The American Dental Association (ADA) was hit by a weekend cyberattack that forced it to shut down portions of its network while the incident was investigated. The ADA is a dentist and oral hygiene advocacy association that provides training, workshops, and courses to its 175,000 members. The ADA says that preliminary investigations do not indicate that member information or other data has been compromised. However, the description of the attack sounds like ransomware, and almost every initial press statement after a ransomware incident says the same thing, only for the threat actors to publish the stolen data later. Soon after this story was published, security researcher MalwareHunterTeam told BleepingComputer that the threat actors had begun leaking data allegedly stolen in the attack on the ADA. The data leak site claims to have published approximately 2.8 GB of data, which the threat actors state is 30% of what was stolen in the attack. Screenshots shared on the leak page show W2 forms, NDAs, accounting spreadsheets, and information on ADA members. The leaking of dentists’ information can be particularly damaging, because small dental practices typically do not have dedicated security staff or network admins.
Ransomware threat actors typically exfiltrate data from victim companies before encrypting anything, so that they have further leverage to extort the victim even if it is able to restore from backups. It is therefore important not only to keep multiple backups, including offline backups, and a practiced incident response plan, but to prevent ransomware incidents from happening in the first place. The initial compromise is most often achieved through malicious Office documents or script files attached to phishing emails, so train employees to spot and report suspicious emails, and enable Office macros only when there is a clear business need; better still, block macros in documents that arrived from the internet centrally through Office policy rather than leaving that decision to each user. Use MFA for all forms of remote access, such as VPNs and RDP, because brute-forcing these credentials is another common means of gaining initial access, and do not expose RDP directly to the internet at all. Have good endpoint monitoring with an EDR solution and either an internal 24/7 Security Operations Center (SOC) or a service like Binary Defense to triage the alerts.
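The two initial-access paths named above, a macro-bearing Office attachment and a brute-forced remote logon, are also the two detections a SOC would want running from day one. The following is an added example written for this post, not code from the ADA, Binary Defense, or any EDR vendor. It runs two simple rules over constructed sample telemetry: an Office application spawning a shell or script host (the footprint of a malicious macro), and a burst of failed remote logons from one source address (Windows Security event 4625, logon type 10 for RDP or 3 for network logons such as VPN portals), which it labels as brute force or password spray depending on how many accounts were targeted. The event field names, the sample events, the IP addresses, and the 5-attempts-in-5-minutes threshold are all assumptions for the example, not a specific product's schema or a tuned production threshold.

```python
"""Two starter detections for ransomware initial access, run over
constructed sample telemetry. Event field names (host, parent_image,
image, cmdline, event_id, logon_type, src_ip, account, time) are
assumptions, not the schema of any particular EDR or SIEM."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Office applications that should never be the parent of a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes commonly launched by malicious macros.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def office_child_process_alerts(process_events):
    """Flag an Office application spawning a shell or script host."""
    alerts = []
    for ev in process_events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append({"host": ev["host"], "parent": parent,
                           "child": child, "cmdline": ev["cmdline"]})
    return alerts


def remote_logon_bruteforce_alerts(logon_events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP with at least `threshold` failed remote logons
    (event 4625, logon type 3 or 10) inside a sliding time window.
    One alert per source IP; the pattern field separates brute force
    (one account hammered) from password spray (many accounts, few tries)."""
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, account)
    alerted, alerts = set(), []
    for ev in sorted(logon_events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in (3, 10):
            continue
        q = recent[ev["src_ip"]]
        q.append((ev["time"], ev["account"]))
        while q and ev["time"] - q[0][0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            accounts = {acct for _, acct in q}
            alerts.append({"src_ip": ev["src_ip"], "attempts": len(q),
                           "accounts": len(accounts),
                           "pattern": "password spray" if len(accounts) > 1 else "brute force"})
    return alerts


# ---- constructed sample telemetry (not real data from any incident) ----
T0 = datetime(2022, 4, 23, 2, 0, 0)   # arbitrary timestamp for the samples
SAMPLE_PROCESS_EVENTS = [
    # Word launching cmd.exe that starts a hidden PowerShell: macro-style behaviour
    {"host": "WS01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min powershell.exe -w hidden -nop"},
    # A user opening a terminal from Explorer: benign
    {"host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    # Excel spawning the print spooler helper: benign, not in the child list
    {"host": "WS02", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
]
SAMPLE_LOGON_EVENTS = (
    # 8 failed RDP logons against one account from one IP in under two minutes
    [{"event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "account": "administrator",
      "time": T0 + timedelta(seconds=15 * i)} for i in range(8)]
    # 6 failed network logons, a different account each time, from another IP
    + [{"event_id": 4625, "logon_type": 3, "src_ip": "198.51.100.9", "account": f"user{i}",
        "time": T0 + timedelta(seconds=40 * i)} for i in range(6)]
    # 3 typos from an internal user, then a success: below threshold
    + [{"event_id": 4625, "logon_type": 10, "src_ip": "10.0.0.5", "account": "jsmith",
        "time": T0 + timedelta(minutes=i)} for i in range(3)]
    + [{"event_id": 4624, "logon_type": 10, "src_ip": "10.0.0.5", "account": "jsmith",
        "time": T0 + timedelta(minutes=4)}]
)


def run_detections(process_events=SAMPLE_PROCESS_EVENTS, logon_events=SAMPLE_LOGON_EVENTS):
    """Run both rules and return their alerts keyed by rule name."""
    return {"office_macro": office_child_process_alerts(process_events),
            "remote_logon": remote_logon_bruteforce_alerts(logon_events)}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        for hit in hits:
            print(rule, hit)
```

On the sample data the first rule fires once (Word spawning cmd.exe on WS01) and the second fires twice, labelling 203.0.113.7 as brute force and 198.51.100.9 as password spray, while the three mistyped passwords from 10.0.0.5 stay below threshold. In production the thresholds need tuning against baseline noise, and the logon rule is only meaningful if RDP and VPN authentication events actually reach the SIEM; with MFA enforced, the same failed-logon burst is far less dangerous but still worth an alert, because it tells you which credentials the attacker already holds.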