Timing of UVM Medical Center patient portal shutdown linked to costly “Ryuk” ransomware attacks
by Guy Page
October 29, 2020 – The U.S. government yesterday issued an alert about ransomware attacks on hospitals, the same day the UVM Medical Center lost access to its patient care portal due to possible malicious cyber-activity.
“Malicious cyber actors are targeting the HPH (Healthcare/Public Health) Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services,” the FBI alert says. “These issues will be particularly challenging for organizations within the COVID-19 pandemic.”
Federal agencies “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” and “are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” the alert said.
The alert named Ryuk ransomware as a likely culprit. A Russian crime organization operates Ryuk ransomware, according to http://www.crowdstrike.org and other threat-intelligence blogs. Ransomware is malicious software that prevents the victim from using its computers until a ransom is paid. Ryuk ransomware operators reportedly extracted an estimated $61 million in 2019 from hospitals, companies and local governments.
UVM Medical Center has not yet blamed its computer problems on ransomware. Here’s what UVMMC said in a statement issued today:
1. It’s a serious problem. “The University of Vermont Health Network has experienced a significant and ongoing system-wide network issue.”
The most significant impact mentioned in the statement is “Rescheduling some elective procedures scheduled for Thursday, 10/29, with the hope of resuming procedures on Friday, 10/30 … Access to the MyChart Patient Portal is currently unavailable.”
According to the UVMMC website, “MyChart is the online patient portal associated with Epic, the electronic health record (EHR) used by the UVM Medical Center and the UVM Health Network. An EHR is a real-time, digital version of a patient’s medical record and can be viewed and managed by authorized health providers. EHRs have patient portals that give patients 24/7 online access to their personal health information from anywhere with an Internet connection.”
2. Cyberattack might be the cause. “The Network is investigating all possible causes, including a malicious cyberattack.”
3. They don’t know when the problem will be solved. “We do not currently have a timeline for when systems will be restored.”
Even once the ransom is paid, recovery can be a long process, suggested Jon Lynch, a Colchester software engineer who worked for an electronic health records company for seven years. “Recovering from this will involve far more than just paying the ransom and strengthening security. Every laptop, desktop computer, server, tablet, phone or any other programmable device that has been on the UVMMC network must now be considered compromised and should be completely re-installed from scratch. The ransomware is generally undetectable, and a single infestation on one device will quickly re-infect every machine on the network.”
More information about the ransomware may be found in the joint alert from the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and HHS headlined “Ransomware Activity Targeting the Healthcare and Public Health Sector.” It states:
“Since 2016, the cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk. In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations.”
According to crowdstrike.org, “WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as ‘big game hunting,’ signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware that had focused primarily on wire fraud in the past.”
“Historically, ransomware demands are based on the value of the data stolen,” Lynch said. “A small town in Florida (Lake City) in 2019 paid $500k to re-gain access to its town records. If all of UVM patient data has been compromised, the total demand is likely to be millions or tens of millions of dollars. If the hijacker has also encrypted all recent backups, it could be much larger, since there would be no alternative to recover patient charts and billing data.”
MyChart is the second user portal to be in the news this month regarding cyberthreats. As reported in Vermont Daily, the Vermont Secretary of State made changes to security for its My Voter Page after Lynch identified the ease with which “bots” could extract personal information such as date of birth, email address, drivers’ license, name and address, and at least part of the social security number for every registered voter in Vermont.