The attackers managed to breach the DDS Safe backup platform used by a multitude of dental practices across the US
Sodinokibi ransomware hit multiple dental practice offices over the weekend, and many dentists found their computer data locked when they turned up to work on Monday. Around 400 dental practices were affected by the attack, all of which used the DDS Safe remote management software, an online backup platform used for the retention of medical records, insurance documents and other personal data of the customers.
The hacker gang managed to breach the popular software and deploy ransomware on the clients' systems, disrupting the work of hundreds of dental offices. DDS Safe, a backup service developed by PerCSoft and Digital Dental Record, is one of several platforms that Sodinokibi has recently used to infect various major sectors in the US. As was later stated, the breach occurred because the platform's cloud management provider was compromised.
DDS and PerCSoft immediately took action to contain the infection and started actively communicating with the infected customers. Additionally, the company contacted the appropriate forensic investigation teams along with law enforcement, including the FBI, to help with the investigation:
The safety and security of the technology solutions we provide our clients is always our top priority. In conjunction with law enforcement, we are actively investigating the incident and will provide more information when we are able.
PerCSoft paid the ransom to the cybercriminals in order to start the restoration process for the victims
PerCSoft, the provider of a platform that is supposedly meant to protect clients from exactly this kind of ransomware attack, ended up being the reason those clients were infected in the first place. The situation is unpleasant for both parties, and PerCSoft understands that it needs to fix it as soon as possible.
Since a free decryption tool for Sodinokibi ransomware (also known as REvil) does not exist, there is no way to decrypt the files other than paying the ransom to the malicious actors behind the malware. Although there was no indication of the ransom actually being paid in PerCSoft's statements or Facebook posts, the company claimed to be actively working on retrieving the data of the affected customers:
PerCSoft assures us it is working to restore files as quickly and completely as possible, but restoration is a slow and methodical process that could take several days to complete.
However, screenshots of conversations between victims and the responsible parties began circulating on Facebook. One client expressed regret at having subscribed to the platform, which ended up disrupting their business and costing them a great deal of money. A PerCSoft representative then replied that the company had paid the ransom so that decryption could be carried out for those affected.
Since Monday, PerCSoft has been actively working on restoring clients' data and getting them back on track, although the process still appears to be ongoing.
The insurance scheme might explain the massive ransom payment rate
Because the number of affected practices is so high, the decryption process had still not finished as of Friday. It is not yet known how many practices are still out of work, but, according to victims' reports on Facebook, the decryption tool either did not work at all or failed to recover all of the affected data.
According to the independent news publisher ProPublica, the reason so many organizations and government institutions in the US agree to pay the ransom is insurance policies, which cover the costs. Paying the ransom therefore ends up being much cheaper than dealing with the aftermath of a ransomware attack.
Unfortunately, this type of scheme encourages ransomware developers to infect more and more companies in the US, as those companies are more likely to agree to pay. Just recently, Sodinokibi attacked 22 local governments in Texas, and in June the hackers breached the Webroot SecureAnywhere console to infect thousands of its users with ransomware and lock their files.