Cybersecurity threats loom over the whole healthcare industry, but dental support organizations (DSOs), which hold large volumes of sensitive patient data spread across many locations, are particularly exposed. Ransomware attacks, in which criminals encrypt files and demand payment for the decryption key, have surged in recent years and cost victims billions globally. In this article we dissect the anatomy of a recent ransomware attack against a 60-location DSO.
We’ll walk through how the attackers exploited an unpatched, internet-exposed service, installed a screen-sharing application to control systems and pull data out of the cloud, and spread across the network. We cover infiltration, execution, and the aftermath, and what each stage says about the defenses that were missing. Most of the group’s methods were established during the post-breach forensic investigation; where the evidence is incomplete, the account is labeled as what likely happened, based on investigations of earlier ransomware cases that successfully targeted healthcare providers.
The Target: “Straight White Teeth” (fictional name), a DSO operating 60 clinics across multiple states.
Like many healthcare organizations, it relies on a mix of internal and external IT teams. On-premises servers handle local clinic operations; cloud-based systems on platforms such as Microsoft Azure or AWS host electronic health records (EHR), billing, and patient management. The organization handles large volumes of protected health information (PHI), including X-rays, treatment plans, and financial records. With a workforce of over 1,000 dentists, hygienists, and administrative staff, the network is a patchwork of desktops, laptops, tablets, and IoT-enabled dental equipment, connected across sites via VPNs and remote access tools. The attack begins not with a loud announcement or a total network shutdown but with a whisper. Cybercriminals, often part of well-organized and well-funded groups, scout for weak points. The goal is not just disruption but profit, through data theft and ransom.
Phase 1: Initial Access – Exploiting Technical Vulnerabilities
Ransomware attacks sometimes start with a zero-day exploit or with social engineering of staff. Neither was used here. Unfortunately for “Straight White Teeth”, the attackers went after an all-too-common known vulnerability that had been left unpatched. The entry point was a remote desktop protocol (RDP) server exposed directly to the internet. Many DSOs use RDP for remote maintenance of clinic systems, but without multi-factor authentication (MFA), account lockout, or firewall rules limiting who can reach port 3389, it is an attacker’s dream. The attackers began with reconnaissance. Using Shodan, a legitimate search engine for internet-connected devices, they found RDP open on several clinic IP addresses. Anyone can run the same Shodan query against their own address space, and if RDP shows up there it is reachable by attackers too. The attackers’ own vulnerability scan then showed the servers running Windows Server 2016 with a long-patched remote code execution flaw in RDP still present; the patch had been neglected because of legacy systems at smaller locations.
With this intel, the attackers launched a brute-force attack against RDP logons. The forensic evidence does not show which password-guessing tool was used; it can only be assumed one was deployed. Credentials stolen in earlier breaches are often sold on dark-web forums, but “Straight White Teeth” had no prior breach whose passwords could have been replayed, which points to plain guessing of weak passwords. Success comes quickly: an account with limited administrative rights on one clinic’s server is compromised. The foothold is stealthy only because nobody is watching. Every failed RDP logon is written to the Windows Security log as Event ID 4625, so a burst of failures from one internet address followed by a success is a textbook alert; the organization had no managed detection and response (MDR) service or other monitoring to raise it.
Once inside, the attackers elevate privileges. They can then move laterally across the network, hopping from the compromised server to others via shared credentials (such as the same administrator password reused across clinic servers) and weak segmentation. In a 60-location dental group, poor network isolation, common in rapidly expanding DSOs, accelerates this: firewalls between sites are misconfigured and allow unrestricted traffic, so one clinic server can talk to every other site. This phase lasts days or weeks, with the attackers mapping the environment using built-in Windows tools to avoid tripping antivirus. They identify the “pot of gold”: the cloud-connected EHR system, where patient data resides.
Phase 2: Persistence and Lateral Movement
In this case, they install a seemingly benign screen-sharing application, either a genuine copy of a tool such as AnyDesk or TeamViewer or something masquerading as one; it blends in because many IT teams use the same products. Why screen-sharing? It gives the attackers persistent, interactive remote control that survives a password change on the RDP account, and its traffic looks like ordinary support sessions, which helps it evade detection while data is exfiltrated. Any remote-access tool that IT did not install should be treated as a breach indicator; a list of approved tools, enforced by application control, turns this from noise into a high-fidelity alert. The attackers then run a legitimate network and vulnerability scanner to enumerate every device on the network, so they can reach, steal from, and later encrypt as many systems as possible. Criminal groups use the same tools that defensive security companies use for protection, vulnerability scanners above all, just for nefarious purposes.
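As an added example (not code from the original article or from Black Talon Security), the following Python script shows what the two early signals from Phases 1 and 2 look like in Windows Security event data: a run of failed RDP logons (Event ID 4625, logon type 10) from one internet address followed by a success from that same address, and the launch of a remote-access tool (Event ID 4688 process creation). The events, hostnames, addresses and the list of remote-access executables are constructed for the example, and the thresholds are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security log event IDs.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
PROCESS_CREATE = 4688
RDP_LOGON_TYPE = "10"  # LogonType 10 = RemoteInteractive (Terminal Services / RDP)

# Executable names of common remote-access tools. Assumption: a defender-maintained
# list for this example, not an exhaustive or vendor-supplied one.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe", "rustdesk.exe"}


def build_sample_events():
    """Constructed events shaped like Security-log fields; not real telemetry."""
    base = datetime(2025, 3, 1, 2, 10, 0)
    events = []
    # 25 failed RDP logons from one internet address in under five minutes,
    # cycling through guessed usernames...
    guesses = ["administrator", "admin", "clinic07admin", "backup", "dentist"]
    for i in range(25):
        events.append({"EventID": FAILED_LOGON, "TimeCreated": base + timedelta(seconds=12 * i),
                       "Computer": "CLINIC07-SRV", "IpAddress": "203.0.113.77",
                       "TargetUserName": guesses[i % len(guesses)], "LogonType": RDP_LOGON_TYPE})
    # ...followed by a successful RDP logon from the same address.
    events.append({"EventID": SUCCESS_LOGON, "TimeCreated": base + timedelta(minutes=6),
                   "Computer": "CLINIC07-SRV", "IpAddress": "203.0.113.77",
                   "TargetUserName": "clinic07admin", "LogonType": RDP_LOGON_TYPE})
    # A staff member mistyping a password twice from the clinic LAN: must not fire.
    for i in range(2):
        events.append({"EventID": FAILED_LOGON, "TimeCreated": base + timedelta(hours=6, seconds=30 * i),
                       "Computer": "CLINIC07-SRV", "IpAddress": "10.7.0.15",
                       "TargetUserName": "hygienist2", "LogonType": RDP_LOGON_TYPE})
    # Process creation: a remote-access tool run from a temp folder, and a benign program.
    events.append({"EventID": PROCESS_CREATE, "TimeCreated": base + timedelta(minutes=20),
                   "Computer": "CLINIC07-SRV", "SubjectUserName": "clinic07admin",
                   "NewProcessName": r"C:\Users\clinic07admin\AppData\Local\Temp\AnyDesk.exe"})
    events.append({"EventID": PROCESS_CREATE, "TimeCreated": base + timedelta(minutes=21),
                   "Computer": "CLINIC07-SRV", "SubjectUserName": "clinic07admin",
                   "NewProcessName": r"C:\Windows\System32\notepad.exe"})
    return events


def detect_rdp_brute_force(events, threshold=10, window=timedelta(minutes=10)):
    """Flag each source IP with at least `threshold` failed RDP logons inside any
    `window`-long span, and record whether a successful RDP logon from that IP
    followed the run (the sign that guessing worked). Threshold and window are assumptions."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if e["EventID"] == FAILED_LOGON:
            failures[e["IpAddress"]].append(e)
        elif e["EventID"] == SUCCESS_LOGON:
            successes[e["IpAddress"]].append(e)

    findings = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best_count, best_span, start = 0, (0, 0), 0
        for end in range(len(evs)):  # sliding window over the sorted failure times
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_span = end - start + 1, (start, end)
        if best_count < threshold:
            continue
        first, last = evs[best_span[0]], evs[best_span[1]]
        later = [s for s in successes.get(ip, []) if s["TimeCreated"] >= last["TimeCreated"]]
        findings.append({
            "ip": ip, "computer": first["Computer"], "failures": best_count,
            "first": first["TimeCreated"], "last": last["TimeCreated"],
            "usernames": sorted({e["TargetUserName"] for e in evs[best_span[0]:best_span[1] + 1]}),
            "success_user": later[0]["TargetUserName"] if later else None,
        })
    return findings


def detect_remote_access_tools(events):
    """Flag process-creation events whose image name is a known remote-access tool."""
    findings = []
    for e in events:
        if e["EventID"] != PROCESS_CREATE:
            continue
        image = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if image in REMOTE_ACCESS_TOOLS:
            findings.append({"computer": e["Computer"], "user": e["SubjectUserName"],
                             "process": e["NewProcessName"], "time": e["TimeCreated"]})
    return findings


if __name__ == "__main__":
    sample = build_sample_events()
    for f in detect_rdp_brute_force(sample):
        print(f"RDP brute force from {f['ip']} against {f['computer']}: {f['failures']} failures "
              f"({f['first']:%H:%M:%S} to {f['last']:%H:%M:%S}), users tried {f['usernames']}, "
              f"followed by success as {f['success_user']}")
    for f in detect_remote_access_tools(sample):
        print(f"Remote-access tool launched on {f['computer']} by {f['user']}: {f['process']}")
```

In production the event dictionaries would come from the Security log itself (for example via `Get-WinEvent` exported to JSON, or from a SIEM); the two detectors only assume the standard 4624/4625/4688 field names. The brute-force rule deliberately keys on logon type 10 so that service logons and mistyped passwords at the console do not inflate the count.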
Phase 3: Data Exfiltration
The attackers’ focus shifts to theft. Ransomware isn’t just about encryption anymore; double-extortion tactics involve stealing data first and threatening to publish it if the ransom isn’t paid. Using the screen-sharing session, the attackers navigate to the cloud dashboard from the compromised workstation. They find a misconfigured Azure storage account and download terabytes of PHI: patient records, insurance details, and financial data. To speed exfiltration, they compress the files and upload them to their own server over encrypted channels, disguising the traffic as legitimate cloud syncs. In this attack, over 500,000 patient records are stolen. The cloud’s scalability, meant for efficiency, becomes a liability: with no data loss prevention (DLP) tools or egress-volume alerting in place, the transfer goes unnoticed.
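As an added example, again not the article’s or Black Talon’s code, this Python audit checks an Azure storage account description for the kind of misconfiguration that lets a hijacked session download PHI at will: anonymous blob access, a network rule set that admits any internet address, weak TLS, plaintext HTTP, and shared-key authentication. The input is constructed to resemble `az storage account show` and `az storage container list` output; the property names follow the Azure Storage resource schema as I understand it (treat them as assumptions and confirm against your CLI version), and the account, container names and addresses are fictional. A hardened version of the same account sits beside the weak one so the two can be compared.

```python
import json

# Constructed to resemble `az storage account show` output. Property names follow the
# Azure Storage account schema (assumption: confirm against your CLI version); values are fictional.
WEAK_ACCOUNT = json.loads("""{
  "name": "swtpatientdata",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": true,
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
}""")

# Constructed to resemble `az storage container list` output for the same account.
WEAK_CONTAINERS = json.loads("""[
  {"name": "xrays",   "properties": {"publicAccess": "container"}},
  {"name": "billing", "properties": {"publicAccess": null}}
]""")

# The same account after hardening: no anonymous access, deny-by-default network rules
# with only the clinics' VPN egress address allowed (fictional), TLS 1.2+, HTTPS only,
# and shared-key auth disabled in favour of Entra ID role assignments.
HARDENED_ACCOUNT = {
    "name": "swtpatientdata",
    "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny",
                       "ipRules": [{"action": "Allow", "ipAddressOrRange": "198.51.100.20"}],
                       "virtualNetworkRules": []},
}
HARDENED_CONTAINERS = [
    {"name": "xrays",   "properties": {"publicAccess": None}},
    {"name": "billing", "properties": {"publicAccess": None}},
]

ACCEPTED_TLS = {"TLS1_2", "TLS1_3"}


def audit_storage_account(account, containers):
    """Return a list of (severity, message) findings for one storage account.
    Missing properties are treated as the permissive value, so an incomplete
    export errs on the side of reporting rather than silently passing."""
    findings = []
    name = account["name"]

    # Anonymous access: the account-level switch and each container's own level.
    if account.get("allowBlobPublicAccess", True):
        findings.append(("HIGH", f"{name}: anonymous blob access is permitted at the account level"))
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level in ("blob", "container"):
            findings.append(("HIGH", f"{name}/{c['name']}: container public access level is '{level}'"))

    # Network exposure: public endpoint enabled and the rule set allows by default.
    rules = account.get("networkRuleSet") or {}
    if (account.get("publicNetworkAccess", "Enabled") == "Enabled"
            and rules.get("defaultAction", "Allow") == "Allow"):
        findings.append(("HIGH", f"{name}: reachable from any internet address "
                                 "(publicNetworkAccess=Enabled, networkRuleSet.defaultAction=Allow)"))

    # Transport security.
    if account.get("minimumTlsVersion") not in ACCEPTED_TLS:
        findings.append(("MEDIUM", f"{name}: minimum TLS version is "
                                   f"{account.get('minimumTlsVersion')}; require TLS1_2 or newer"))
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append(("MEDIUM", f"{name}: plaintext HTTP is accepted"))

    # Authentication: account keys and SAS tokens are bearer secrets that a stolen
    # session can copy; identity-based access can be revoked per principal.
    if account.get("allowSharedKeyAccess", True):
        findings.append(("MEDIUM", f"{name}: shared-key (account key / SAS) authentication "
                                   "is enabled; prefer Entra ID RBAC"))
    return findings


def is_compliant(account, containers):
    """True when the audit produces no findings."""
    return not audit_storage_account(account, containers)


if __name__ == "__main__":
    for label, acct, conts in (("weak", WEAK_ACCOUNT, WEAK_CONTAINERS),
                               ("hardened", HARDENED_ACCOUNT, HARDENED_CONTAINERS)):
        print(f"== {label} ==")
        for severity, message in audit_storage_account(acct, conts) or [("OK", "no findings")]:
            print(f"[{severity}] {message}")
```

Note that locking the network rule set down does not by itself stop an attacker who is already driving a workstation inside the allowed address range, which is exactly the situation described above; the controls that help there are identity-based access with per-user auditing, storage access logging, and alerting on unusual egress volume.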
Phase 4: Execution – Encryption and Ransom Demand
The climax: deployment of the ransomware payload. The attackers use the screen-sharing app to push the encryptor to all 60 locations. It is a custom variant that goes after backups first, to eliminate the recovery option. Encryption hits every site simultaneously at midnight, locking EHRs, billing systems, and local files. Clinics wake to ransom notes demanding $5 million in Bitcoin, with samples of the stolen data attached as proof. The note warns that the data will be leaked to regulators and patients if the ransom is not paid. Chaos ensues: appointments are cancelled, emergency care halts, and revenue plummets. HIPAA breach notifications loom, with fines of up to $50,000 per violation. Backups that an attacker can reach with the same credentials as production are not really backups; only offline or immutable copies survive this step.
The Aftermath: Impact and Recovery
The financial toll is staggering: lost revenue from downtime (zero production at every location for at least 10–14 days), the ransom payment if one is made, and recovery costs. Reputationally, patient trust erodes and lawsuits over the data breach follow. Recovery involves forensics teams isolating infected systems, restoring off-site backups (if they were not also compromised), and rebuilding the rest. “Straight White Teeth” engages a dedicated cybersecurity firm for future protection, a lesson learned too late. This anatomy reveals ransomware’s multi-stage nature: from exploitation of a known vulnerability, through misuse of legitimate tools for theft, to encryption.
In 2025, with AI-enhanced attacks on the rise, DSOs must prioritize continuous vulnerability scanning and fast, automated patching, along with 24/7 monitoring by trained analysts using AI-based defensive tools. Ultimately, while technology evolves, human vigilance remains key. By understanding these attacks, organizations like “Straight White Teeth” can fortify their defenses and turn potential disasters into cautionary tales.
🚨 Recent notable healthcare cyber incidents:
Absolute Dental, which operates multiple locations across Nevada including Las Vegas and Reno, has reported a data breach that may have exposed sensitive personal information. The company discovered the issue on February 26, 2025, after an unauthorized party accessed its systems between February 19 and March 5 through a malicious version of a legitimate software tool linked to a third-party provider.
Following an investigation completed on July 28, Absolute Dental determined that affected data may include names, contact details, birthdates, Social Security numbers, driver’s license or ID information, and health-related details such as medical history, treatments, diagnoses, insurance information, and patient IDs. In some cases, financial account or payment card data may also have been impacted. The breach was reported to the U.S. Department of Health and Human Services on May 2, 2025, and the company is now notifying potentially affected individuals.
On July 21, 2025, Washington-based Dr. Michael Bilikas and Associates, doing business as 32 Pearls, reported a data breach to the U.S. Department of Health and Human Services. 32 Pearls, a Seattle and Tacoma dental practice offering family, cosmetic and implant dentistry, discovered on May 22, 2025 that malicious software had encrypted files on its systems. An investigation, conducted with the help of cybersecurity experts, revealed unauthorized access occurred between May 19 and May 22, 2025. The data breach potentially exposed files containing individuals’ full names, addresses, driver’s license numbers, Social Security numbers, and medical information. The 32 Pearls data breach reportedly impacted 23,517 individuals.
Dental Group of Amarillo, which operates six dental and orthodontic offices in Texas, has agreed to pay $1 million to settle a class action lawsuit stemming from a 2023 cyberattack and data breach. Hackers accessed the group’s network between October 3 and October 19, 2023, exposing patient names, contact details, Social Security and driver’s license numbers, health insurance data, and medical records, including X-rays and treatment information, affecting 3,821 patients.
The lawsuit, Barham v. Dental Group of Amarillo, LLP, alleged negligence in protecting personal and health information, as well as delays in responding and notifying victims. The breach was confirmed on January 9, 2024, but not reported to federal authorities until March 6, with patient notifications sent May 9—delays claimed to violate Texas law and HIPAA. In addition to a cash payment, class members may claim three years of three-bureau credit monitoring services, which include dark web monitoring, medical identity monitoring, public record monitoring services, and an identity theft insurance policy.
Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.