Ransomware downed UVM Medical Center systems, but no payment made - VTDigger

University of Vermont Medical Center’s IT chief revealed Tuesday that it was a ransomware attack that downed the hospital’s online systems in October.

The attackers left a link in a single folder on a network computer to contact the hackers. It presumably led to a ransom request — but hospital officials never opened the link to check.

“We considered it for about five seconds,” said Doug Gentile, senior VP of network information technology. Ultimately, contacting the hackers or paying a ransom wouldn’t have saved time or effort, Gentile and hospital leaders concluded.


Gentile’s reconstruction provided the first glimpse into the cause of the cyberattack, which crippled Vermont’s largest hospital for weeks. In the nearly two months following the hack, hospital officials have remained tight-lipped about the perpetrators and methods of the attack, citing an ongoing investigation by the Federal Bureau of Investigation.

While other hospitals attributed attacks around the same period to Russian-speaking attackers using Ryuk malware, the UVM Medical Center president and CEO, Steve Leffler, has kept quiet.

“I’m not aware of a ransom request,” he said last month.

Gentile refused to say who was responsible for the hacks or whether they were associated with foreign groups, citing the ongoing investigation. He also wouldn’t say how the attackers got into the system. The remaining applications will be restored by early January, he said.

When hospital IT staff realized their system had been breached on Oct. 28, they shut down the internet and Epic health records system to prevent further infiltration. The hackers encrypted the information on 1,300 servers, making the information on them impossible to access.

The attack downed the phone system, cut off access to staff emails and medical records, and slowed the hospital’s ability to provide radiation treatment and run scans.

Within hours, hospital staff conducted a scan of the system and found a folder with a link to a website with instructions to contact the attackers. Ultimately, they never went to the site to get the message, and never had direct communication with the attackers, Gentile said.

If the hospital had paid a ransom, it wouldn’t have helped much; hackers could have unencrypted the data, but the medical center still would have had to clean and restore the computers to be sure the malware was no longer present.

“It wasn’t going to save us any time,” Gentile said.

Instead, the hospital brought on Cisco Talos, an IT security company that the medical center keeps on retainer. It also reached out to law enforcement agencies to help with analysis and recovery, including the FBI. Gov. Phil Scott deployed a unit of the Vermont National Guard to help out.

The team wiped the servers clean and rebuilt them, and wiped and reimaged 5,000 laptops and computers.

“For an organization of our size, that is just a huge undertaking,” Gentile said.

The shutdown postponed appointments, and led to scheduling mishaps. Some patients’ chemotherapy and radiation treatments were delayed. For others, it took weeks to find out whether cancer biopsies were malignant. Others went to Northwestern Medical Center in St. Albans or Dartmouth-Hitchcock Medical Center in Lebanon, N.H., for treatment.

In the weeks after the incident, UVM Medical Center furloughed and reassigned more than 300 employees. The attack and subsequent recovery likely cost the hospital about $1.5 million a day in lost revenue and expenses, Leffler said earlier this month.

By now, the hospital’s IT team has restored about 80% of the applications, including the patient portal and all the electronic medical records system, Gentile said.

There were bright spots, the IT chief noted. Hospital staff noticed the attack early, and it had minimal effect on the affiliate hospitals, including Central Vermont Medical Center in Berlin and Porter Community Hospital in Middlebury. It also didn’t breach any of the medical center’s applications, Gentile said. There’s no evidence that patient or employee data was stolen or leaked.

The hospital will continue to improve its security systems, Gentile said, though he predicted the attacks would only continue.

“It’s become clear that this really is an arms race,” he said. “We’re all going to continually have to update our tools, our approaches, just try and stay ahead of the bad guys in a situation.”