Cybersecurity, Backup Services and Ransomware
PerCSoft is a Wisconsin business that provides online data backup services for dental offices, storing the clients' data in the cloud. They had hundreds of dental offices as clients. The focus was to secure patient medical records and other data against attacks, including ransomware.
The irony of this pwnage has not fallen on deaf ears. In this industry it is not often that the irony has this much depth. The firm's function was to secure backups for its clients so that, when a client's data was lost to a natural disaster or a successful ransomware attack, the client could recover. In their marketing materials, safety from ransomware is emblazoned. The organization whose function was to secure data from ransomware had its own files encrypted with ransomware, making them inaccessible.
PerCSoft, the online data backup service, was successfully attacked with ransomware. This attack encrypted files for approximately 400 US dental offices. It appears the tool used was Sodinokibi, a ransomware variant also known as Sodin or REvil. Sodinokibi had earlier been distributed by exploiting CVE-2019-2725, a critical deserialization remote code execution vulnerability in Oracle WebLogic Server with a severity score of 9.8/10. The ransomware is designed to encrypt files and delete the shadow copy backups. This prevents the victim from recovering the data from other sources and puts the victim in a very difficult situation.
The ransomware was detected on August 26. This was, relatively, a very successful attack, and apparently profitable for the attackers, as they were paid. There were over 400 dental practices affected. To appreciate the full extent of just this aspect, imagine the number of patients seen every day, multiplied by two weeks, and then multiply this by 400, to be conservative. This attack did not merely affect a few offices, but also all the people that work there and the patients. The practices were not able to access patient history, charts, schedules, x-rays, or patient balances. I can only imagine how difficult this was to work through for the affected staff members and patients.
PerCSoft ended up paying the attackers. While not published, this course may have been required because their primary files and all of their backups were encrypted or deleted, leaving them no choice. It was not reported who was paid or how much. As of 8/29/2019, 80-100 of the 400 dental office files had not been decrypted. In these instances the decryption key did not work, which is an issue in itself. The restoration of the other offices was a bit slow. On a positive note, the organization did communicate on a regular basis with its clients and interested parties, among other means through its Facebook postings.
Perhaps PerCSoft should have followed a few of the basic industry standards and processes to reduce the potential for an epic fail. The practices include:
· Backing up your data. This can be done on- or off-site. Dedup is an option, dependent on the circumstances and budget.
· System inventory. Over time, we tend to become complacent with the network. Periodically we should take an inventory of the assets on the network. This reduces the opportunity for missed patches and also detects any unknown or shadow assets using your equipment and network.
· Conduct cybersecurity training throughout the year and make it relevant. The once-a-year mandatory cybersecurity training done to check the box simply does not work. This needs to be done through the year with relevant, current training. Granted, your task is not to entertain the staff during these sessions; however, you still need to attract and retain their attention. This will assist them in internalizing the message and applying it, at some level, to their work when the need presents itself. The alternative is to play the same VHS tape from the 1990s and have your staff in an infinite loop of mass password resets, patching vulnerabilities, scanning for issues, and headaches.
· Patch cycle. While this may not directly impact the ransomware attack, it is still prudent and an industry-standard to address this with regularity, in addition to the critical and time-sensitive patches requiring immediate attention.
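The backup point above is only useful if the backup copy is provably intact and kept where an encryptor cannot reach it. The following is an added example, not code from the original article or from PerCSoft: it hashes a source tree into a manifest, verifies a backup copy against that manifest, and reports files that were altered or removed, which is exactly what an encrypt-and-delete-shadow-copies attack leaves behind. The sample "patient record" files and directory names are constructed for the demonstration; in practice the manifest would be stored offline, separately from the backup it describes.

```python
"""Backup integrity check: hash a source tree into a manifest, then verify a
backup copy against it. Files whose content changed or vanished (as they
would after a ransomware encryption or shadow-copy deletion) are reported."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against a previously recorded manifest.

    Returns {"ok": [...], "modified": [...], "missing": [...]} so a scheduled
    job can alert on anything other than an empty 'modified' and 'missing'.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            result["missing"].append(rel)
        elif sha256_file(candidate) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario (hypothetical data, not PerCSoft's): take a good
    backup, then overwrite one file as an encryptor would and delete another.
    Returns the verification result for the damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        src.mkdir()
        (src / "chart-001.txt").write_text("patient chart 001\n")
        (src / "xray-001.bin").write_bytes(bytes(range(256)))
        (src / "schedule.csv").write_text("date,patient\n2019-08-26,A\n")

        manifest = build_manifest(src)
        # Persist the manifest as JSON; an offline copy of this is what you
        # would verify against after an incident.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Make the backup copy and confirm it verifies clean.
        backup = Path(tmp) / "backup"
        backup.mkdir()
        for rel in manifest:
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes((src / rel).read_bytes())
        clean = verify_backup(json.loads(manifest_path.read_text()), backup)
        if clean["modified"] or clean["missing"]:
            raise RuntimeError("fresh backup failed verification")

        # Simulate the attack: one file overwritten with ciphertext-like
        # random bytes, one file deleted outright.
        (backup / "chart-001.txt").write_bytes(os.urandom(64))
        (backup / "schedule.csv").unlink()
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the damaged file list; the useful part for a backup operator is wiring `verify_backup` into a scheduled job that reads the manifest from a location the backup host cannot write to, so that an encryptor running on that host cannot also rewrite the record it is checked against.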
PerCSoft paid the ransom, as noted previously. This may have been their only option given the circumstances: the organization may not have had backups of its clients' data. Having to pay a ransomware fee in order to operate is bad enough. This should, however, prompt you in a researcher role to ask why a backup provider had to pay the attackers just to operate. There are generally so many issues with this avenue that it is hardly recommended.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.