Grateful for Good Backups: A Real Ransomware Survival Story
The week before Thanksgiving, we got the call. A dental practice, four operatories, ten workstations, one server. Their office manager arrived Monday morning to find every file on the server encrypted. A ransom note on every desktop demanding $8,000 in Bitcoin.
She called us at 7:15 AM. By 11:30 AM, the practice was back online. Here's how.
What Happened
The attack came through an email that appeared to be from a dental insurance company. It contained a "pre-authorization form" as a Word attachment. A staff member opened it on Friday afternoon. The document asked to enable macros to "view the protected content." She clicked Enable.
The ransomware activated but didn't immediately encrypt everything. It waited until after hours, when nobody was watching, to begin the encryption process. By Monday morning, the server's patient database, imaging files, and financial records were all locked with a .cerber extension.
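The after-hours, bulk encryption pattern described here is exactly what a file server's audit log can reveal before Monday morning. As an added example (not code from the original post), the Python below scans constructed audit-log lines for a burst of renames to the .cerber extension per host and user and notes whether the burst began outside assumed business hours; the log format, server name, username, and paths are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit lines (format, host, user and paths are assumptions):
# "<YYYY-MM-DD HH:MM:SS> <host> <user> <action> <path>[ -> <newname>]"
SAMPLE_LOG = r"""
2016-11-18 14:05:40 FILESRV01 jdoe RENAME \\FILESRV01\Patients\forms\draft.docx -> final.docx
2016-11-18 22:31:05 FILESRV01 jdoe RENAME \\FILESRV01\Patients\records\a1.pdf -> a1.pdf.cerber
2016-11-18 22:31:06 FILESRV01 jdoe RENAME \\FILESRV01\Patients\records\a2.pdf -> a2.pdf.cerber
2016-11-18 22:31:06 FILESRV01 jdoe RENAME \\FILESRV01\Imaging\x1.dcm -> x1.dcm.cerber
2016-11-18 22:31:07 FILESRV01 jdoe RENAME \\FILESRV01\Imaging\x2.dcm -> x2.dcm.cerber
2016-11-18 22:31:08 FILESRV01 jdoe RENAME \\FILESRV01\Finance\q3.xlsx -> q3.xlsx.cerber
2016-11-18 22:31:09 FILESRV01 jdoe RENAME \\FILESRV01\Finance\q4.xlsx -> q4.xlsx.cerber
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<action>\S+) (?P<path>.+?)(?: -> (?P<new>\S+))?$"
)
RANSOM_EXTS = (".cerber",)      # extension seen in this incident
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, assumed for the practice
def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def detect_bulk_rename(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag any (host, user) that renames >= threshold files to a ransomware
    extension inside one sliding window; report the largest burst found."""
    hits = defaultdict(list)
    for ev in parse(log_text):
        if ev["action"] == "RENAME" and ev["new"] and ev["new"].lower().endswith(RANSOM_EXTS):
            hits[(ev["host"], ev["user"])].append(ev["ts"])
    alerts = []
    for (host, user), times in hits.items():
        times.sort()
        start, best = 0, (0, 0)             # best = (start index, count)
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best[1]:
                best = (start, end - start + 1)
        if best[1] >= threshold:
            alerts.append({"host": host, "user": user, "count": best[1],
                           "first_seen": times[best[0]],
                           "after_hours": times[best[0]].hour not in BUSINESS_HOURS})
    return alerts
```

Feeding this real audit exports (or wiring the same logic into a SIEM rule) would have raised an alert Friday night, when the burst started, rather than when the office manager found the ransom notes.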
What They Did Right
They Had the 3-2-1 Backup
This practice had been following our advice (I'd like to think this blog played a small role). They had three copies of their data: the server (now encrypted), a local NAS backup (also encrypted, because it was on the same network), and a cloud backup to a HIPAA-compliant service.
The cloud backup was the one that saved them. Because it wasn't directly accessible from the network, the ransomware couldn't touch it.
They Called Immediately
No delay. No "let me try to fix it myself." No paying the ransom. The office manager recognized the ransom note, remembered our advice, and called us. Every minute matters in ransomware response.
They Didn't Pay
The FBI recommends not paying ransoms. We agree. Paying funds criminal operations, doesn't guarantee you'll get your data back, and marks you as a willing payer for future attacks. Because they had a clean backup, paying wasn't necessary.
The Recovery Process
- 7:15 AM: Call received. We told them to disconnect the server from the network immediately.
- 7:30 AM: We arrived on-site. Confirmed ransomware variant (Cerber). Isolated all affected systems.
- 8:00 AM: Assessed the damage. Server and NAS encrypted. Workstations had the ransom note but most local files were intact.
- 8:30 AM: Began cloud backup restore of the Dentrix database and patient imaging files.
- 10:00 AM: Database restored. Verified data integrity.
- 11:00 AM: Workstations cleaned and reconnected. Practice management system (PMS) operational.
- 11:30 AM: Practice fully operational. First patient seen at noon.
Total downtime: about half a day. Total data loss: approximately 3 hours of work from Friday afternoon (between the last backup and the encryption). No patient data was exfiltrated. No ransom paid. No HIPAA breach notification required.
What They Changed Afterward
- Moved the NAS to a separate network segment so ransomware can't reach it
- Implemented application whitelisting to prevent unauthorized macros
- Added email security that sandboxes attachments before delivery
- Conducted team training specifically on macro-enabled document attacks
The Lesson
Good backups turned what could have been a practice-ending catastrophe into a half-day inconvenience. The investment in cloud backup that this practice made months earlier, a few hundred dollars a month, saved them from an $8,000 ransom payment, days of downtime, and potential HIPAA violations.
This Thanksgiving, be grateful for your backups. If you don't have good ones, make that your priority this week.