Over 400 U.S. Dental Practices Impacted by REvil/Sodinokibi Ransomware Attack

Because a medical record backup service was attacked by ransomware, hundreds of dental practices across the U.S. could not access their patients’ files.

The REvil/Sodinokibi ransomware attack on August 26, 2019 impacted the DDS Safe backup solution provided by Digital Dental Record (DDS), a software firm based in Wisconsin. Access to the DDS system was gained through an attack on PerCSoft, its cloud service provider based in West Allis, WI. The incident contradicts DDS's claim that DDS Safe protects dental practices against ransomware attacks. The attack did not impact all dental practices, only 400 to 500 of the 900 dental practices using the DDS Safe backup solution.

PerCSoft, with the help of a third-party software firm, obtained a decryptor and is working on recovering the encrypted files. According to a report from DDS, recovering a client's files takes 30 minutes to 4 hours.

A number of dental practices said that the attack caused some files to be lost, and others said that the decryption process failed. Because the attack happened close to the end of the month, some dental practices have said they may be unable to process payroll. At this time, about 100 dental practices have already recovered their patient records.

It is very likely that the ransom was paid, given that no free decryptor for REvil ransomware is available from the NoMoreRansom project. That information has not been confirmed publicly, though Brian Krebs of Krebs on Security reported that several sources say PerCSoft paid the ransom to obtain the decryptor.

There is no report of the ransom amount, but a Reddit user remarked that PerCSoft or its insurance provider paid $5,000 per client for the decryptor. The total ransom demand could therefore have been as much as $2.5 million, which is the amount demanded in the Sodinokibi ransomware attack in Texas at the beginning of this month.

Both attacks affected a number of entities by targeting a software system provider or managed service provider (MSP). This appears to be the tactic of the threat actors responsible for the attack. There was also an attack in June on MSP Webroot SecureAnywhere, which allowed REvil/Sodinokibi ransomware to impact its clients' systems.

The threat actors responsible for REvil ransomware operate a ransomware-as-a-service campaign, using a restricted number of affiliates to distribute the ransomware in the hope of staying under the radar.

The threat actors are trying to recruit affiliates on hacking forums. Five recruits were guaranteed earnings of $50,000, and other affiliates were assured of earning at least $10,000. The threat actors offer affiliates 60% of the ransom payments they generate.

The code for REvil ransomware is considerably different from other ransomware variants, but Tesorion researchers noticed code similarities with the recently retired GandCrab ransomware. It is possible that some of the people involved in GandCrab are involved in or responsible for REvil ransomware.

Whoever the threat actors are, they are unlikely to abandon such a profitable campaign any time soon. As long as businesses and their insurers continue to pay ransom demands, the attacks will persist.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone