Ransomware hits hundreds of dentist offices in the US

Ransomware group gains access to dental software backend, deploys ransomware on customers' systems.
Written by Catalin Cimpanu, Contributor

Hundreds of dental practice offices in the US have had their computers infected with ransomware this week, ZDNet has learned from a source.

The incident is another case of a ransomware gang compromising a software provider and using its product to deploy ransomware on customers' systems.

In this case, the software providers are The Digital Dental Record and PerCSoft, two Wisconsin-based companies that collaborated on DDS Safe, a medical records retention and backup solution advertised to dental practice offices in the US.

Company paid ransom demand

Over the last weekend, a hacker group breached the infrastructure behind this software, and used it to deploy the REvil (Sodinokibi) ransomware on computers at hundreds of dentist offices across the US.

The security breach came to light on Monday, when dentists returned to work, only to find out they couldn't access any patient information.

A source impacted by the ransomware tells ZDNet that the two companies opted to pay the ransom demand. The Digital Dental Record and PerCSoft have been sharing a decrypter with impacted dental offices since Monday, helping companies recover encrypted files.


The recovery process has been slow, as most ransomware recovery operations tend to be, with some dental offices claiming on a Facebook group that the decrypter either didn't work, or didn't recover all their data.

The Digital Dental Record and PerCSoft did not return phone calls or emails seeking additional information prior to this article's publication.

Has happened twice before

This incident is the third time a hacker group has compromised a managed service provider (MSP) and used its infrastructure to deploy the REvil (Sodinokibi) ransomware.

The first one happened in June, when a group breached several yet-to-be-identified MSPs and used the Webroot SecureAnywhere console to infect customer PCs with REvil (Sodinokibi).

The second incident happened the weekend before the attack on DDS Safe. Hackers breached another MSP company and used its infrastructure to deploy ransomware on the IT network of 22 Texas counties (initially reported as 23).

In a report published today, Fidelis Security ranked REvil (Sodinokibi) as one of the most active and widespread ransomware strains this year, with a market share of 12.5%, fourth behind Ryuk, Phobos, and Dharma.

Ironically, The Digital Dental Record advertises DDS Safe on its website as a way to safeguard files from ransomware attacks.
