work under a non-privileged account. And the firewall thing? You can trace out the specific ports the program needs, and the vendor should provide that particular information and how to adjust the firewall settings or their techs should do it for you when they install the product.
But blanket disabling of firewalls? No way. Time to find a properly written product.
> Time to find a properly written product
I challenge you to find one in the dental space. They don’t exist
Perhaps that means there’s a nice $100 bill lying on the ground that some enterprising, and competent, young coders can pick up.
Not true. I support many dental offices in Canada that use a few different practice management software programs. None of which require local admin access or Firewalls to be disabled.
Maybe your MSP just doesn’t care enough to find out how to manage your network correctly.
“But blanket disabling of firewalls? No way. Time to find a properly written product.”
How does one go about doing that? Even as an IT pro, many decisions to go with product “X” over product “Y” are made by the docs or other management. When I talk to vendors about the product(s), I rarely get anyone technical enough to know what a firewall or admin rights are. You would likely find out about this stuff during implementation but that also means you already made a commitment to the product you are implementing.
I have supported an EHR product since 2000 or so. There was a time when admin rights were required even on a Citrix server! We finally got to a point where admin rights are only required for taking a picture of a patient a certain way, but there is a workaround. They always blamed the Windows/TWAIN implementation for the problem, but the bottom line is that I never had the ability to tell the companies I worked for to tear out the system and go with a new one. This product does not work if you enable the Windows Firewall, BTW. The closest I ever got to getting that done is that “you are on your own and can try to do it if you want”. This is much better than “you have Windows Firewall enabled so you are unsupported”, but still, I have no Windows client firewalls.
Sounds like a really stupid twain implementation which scanned to effectively a system folder.
Here’s a different driver with a slightly worse implementation:
It does seem to be pretty epidemic.
I am concerned that other industries (like public utilities) have service providers that continue to deploy software that was designed for a threat environment from the 1980s.
CTS was compromised by a weak ConnectWise Control password and no 2FA enabled. To make matters worse, they used the same password for their backup platform (Acronis, which didn’t have 2FA at the time, does now). So the attacker encrypted all their clients’ devices at the same time that they deleted everyone’s backups. Another layer of making matters worse… They hadn’t uninstalled agents on former clients, so people that had fired them also got encrypted (though luckily had a decent backup).
Source: We’ve picked up many of their clients. Throwaway because not trying to make enemies – just want to put out a warning to make sure you and your staff don’t make similar mistakes.
I’m getting so tired of the stupidity of business ignorance of this kind of security, that I just don’t care anymore! Let them eat cake!!
Another RAT? Mice are easier to sneak in.
Good write-up. Excellent story, well done. Kudos to those dentists for improvements to their office management. Unlike being at their training colleges, their office has little IT support. Their first hint should have been XP. But their interest is dentistry and its improvements, not OS safety. Just as a plumber or a steelworker should be interested in their profession. I’m hoping that one of those dentists, or the provider company, thought of turning one of the affected systems over to an investigator, to backtrack the system. After all, interfering with commerce?
It appears some have, as the guy from Black Talon talks briefly about this.
I predict many more ransomware attacks. Right now, the fight is very lopsided. So many “IT service providers” are weaklings when up against the strength of professional ransomware fighters.
Whether using remote administration tools or cloud-based systems, I foresee many service providers, and their clients, getting beaten to a pulp…until there is a lot more hard work and training done to make it a fair fight.
Brian…are you aware of any suitable replacement for a home user who uses CYBEREASON RANSOMFREE? If I am not mistaken, you had previously mentioned the use of this product. However, the developers have discontinued the ‘free’ version.
Are the alternative versions embedded in Norton Internet Security for example sufficient to thwart these types of attacks discussed above? Thanks in advance..
I’m not a representative of this product or anything Brian may have pointed out in previous articles; but I have tested what is essentially a batch file that was put out on bleepingcomputer when ransomware 1st became a problem; the author called his company Foolish-IT and called it CryptoPrevent.
As far as I could tell the free version which was completely supported as long as it was for personal use, used MMC control policy settings and registry edits to block permissions for anyone to use encryption without being in a special Administrative Group.
I tested this extensively as ransomware evolved and it successfully blocked each and every attack in my tests. However, the free personal version is no longer supported – so one would have to buy it from the company that bought out Foolish-IT. The prices look very reasonable, but I have no idea of the reputation of the new company, even though Major Geeks still presents the old file online.
I keep my systems backed up and separate from any network, so I quit testing it because I didn’t want to spend the money. Besides, I have a lifetime license for Malwarebytes Anti-Malware that supposedly can thwart ransomware, but I don’t have the guts to actually test it for verification. I’ve been getting out of the old honey pot lab practices, and just watch from the sidelines now.
Our Screen Connect server was attacked on November 12th, so we moved on to another product. During the attack, we detected and blocked the following subnets:
compromised machines at all those places…
How was your ScreenConnect server attacked? Did they gain access? Did you have an up-to-date OS and ScreenConnect patched? My understanding is ScreenConnect is fine as long as it’s the latest, the OS is patched, and you have strong passwords and 2FA. Please shed some light.
Search online for shadow hard drive or ghosting hard drive tools/programs. If there is a way to interrupt the re-boot sequence of any affected machines, you may be able to run a shadow hard drive program and recover many of the documents up to 24 hours prior to the ransomware attack. I’m not sure how well it works for server infrastructure, but I have run it before on an individual computer at work that had been infected with ransomware and had all the files intact up to 24 hours prior to the corruption. Downloaded and saved them separately, then just junked the rest of the data as lost. At least it’s generally 99% of the data recovered.
Even in situations where the dental office has competent IT resources available to them and a willingness to spend what is necessary to secure their systems, dental offices can find themselves blocked in their efforts by the vendors of the software they use. Like much industry-specific software, the programs are terrible and will very typically have requirements like using old versions of IE or even Flash. A friend of mine runs an IT business and has some dentists and other medical offices as clients, and he shares with me some of the things he finds. When troubleshooting one bit of software that wasn’t working it was discovered that the software’s update process used HTTP to blindly pull an EXE which it then used. It didn’t even checksum the file or check if the transfer succeeded. It was presently broken because the transfer had failed, and it dutifully replaced the main executable with a zero-length file. But we took a poke at the link it was trying to pull from. It ended up being a world-wide-open directory on their webserver. Which contained full versions of all of their software, along with tons of internal files for the company with full customer lists, contracts, everything you could imagine. All available for download. Just one example of the gross negligence and ignorance that is bog standard when you’re dealing with industry-specific software vendors.
Dentist rode hoverboard while removing a patient’s tooth: prosecutors
Eye for an eye, tooth for a tooth, we’ve got to call Moses on this one. The mutilation, mayhem and malicious disfigurement committed by dentists on such a grand scale only serves to justify any means to end their vicious practices.
US needs a new federal law “It is a crime to pay a ransom / aka engaging in criminal activity / transferring funds to a criminal enterprise”, otherwise this will just keep happening…
U Remember 90? It was racketeering
Now same way but with high Tech
Payment method? How did they pay their ransom? By bitcoins?
if with bitcoins then bitcoin price will fall down soon.
coz criminals control bitcoin and bitcoin price
IT hardware, software, staff, and support are considered line item liabilities by all businesses. They are always the “lowest possible cost option”. Very few, if any, industries or companies consider IT important enough to do ANYTHING more than the minimum required for basic operation.
I’ve done work on my own dentist’s computer systems in the past, and he’s always insisted the entire system have no access to the internet at all. This is why, because of crap like ransomware, and the risk of hackers obtaining personal client information.
Rather than paying ridiculous fees for IT security services, I recommend other dentists do the same and ditch web based systems altogether. There is plenty of software out there that can do your bookkeeping for clients without any internet service required.
We need the NSA to find these hackers and Seal Team 6 to make a house call …