UVM Medical Center Confirms Cyberattack Involved Ransomware | Off Message

by Sean Metcalf
The fall cyberattack that crippled University of Vermont Medical Center servers and disrupted vital patient care for weeks involved a form of ransomware, the hospital disclosed for the first time Tuesday.

Officials had previously refused to say whether ransomware was used, citing guidance from the Federal Bureau of Investigation. But the FBI recently gave the hospital permission to describe some aspects of the attack, said Dr. Doug Gentile, the medical center's chief medical information officer.

"What I can tell you is this was in the class of ransomware attacks," Gentile told reporters on a Zoom call. "We did not get a phone call. We did not get a letter. But we did have a file deposited [on our system] that gave instructions on how to contact the attackers."

That file provided a web address and instructed the hospital to contact the perpetrators if it wished to free its system, according to Gentile, who said he could not be sure of the motivation behind the attack because the hospital ultimately never made contact — nor did it receive any ransom request.

"But we assume they were asking for money," Gentile said.

Cyberattacks on American health care systems have become increasingly common. The latest wave, which impacted about a dozen hospitals, is believed to have been conducted by a group of Russian-speaking hackers who deploy a ransomware known as "Ryuk." The FBI estimates they have taken in $61 million in ransom over a two-year period ending in 2019, the New York Times reported.

Gentile said there was still much the FBI did not want the hospital to say amid the ongoing investigation, including whether the attack involved Ryuk, or how it may have infiltrated the hospital's defense systems.

He said the health network is targeted by cyberattacks on a near daily basis. “This is one that obviously slipped through,” he said.

"This really is an arms race," he said of cybersecurity. "We’re all going to continually have to update our tools and approaches to just try to stay ahead of the bad guys in this situation. That’s just unfortunately the world we're in."

Gentile said the attackers encrypted files and data behind "virtually all" of the UVM Medical Center's servers — about 1,300 in total — and deposited malware onto more than 5,000 computers and laptops.

"They do this for one single reason: it gives them persistence," he said. "It gives them the ability, if we don't respond, to come back in and do further damage."

The attack — and subsequent response — had devastating effects on the hospital.

As information technology teams, including one from the National Guard, spent weeks wiping devices, employees at the hospital adopted a paper-based system. Hundreds who could not perform their normal job duties were furloughed or reassigned. Many patients reported frustrating delays in receiving information, and weeks passed before some cancer patients were able to resume their treatments.

The hospital has spent the past three weeks restoring its digital infrastructure, and Gentile estimated that the hospital is now functioning at about 98 percent of normal. "There are some specialty-specific systems that still need to be restored," he said. "The major clinical and operating systems are up."

Officials estimated earlier this month that the total cost of the attack, accounting for increased expenses and losses in revenue, was well beyond $60 million and climbing.

Gentile said officials never considered contacting the attackers because even if the hospital received the encryption key, it would still have needed to rebuild the downed systems to ensure the malware was eliminated.

Though it took the hospital only about two hours to find the file Gentile described, UVM Medical Center officials repeatedly said they did not know whether the attack involved a form of ransomware — a point they emphasized by noting that they had not received any requests for money.

"I think the nuance there is, we did not actually have a ransom note or request," Gentile said Tuesday. "We had an indicator of how to contact the attackers. Now, we assumed the reason to contact them was to hold us at ransom. But we honestly don't know that 100 percent."