Ransomware Version 2.0…A Real Game Changer

Kelsey Creehan | Featured News

By Gary Salman
From the Spring/Summer 2020 Journal of the Colorado Dental Association

During the last several months, there has been a significant paradigm shift in the cybersecurity world. Threat actors from Russia, in particular, have enhanced their capabilities to target individual businesses and Managed Service Providers (MSPs) or IT companies. In December 2019, hacking groups known as Sodinokibi (aka “The Evil Corp”) and Ryuk were impacting thousands of dental practices across the U.S. in a multitude of ways.

In 2018, the FBI and Department of Homeland Security warned MSPs that certain threat actors were planning large-scale attacks against them. In August 2019, we saw the largest distributed ransomware attack encrypt and hold hostage the data of approximately 450 dental practices, impacting thousands of computers and servers. During Thanksgiving week in 2019, threat actors hit 100 dental offices and then on Dec. 24, approximately 1,300 healthcare providers and financial institutions were victims. The ransomware encrypted almost every computer, server, external backup, cloud backup, etc., resulting in the inability to access any records, notes, appointments, x-rays or 3D images. Think about this for a minute. The second largest attack in our nation’s history was against our dental community; not the banks, large corporations, or hospitals. It was against the average dental practice.

How does something like this happen? It is simple. The threat actors gain access to the remote management tools that the IT company uses to access a practice’s computers and servers. They load their malicious code into the tool and instruct it to download and install the ransomware onto every computer. Within minutes, they can strike tens of thousands of computers. These attacks typically occur during the early morning hours, so the first indicators of the attack are the employees’ inability to log in and access any information on the computers. The result is literally every single file and database encrypted with ransomware.
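The pattern described above, a remote management tool pushing code to nearly every computer within minutes during the early morning, is something an MSP or practice can look for in the tool's audit log. The following Python is an added example, not part of the original article; the record layout, action names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical action names; map these to whatever your RMM audit export uses.
DEPLOY_ACTIONS = {"run_script", "install_package"}

def flag_mass_pushes(events, fleet_size, window=timedelta(minutes=10),
                     max_fraction=0.5, business_hours=(7, 19)):
    """Return alerts for operators whose deployment actions reach a large
    share of the fleet inside one short window outside business hours."""
    by_operator = defaultdict(list)
    for ts, operator, action, endpoint in events:
        if action in DEPLOY_ACTIONS:
            by_operator[operator].append((datetime.fromisoformat(ts), endpoint))

    alerts = []
    for operator, rows in by_operator.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            endpoints = {ep for _, ep in rows[start:end + 1]}
            hour = rows[end][0].hour
            off_hours = not (business_hours[0] <= hour < business_hours[1])
            if off_hours and len(endpoints) / fleet_size >= max_fraction:
                alerts.append({"operator": operator,
                               "first_seen": rows[start][0].isoformat(),
                               "endpoints": len(endpoints)})
                break  # one alert per operator is enough to page someone
    return alerts

# Constructed sample: (timestamp, operator, action, endpoint) for a 6-machine office.
SAMPLE = [
    ("2024-01-08T14:05:00", "tech-anna", "install_package", "front-desk-1"),
    ("2024-01-08T14:40:00", "tech-anna", "install_package", "front-desk-2"),
    ("2024-01-08T22:10:00", "tech-anna", "remote_session", "server-1"),
    ("2024-01-09T03:12:00", "svc-rmm", "run_script", "server-1"),
    ("2024-01-09T03:13:00", "svc-rmm", "run_script", "operatory-1"),
    ("2024-01-09T03:14:00", "svc-rmm", "run_script", "operatory-2"),
    ("2024-01-09T03:15:00", "svc-rmm", "run_script", "front-desk-1"),
    ("2024-01-09T03:16:00", "svc-rmm", "run_script", "front-desk-2"),
]

if __name__ == "__main__":
    print(flag_mass_pushes(SAMPLE, fleet_size=6))
```

The alert fires as soon as the threshold is crossed, so the endpoint count it reports is the count at detection time, not the final reach of the push.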

Top 10 Things Learned from a Cyberattack
(submitted by a CDA member dentist)

  1. Have an emergency plan written out and know who you are going to call if ransomware attacks your office.
  2. Hire a cybersecurity company to audit your IT company. It’s all about checks and balances.
  3. Obtain cyber breach insurance.
  4. Have a physical back-up of your data as well as the cloud and make sure that back-up works.
  5. Maintain a clean desktop policy. Do not save any patient data to the desktop and delete and empty the computer trash bin daily.
  6. Don’t accept CDs or thumb drives from anyone. Have a separate computer or a non-networked way to access them when they are brought to your office.
  7. Train your team. They are your first and last line of defense.
  8. Don’t think this won’t happen to you.
  9. Know all your passwords and your software license information. 
  10. Understand that it is YOUR patient data and ultimately it is YOUR responsibility to keep that data safe. 

Based on some of the most recent attacks, most practices experienced a two-to-four-week outage.  In every case that we were involved with, the practice experienced 100% encryption on every device and backup. Due to the pervasiveness of the ransomware attacks, there was no recovery option except to pay the threat actors the ransom payment. Most practices had to pay, on average, $45,000 to the threat actors for a decryption tool. Add on top of that, the business interruption, inability to collect A/R, take x-rays, file insurance claims, schedule patients, and the complete rebuild or purchase of every computer and server.  The price tag for these types of attacks easily exceeds $100,000 for a small practice and significantly higher for multi-office, multi-provider practices. Being unable to access their systems for two-to-four weeks was a nightmare. As one dentist described, “It was like driving into my office parking lot only to find the foundation of my office left. Everything else was gone.”

Unfortunately, hackers are getting more malicious in their ransomware attacks. In December 2019, the threat groups Sodinokibi, Ryuk and Maze all announced that they were getting into the data theft and extortion business. As a means to ensure a ransom payment from the victim, these groups modified their malicious code to first steal (exfiltrate) all the data and then encrypt it. If their victim refuses to pay the ransom, the threat actors may release the data to a public website. In December 2019, this is exactly what happened in Pensacola, FL. The city refused to pay the ransom and the threat actors published two terabytes of data.  Even if your practice has valid backups and can recover from the attack, the data may still be released to the public if you fail to pay the ransom demand. Imagine your patient records, health history forms, lab reports, medications, etc. showing up on the internet. This would be a total PR and HIPAA nightmare for your practice and result in your practice’s reputation suffering greatly, not to mention the loss of trust from your patients and referrals.

What can you do to protect yourself, your practice and your patients? First, ask your MSP to provide you with documentation that their network is being independently audited and evaluated by a cybersecurity company to help prevent these types of attacks. Second, and now more than ever, dentists need to take a proactive approach to security. Keep in mind that nearly all your colleagues who were impacted by these attacks had an MSP, firewall, anti-virus software and the “promise” that they were being protected. They all lacked the expertise and advice of a dedicated cybersecurity company. The risk is just too great not to enhance the security posture of your practice, before you are the next victim. It’s not if it’s going to happen to you…but when.


Gary Salman is the CEO and co-founder of Black Talon Security, a company dedicated to data security and understanding the latest trends in the industry, particularly as they relate to the healthcare field. He has over 15 years as an instructor at West Point and he is also involved in law enforcement. Contact him at 800-683-3797 or gary@blacktalonsecurity.com.