Cyber Incident Victim: PerCSoft
Date: Aug 2019
Location: United States of America
Summary
A ransomware attack impacted hundreds of dental practices across the US after threat actors compromised the infrastructure of software providers PerCSoft and The Digital Dental Record, who jointly offered a medical records backup solution. The attackers deployed REvil (Sodinokibi) ransomware via the providers' systems, encrypting patient data and disrupting operations when offices returned to work. The companies paid the ransom and distributed a decrypter, though recovery proved slow and incomplete for some victims. This marked the third instance of REvil actors targeting managed service providers to propagate ransomware, with the strain ranking among the most active that year. Ironically, the compromised software had been marketed as a safeguard against such attacks.
Description
The ransomware incident impacting hundreds of U.S. dental practices unfolded over the weekend preceding August 26, 2019, when threat actors compromised the infrastructure of Wisconsin-based software providers The Digital Dental Record and PerCSoft. These companies jointly developed DDS Safe, a backup and medical records retention solution marketed to dental offices. Attackers exploited this access to deploy REvil (Sodinokibi) ransomware through the software platform, encrypting files on customer systems. Dental offices discovered the compromise on Monday, August 26, when returning staff found critical patient records inaccessible. The attack disrupted operations across numerous practices, preventing routine access to medical histories, appointment schedules, and treatment documentation essential for clinical operations.

The software providers opted to pay the ransom demand and subsequently distributed a decryption tool to affected customers beginning August 26. Recovery efforts progressed slowly due to technical complexities inherent in ransomware decryption processes, with some dental offices reporting via social media that the tool failed to restore all encrypted data or malfunctioned entirely. This incident marked the third confirmed case that year of REvil ransomware being deployed through compromised managed service provider infrastructure, following June 2019 attacks via Webroot SecureAnywhere consoles and a separate breach impacting 22 Texas counties immediately preceding the DDS Safe incident. Security firm Fidelis Cybersecurity ranked REvil as the fourth most prevalent ransomware strain during this period, accounting for 12.5% of observed incidents. The breach occurred despite DDS Safe’s advertised purpose of protecting dental practices from ransomware threats.
