More than 100 dentist offices have reportedly been affected by a recent Sodinokibi ransomware attack on a Colorado-based company that provides IT services to the oral-care practices.

Security expert Brian Krebs reported this past weekend via his blog post that Englewood, Colo.-based Complete Technology Solutions (CTS), was attacked back on Nov. 25, apparently via a compromised remote administration tool.

Many of CTS’ clients are reportedly still affected and scrambling to salvage their data and business operations. Representatives from affected practices as well as firms hired to help them told Krebs that CTS declined to pay a $700,000 ransomware demand.

Some individual dental offices have reportedly opted to pay the attackers smaller amounts in order to decrypt just their own data. However, in at least certain cases, the practices actually received multiple ransom notes and needed to purchase multiple decryption keys in order to recover all of their files, instead of only a portion.

Gary Salman, CEO of New York-Based Black Talon Security – a firm that assisted several of CTS’ clients – told Krebs that one network with 50 devices “had to turn in more than 20 ransom notes to fully recover.” Salman said the attackers may have chosen this strategy as an insurance policy in case affected practices decided to team up and share the same decryption key. “In the end, [the attackers] are going to walk away with a lot more money than they would have gotten had [CTS] just paid the $700,000,” Salman reportedly said.

According to KrebsonSecurity, the compromised remote administration tool was not set up to require any secure authentication on the part of CTS’ dental clients before it connected to their systems.

CTS President Herb Miner reportedly declined comment to Krebs. SC Media has also reached out to CTS, which provides services such as network security, data backup and Voice over IP phone.

Emerging in April 2019, Sodinokibi ransomware, also known as rEvil and Sodin, operates via a ransomware-as-a-service model and is believed to be created by the same developers as GandCrab ransomware. Like GandCrab, Sodinokibi has been made available on dark web forums to cybercriminal “affiliates.” Profits are split between the affiliates and the developers.

Last August, it was reported that Wisconsin-based IT company PerCSoft was infected by Sodinokibi in a case that impacted roughly 400 dental practices.