A dental practice in Wisconsin arrived Monday morning to find every workstation displaying the same message: "Your files have been encrypted. Pay 4.2 Bitcoin ($185,000) within 72 hours or your patient data will be published online." Their server was locked. Their backups — stored on a USB drive plugged into the server — were encrypted too. Their practice management system (Dentrix), their imaging archive (DEXIS), their financial records — all gone.
This isn't a hypothetical scenario. The American Dental Association reported that dental practices accounted for a growing share of healthcare ransomware incidents through 2024 and 2025. The FBI's Internet Crime Complaint Center logged healthcare as the most-targeted critical infrastructure sector for ransomware, and dental offices — with their valuable ePHI and often minimal security — sit squarely in the crosshairs.
Why Attackers Target Dental Practices Specifically
Ransomware gangs don't target dental practices by accident. The economics are compelling from the attacker's perspective:
- High-value data — Dental records contain Social Security numbers, insurance information, medical histories, and payment card data. A single patient record sells for $250 to $1,000 on dark web markets — far more than a credit card number ($5 to $25).
- Low security maturity — Most dental practices have a firewall, antivirus on some machines, and not much else. Few have network segmentation, endpoint detection, or monitored backup systems. The security gap between a dental office and a hospital is enormous.
- High pressure to pay — A dental practice that can't access its schedule, patient records, or imaging archive is losing $500 to $1,800 per hour in production. Every hour the ransomware holds, the financial pressure to pay increases. Attackers know this.
- Limited IT expertise — Many practices rely on a local "computer guy" or a small MSP that also supports accounting firms, law offices, and retail shops. These providers rarely have ransomware response experience or incident response plans.
How Ransomware Actually Gets Into a Dental Practice
Forget the movie image of a hooded hacker typing furiously at a terminal. Real dental practice ransomware attacks follow mundane, repeatable patterns:
Phishing emails are the number one entry point. The email looks like it's from a dental supplier, an insurance company, or even a patient. It contains a link or attachment. One click from any staff member with network access is enough. We've seen phishing emails disguised as patient intake forms, insurance EOB notices, and even Open Dental update notifications.
Exposed Remote Desktop Protocol (RDP) is the second most common entry point. Many MSPs set up RDP on the server so they can remote in for support. If that RDP port (3389) is exposed to the internet without a VPN — and it is in a shocking number of dental practices — attackers can brute-force the password. Automated scanning tools find exposed RDP ports within hours of them being opened.
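An added example, not part of the original article: one way to spot the password-guessing pattern described above in Windows logon events, where event ID 4625 is a failed logon and 4624 a successful one. The event records are constructed and simplified, and the threshold and window are assumptions to tune per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624  # Windows Security log event IDs
THRESHOLD = 5                   # assumed: failures from one source that make a burst
WINDOW = timedelta(minutes=2)   # assumed: sliding window for counting failures

def make_event(ts, event_id, ip, user):
    return {"time": datetime.fromisoformat(ts), "id": event_id, "ip": ip, "user": user}

# Constructed sample records, not real logs (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = (
    [make_event(f"2025-03-03T02:14:{s:02d}", FAILED_LOGON, "203.0.113.50", "Administrator")
     for s in range(0, 48, 6)]   # 8 failures in 42 seconds
    + [make_event("2025-03-03T02:15:10", SUCCESSFUL_LOGON, "203.0.113.50", "Administrator"),
       make_event("2025-03-03T08:01:00", FAILED_LOGON, "192.168.10.21", "frontdesk"),
       make_event("2025-03-03T08:01:20", SUCCESSFUL_LOGON, "192.168.10.21", "frontdesk")]
)

def find_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": peak count, "users": set, "succeeded": bool}}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ev["id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "succeeded": False})
                f["failures"] = max(f["failures"], len(q))
                f["users"].add(ev["user"])
        elif ev["id"] == SUCCESSFUL_LOGON and ip in findings:
            # A success from a source that already produced a burst suggests a guessed password.
            findings[ip]["succeeded"] = True
    return findings

if __name__ == "__main__":
    for ip, f in find_bruteforce(SAMPLE_EVENTS).items():
        state = "then a logon SUCCEEDED" if f["succeeded"] else "no success seen"
        print(f"{ip}: {f['failures']} failed logons inside {WINDOW}, {state}")
```

A single mistyped password from the front desk stays below the threshold, while the burst from the external address is reported together with the later successful logon.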
Compromised vendor credentials are the third vector. If your IT provider uses the same admin password across multiple clients (more common than you'd think), one compromised client gives attackers access to every practice that provider manages.
$1.27 million — average cost of a healthcare ransomware incident in 2025, including downtime, recovery, legal fees, and regulatory penalties. For a single-location dental practice, the typical cost ranges from $50,000 to $350,000.
Your Backup Is Only as Good as Your Last Restore Test
Every dental practice IT provider says "we back up your data." Very few of them test whether that backup can actually be restored. Here's what we see in the field:
- USB drive backups plugged into the server — Ransomware encrypts every drive the server can access. If your backup drive is connected, it gets encrypted too. This is not a backup strategy; it's a false sense of security.
- Cloud backups that haven't been verified — The backup software reports "success" every night, but nobody has tried restoring the Dentrix database from it. When the ransomware hits, you discover the backup has been silently failing for three months because the database was locked by SQL Server during the backup window.
- Backups without versioning — Some backup systems overwrite the previous backup each time. If the ransomware encrypts your files on Monday but you don't notice until Wednesday, your backup contains encrypted files. You need versioned backups that retain 30+ days of history.
Test your backup quarterly. Actually restore the Dentrix or Open Dental database to a test machine and confirm it opens. If you can't do this — or if your IT provider can't show you a successful test restore — your backup is theoretical, not real.
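The three failure modes above can be checked from a backup catalogue, as in this added example (not from the original article or any backup product). The catalogue layout, the file name `practice_db.bak`, the destination labels and the 92-day quarter are assumptions, and the sample jobs are constructed.

```python
from datetime import date, timedelta

MIN_HISTORY_DAYS = 30        # the article's "30+ days of history"
MAX_RESTORE_AGE_DAYS = 92    # assumed length of one quarter
DB_FILE = "practice_db.bak"  # hypothetical name for the practice database backup file
TODAY = date(2025, 6, 2)     # fixed so the constructed sample is reproducible

def audit_backups(job, today):
    """Return a list of findings for one backup job; an empty list means healthy."""
    findings = []
    versions = sorted(job["versions"], key=lambda v: v["date"])
    if job["destination"] in ("usb", "local_disk"):
        findings.append("destination is attached to the server and gets encrypted with it")
    if not versions:
        return findings + ["no backup versions exist"]
    span = (versions[-1]["date"] - versions[0]["date"]).days
    if span < MIN_HISTORY_DAYS:
        findings.append(f"only {span} days of version history, need {MIN_HISTORY_DAYS}+")
    # A job can report "success" while skipping a database file locked by SQL Server.
    good = [v["date"] for v in versions if v["files"].get(DB_FILE, 0) > 0]
    if not good:
        findings.append(f"{DB_FILE} is in no backup version")
    elif good[-1] != versions[-1]["date"]:
        findings.append(f"{DB_FILE} last captured {(today - good[-1]).days} days ago")
    tested = job.get("last_restore_test")
    if tested is None:
        findings.append("restore has never been tested")
    elif (today - tested).days > MAX_RESTORE_AGE_DAYS:
        findings.append(f"last restore test was {(today - tested).days} days ago")
    return findings

def daily_versions(days, db_missing_last=0):
    """Constructed data: one version per day; DB_FILE has size 0 in the newest N."""
    return [{"date": TODAY - timedelta(days=d),
             "files": {DB_FILE: 0 if d <= db_missing_last else 5_000_000_000}}
            for d in range(days, 0, -1)]

SAMPLE_JOBS = {  # constructed examples of the failure modes plus a healthy job
    "usb_nightly": {"destination": "usb", "versions": daily_versions(1),
                    "last_restore_test": None},
    "cloud_unverified": {"destination": "cloud_immutable",
                         "versions": daily_versions(45, db_missing_last=20),
                         "last_restore_test": TODAY - timedelta(days=200)},
    "cloud_tested": {"destination": "cloud_immutable", "versions": daily_versions(45),
                     "last_restore_test": TODAY - timedelta(days=30)},
}

if __name__ == "__main__":
    for name, job in SAMPLE_JOBS.items():
        print(name, audit_backups(job, TODAY) or "OK")
```

A clean audit only shows the catalogue looks right; the quarterly restore to a test machine is still what proves the database opens.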
The 5 Defense Layers That Actually Stop Ransomware
No single product stops ransomware. Effective protection requires layered defense where each layer catches what the previous one missed:
- Email filtering with URL sandboxing — Block phishing emails before they reach your staff. Products like Proofpoint, Mimecast, or Microsoft Defender for Office 365 scan links and attachments in a sandbox before delivering the email. This stops 90%+ of phishing attempts.
- Endpoint Detection and Response (EDR) — Traditional antivirus catches known malware by signature. EDR watches for behavioral patterns: a process encrypting hundreds of files per second, a PowerShell script downloading executables from an external server, a user account accessing files it has never accessed before. When it detects ransomware behavior, it kills the process and isolates the endpoint.
- Network segmentation — Separate your practice network into zones. Guest WiFi on one VLAN. Workstations on another. The server on another. Imaging devices on another. If ransomware compromises a workstation, segmentation prevents it from spreading to the server.
- Immutable, offsite backups — Store backups in a location that ransomware cannot reach or modify. Cloud backup with immutability (where stored backups cannot be deleted or altered for a set retention period) is the gold standard. Even if the attacker compromises your entire network, they can't touch immutable cloud backups.
- Behavioral monitoring — Watch for the early signs of an attack: unusual login attempts, large file transfers, new scheduled tasks, disabled security services. CyberCore's agent monitors for these behavioral signals on every workstation in real time. When it detects patterns consistent with ransomware staging, it alerts immediately — before the encryption starts.
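As an added illustration of the behavioral rule in the EDR item above (example code, not from the article or from any EDR product), this detector counts the distinct files each process rewrites within one second. The telemetry is constructed, and the 200-file threshold is an assumed reading of "hundreds of files per second".

```python
from collections import defaultdict, deque

WINDOW_MS = 1000       # one-second sliding window
FILE_THRESHOLD = 200   # assumed cut-off for "hundreds of files per second"

def detect_mass_rewrite(events, threshold=FILE_THRESHOLD, window_ms=WINDOW_MS):
    """events: (time_ms, pid, process_name, path) tuples in time order.
    Returns {pid: (process_name, time_ms of first alert, peak distinct files)}."""
    recent = defaultdict(deque)                       # pid -> (time_ms, path) in window
    counts = defaultdict(lambda: defaultdict(int))    # pid -> path -> writes in window
    alerts = {}
    for t, pid, name, path in events:
        q, c = recent[pid], counts[pid]
        q.append((t, path))
        c[path] += 1
        while t - q[0][0] >= window_ms:               # expire writes older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold:                       # distinct files, not raw write count
            _, first, peak = alerts.get(pid, (name, t, 0))
            alerts[pid] = (name, first, max(peak, len(c)))
    return alerts

# Constructed file-write telemetry (process names and paths are made up for the example).
SAMPLE_EVENTS = sorted(
    # Database engine: 500 writes per second, all to one file. Busy but normal.
    [(i * 2, 812, "sqlservr.exe", r"D:\Data\practice.mdf") for i in range(500)]
    # Imaging export: 50 new files, ten per second.
    + [(i * 100, 1440, "imaging_export.exe", rf"D:\Images\scan_{i}.dcm") for i in range(50)]
    # Unknown process: 600 different documents rewritten 3 ms apart (about 333 per second).
    + [(5000 + i * 3, 3016, "unknown.exe", rf"D:\Shared\doc_{i}.docx") for i in range(600)]
)

if __name__ == "__main__":
    for pid, (name, first, peak) in detect_mass_rewrite(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} {name}: first at {first} ms, peak {peak} files/second")
```

Counting distinct paths rather than raw writes keeps the database engine, which hammers one file, from triggering the rule.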
If You're Already Infected: The First 30 Minutes
If you see a ransom note on a workstation, here's what to do in the first 30 minutes:
- Disconnect the affected workstation from the network immediately — Pull the ethernet cable. Turn off WiFi. Don't shut it down (forensic evidence is in memory), just disconnect it.
- Check whether the server is affected — Can you access the server from another workstation? Can you open Dentrix or Open Dental? If yes, the attack may be contained to one machine.
- Contact your IT provider and tell them it's ransomware — Don't say "the computer is acting funny." Say "we have a ransom note on a workstation." This triggers a different response protocol.
- Do not pay the ransom — The FBI recommends against paying. Payment funds future attacks and doesn't guarantee data recovery. 80% of organizations that paid a ransom were attacked again.
- Document everything — Take photos of the ransom note. Note which workstations are affected. Record the time you discovered it. This documentation matters for your HIPAA breach notification, insurance claim, and law enforcement report.
Ransomware attacks on dental practices are not going away. The data is too valuable, the defenses are too weak, and the pressure to pay is too high. But the practices that prepare — with layered security, tested backups, and real-time behavioral monitoring — recover in hours instead of weeks. And they never have to wonder whether paying the ransom is their only option.