Complete Technology Solutions (CTS) is a managed service provider located in Colorado. It provides services to over 100 dental practices. On November 25, 2019, CTS suffered an MSP ransomware attack. The cyberattackers issued a ransomware demand of $700,000 to provide decryption keys. CTS decided not to pay the ransom.
The details of this latest MSP ransomware attack are discussed below.
How did this MSP Ransomware Attack Occur?
This MSP ransomware attack occurred in the course of CTS’ servicing its remote customers. To provide IT services for its dental practice customers, CTS logs on to their computer systems using a remote access tool. According to a KrebsOnSecurity report, the tool appears to have been exploited by cyberattackers. The cyberattackers used the tool to access all CTS client systems, allowing for the deployment of Sodinokibi ransomware.
A number of the affected practices were able to recover data from backup data that was securely stored offsite. However, many of the affected dental practices remain without access to systems or data. These practices have been forced to turn patients away because of ongoing system outages stemming from the attack.
While CTS has refused to pay the ransom, some of the dental practices are attempting to negotiate with the attackers to obtain the keys needed to unlock their own data. However, even those practices that paid a ransom have recovered only a portion of their encrypted data. As a result, these covered entities have had to pay additional money for additional keys to unlock the encrypted files. One particular dental practice, which had 50 encrypted devices, received over 20 ransom notes. As a result, the practice had to make multiple payments to recover patient records.
This attack is part of a trend. Ransomware attacks on MSPs are on the rise generally. One reason is how lucrative such attacks can be: a single attack on an MSP allows the cyberattackers to attack dozens, potentially hundreds, of companies – each of which they can “hold ransom” and exact ransomware payments from.
The attack on CTS makes clear the need not only to back up critical data, but also to keep one copy of that backup stored securely offsite. Secure storage consists of storing the data on a device that is networked, and that cannot be accessed over the Internet.