Ransomware Bites Dental Data Backup Firm

Aug 19

Ransomware Bites Dental Data Backup Firm

PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.

West Allis, Wis.-based PerCSoft is a cloud management provider for Digital Dental Record (DDR), which operates an online data backup service called DDS Safe that archives medical records, charts, insurance documents and other personal information for various dental offices across the United States.

The ransomware attack hit PerCSoft on the morning of Monday, Aug. 26, and encrypted dental records for some — but not all — of the practices that rely on DDS Safe.

PercSoft did not respond to requests for comment. But Brenna Sadler, director of  communications for the Wisconsin Dental Association, said the ransomware encrypted files for approximate 400 dental practices, and that somewhere between 80-100 of those clients have now had their files restored.

Sadler said she did not know whether PerCSoft and/or DDR had paid the ransom demand, what ransomware strain was involved, or how much the attackers had demanded.

But updates to PerCSoft’s Facebook page and statements published by both PerCSoft and DDR suggest someone may have paid up: The statements note that both companies worked with a third party software company and were able to obtain a decryptor to help clients regain access to files that were locked by the ransomware.

Update: Several sources are now reporting that PerCSoft did pay the ransom, although it is not clear how much was paid. One member of a private Facebook group dedicated to IT professionals serving the dental industry shared the following screenshot, which is purportedly from a conversation between PerCSoft and an affected dental office, indicating the cloud provider was planning to pay the ransom:

Another image shared by members of that Facebook group indicate the ransomware strain that attacked PerCSoft is an extremely advanced and fairly recent strain known variously as REvil and Sodinokibi.

Original story:

However, some affected dental offices have reported that the decryptor did not work to unlock at least some of the files encrypted by the ransomware. Meanwhile, several affected dentistry practices said they feared they might be unable to process payroll payments this week as a result of the attack.

Cloud data and backup services are a prime target of cybercriminals who deploy ransomware. In July, attackers hit QuickBooks cloud hosting firm iNSYNQ, holding data hostage for many of the company’s clients. In February, cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files. In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual.

It remains unclear whether PerCSoft or DDR — or perhaps their insurance provider — paid the ransom demand in this attack. But new reporting from independent news outlet ProPublica this week sheds light on another possible explanation why so many victims are simply coughing up the money: Their insurance providers will cover the cost — minus a deductible that is usually far less than the total ransom demanded by the attackers.

More to the point, ProPublica found, such attacks may be great for business if you’re in the insurance industry.

“More often than not, paying the ransom is a lot cheaper for insurers than the loss of revenue they have to cover otherwise,” said Minhee Cho, public relations director of ProPublica, in an email to KrebsOnSecurity. “But, by rewarding hackers, these companies have created a perverted cycle that encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.”

“In fact, it seems hackers are specifically extorting American companies that they know have cyber insurance,” Cho continued. “After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware.”

Read the full ProPublica piece here. And if you haven’t already done so, check out this outstanding related reporting by ProPublica from earlier this year on how security firms that help companies respond to ransomware attacks also may be enabling and emboldening attackers.

Tags: Brenna Sadler, DDS Safe, Digital Dental Record, PerCSoft, ProPublica, Wisconsin Dental Association

You can skip to the end and leave a comment. Pinging is currently not allowed.

Why organizations need intelligent EDR

To understand the need for Endpoint Detection and Response (EDR), let’s begin by discussing the cybersecurity environment.

To give a sense of scale, our own cybersecurity experts in SophosLabs process 500,000 never-seen-before malware samples each day. In 2018, the National Institute of Standards and Technology (NIST) reported that 16,451 software vulnerabilities were discovered. The challenge for defenders keeps growing, leading to a desire for better visibility and detection capabilities.

Organizations are having to deal with multiple threats trying to enter their environments on a daily basis. Naturally, many of these threats are stopped outright with strong cybersecurity defenses. But those which are evasive, uncommon, or unclear can slip through, which is where EDR comes into play. EDR was borne out of a need to supplement existing endpoint protection tools.

To make this easier to understand, let’s use a visual example:

1. Benign

These are non-malicious programs that are part of daily life in the vast majority of organizations, such as Microsoft Word, Outlook or Google Chrome. We don’t want to interfere with them, as this would cause disruption to the wider business.

2. Gray area or ‘the gap’

This area concerns items which aren’t obviously good or bad, so we don’t know whether they are fine to leave or should be blocked without performing further, manual investigation.

EDR was developed to investigate the gap. Are these items actually malicious, requiring action such as isolating affected devices or performing cleanup? Are they Potentially Unwanted Applications (PUAs)? Or something benign that can be ignored?

As threats evolve, many are becoming stealthier, using specific methods to fool antivirus solutions. EDR gives organizations the tools to hunt for suspicious Indicators of Compromise (IOC) and pick up on these hidden threats.

3. Malicious

Malicious files should be stopped outright by strong endpoint and server defenses. These are convicted as malicious and don’t require human interaction. Unfortunately, some traditional EDR tools fail here, letting through malware that should have been caught. This is because their strengths lie with post-event detection rather than pre-emptive protection.

What to look for in an EDR solution

EDR tools can vary wildly in terms of ease of use and granularity of analysis. The key questions to ask when evaluating an EDR solution are:

  • Does it require additional resources, or can you get value from it with your current team?
  • Does it help you prioritize your time by showing you the most suspicious items?
  • Can you see how a potential threat came in and what it interacted with?
  • Do you get intelligence on the suspicious item, such as from machine learning or cybersecurity specialists?
  • Is it easy to take action when you have made a decision? For example, blocking a threat or isolating a device?

Read the Top 5 Reasons You Need EDR whitepaper to get more detail on EDR and why it has become a necessity for most organizations. Then take a look at Sophos Intercept X with EDR that combines industry leading protection with powerful, straightforward to use EDR capabilities.

AI Emotion-Detection Arms Race

AI Emotion-Detection Arms Race

Voice systems are increasingly using AI techniques to determine emotion. A new paper describes an AI-based countermeasure to mask emotion in spoken words.

Their method for masking emotion involves collecting speech, analyzing it, and extracting emotional features from the raw signal. Next, an AI program trains on this signal and replaces the emotional indicators in speech, flattening them. Finally, a voice synthesizer re-generates the normalized speech using the AIs outputs, which gets sent to the cloud. The researchers say that this method reduced emotional identification by 96 percent in an experiment, although speech recognition accuracy decreased, with a word error rate of 35 percent.

Academic paper.

Posted on August 29, 2019 at 6:17 AM