“We really did not anticipate the scope or the impact the attack had on our system and how far-reaching it was,” the organization’s president, Dr. Stephen Leffler, told reporters at a December news conference. Staff at the facility had been trained to handle outages of 3 to 5 days at most. What hit UVM Medical Center was far worse: “Thirty days of downtime, going across all systems, was a true challenge for our staff — it was a challenge for our patients.”
UVM Medical Center is one of many health care facilities — in the middle of a global pandemic, no less — to fall victim to ransomware, an increasingly common form of malicious software that criminals use to seize control of computers, which they often refuse to unlock until the victim pays a fee.
The company’s list shows that as many as 560 health care facilities, 1,681 schools and 113 government agencies at every conceivable level were held hostage by ransomware in the United States last year. The software encrypted computers and other devices so that they couldn’t be used, and in many cases, the hackers would not only lock up the data, but would also steal it.
Asked for an update on the situation, UVM Medical Center spokesperson Annie Mackin told CNN Business Monday that the organization’s network has “largely recovered,” though there is “some work remaining to complete.” No personally identifiable information or patient health data was lost in the attack, she added.
In the case of victims who refuse to pay up, ransomware attackers have been known to release internal files they’ve stolen. These dumps, some of which were reviewed by both Emsisoft and CNN, have contained everything from arrest records to the financial details of city governments.
Why publish these data troves? Often, they serve as leverage for cyber criminals to extract more money from helpless targets, said Brett Callow, an Emsisoft threat analyst.
“Like any legitimate business, attacking health and education sectors has proved to be profitable,” he said. “They may also be softer targets. In the case of health care, they have unusually large attack surfaces spanning various networks and medical devices.”
In a blog post, Emsisoft said the breaches don’t just represent a momentary inconvenience. The loss of data could come back to haunt many institutions, governments and perhaps consumers for years.
“It is also entirely possible — probable, even — that data was sold to companies’ competitors or passed to other governments,” the company said. “Today’s incidents represent a risk to national security, election security, economic security and to individuals’ privacy, health and safety. It is, therefore, critical that solutions are found.”
The following month, the Treasury Department took its boldest step yet against ransomware, warning that those who pay hacker ransoms and even those who help victims pay up — such as lawyers, insurance companies or consultants — could be held liable if the payments end up going to a country that is under US sanctions.
But despite US officials’ efforts over the course of the year to raise the alarm, incidents of ransomware continued to pile up, culminating in two attacks that grabbed national headlines: A breach affecting United Health Services, one of the nation’s biggest hospital networks, and one against Tyler Technologies, a software vendor serving many state and local governments.
“2020, without a doubt, was the worst year for every chief information officer, and it is absolutely driven by ransomware,” said Kevin Mandia, the CEO of Mandiant, a top cybersecurity firm, at a recent event held by the Aspen Institute.
As the year wound to a close, officials at UVM Medical Center expressed disbelief at the amount of damage a single attack could cause. It’s an experience that an alarming number of institutions can now say they share.
“If you’d told me [that] more than a month later, we’d still have functions that weren’t normal, I would have bet you that you’d be wrong,” Leffler said at the press conference.
Luckily, UVM Medical Center was never confronted with a monetary demand, so it never paid a ransom.
“Our IT staff did find a note, which did not request money, but included instructions to contact the criminals responsible for the attack,” said Mackin. “UVM Health Network leaders did not follow those instructions and instead contacted the FBI.”