At the University of Vermont Medical Center in October, a cyberattack knocked out 5,000 computers on the hospital’s IT network, disrupting everything from its financial systems to its radiology services and sleep studies. Patient care ground to a halt – and the outage lasted for weeks.
“We really did not anticipate the scope or the impact the attack had on our system and how far-reaching it was,” the organization’s president, Dr. Stephen Leffler, told reporters at a December news conference. Staff at the facility had been trained to handle outages of 3 to 5 days at most. What hit UVM Medical Center was far worse: “Thirty days of downtime, going across all systems, was a true challenge for our staff – it was a challenge for our patients.”
UVM Medical Center is one of many health care facilities — in the middle of a global pandemic, no less — to fall victim to ransomware, an increasingly common form of malicious software that criminals use to seize control of computers and often refuse to unlock until the victim pays a fee.
In fact, health care providers were among the most popular targets for ransomware last year, according to new research by the cybersecurity firm Emsisoft. Emsisoft’s review — which is based on public announcements, local media reports and information leaked by hackers on the web — provides the clearest picture yet of the growing threat ransomware poses to the country.
The company’s list shows that as many as 560 health care facilities, 1,681 schools and 113 government agencies at every conceivable level were held hostage by ransomware in the United States last year. The software encrypted computers and other devices so that they couldn’t be used, and in many cases, the hackers would not only lock up the data, but would also steal it.
The attackers didn’t discriminate. They struck from coast to coast, targeting victims in California, Kentucky, Nebraska, Pennsylvania and Virginia, along with many other states. Some like the University of California, San Francisco agreed to pay off their attackers, to the tune of more than $1 million, even as security experts pleaded with victims not to give in for fear of encouraging more attacks.
The epidemic of ransomware couldn’t have come at a worse time. Education and health care workers were already struggling to adapt to quarantines and lockdowns, as well as an explosion of Covid infections that threatened to break the nation’s medical system. Both sectors had also increasingly turned to technology to provide remote learning and health care, in a move that some cybersecurity experts warned early on could lead to new risks and points of failure.
As late as December, UVM Medical Center was still limping along at 70% capacity, restoring systems one by one. In a press conference posted to YouTube, Leffler said the true impact of the attack wouldn’t be known for months — but that it had already cost the medical center $1.5 million a day in lost revenue alone.
Asked for an update on the situation, UVM Medical Center spokesperson Annie Mackin told CNN Business Monday that the organization’s network has “largely recovered,” though there is “some work remaining to complete.” No personally identifiable information or patient health data was lost in the attack, she added.
In the case of victims who refuse to pay up, ransomware attackers have been known to release internal files they’ve stolen. These dumps, some of which were reviewed by both Emsisoft and CNN, have contained everything from arrest records to the financial details of city governments.
Why publish these data troves? Often, they serve as leverage for cyber criminals to extract more money from helpless targets, said Brett Callow, an Emsisoft threat analyst.
“Like any legitimate business, attacking health and education sectors has proved to be profitable,” he said. “They may also be softer targets. In the case of health care, they have unusually large attack surfaces spanning various networks and medical devices.”
In a blog post, Emsisoft said the breaches don’t just represent a momentary inconvenience. The loss of data could come back to haunt many institutions, governments and perhaps consumers for years.
“It is also entirely possible – probable, even – that data was sold to companies’ competitors or passed to other governments,” the company said. “Today’s incidents represent a risk to national security, election security, economic security and to individuals’ privacy, health and safety. It is, therefore, critical that solutions are found.”
In July, the Department of Homeland Security, along with state officials, issued a warning urging leaders in the private sector to safeguard their systems. Create offline backups of critical files, they said, and ensure all systems remain patched and up to date. Don’t allow staffers to click on what may be malicious links or attachments in emails. In September, DHS’s Cybersecurity and Infrastructure Security Agency released a 16-page official guide to ransomware, reflecting the gravity of the threat.
The following month, the Treasury Department took its boldest step yet against ransomware, warning that those who pay hacker ransoms and even those who help victims pay up – such as lawyers, insurance companies or consultants – could be held liable if the payments end up going to a country that is under US sanctions.
But despite US officials’ efforts over the course of the year to raise the alarm, incidents of ransomware continued to pile up, culminating in two attacks that grabbed national headlines: A breach affecting United Health Services, one of the nation’s biggest hospital networks, and one against Tyler Technologies, a software vendor serving many state and local governments.
The attacks came ahead of the presidential election, when some cybersecurity experts worried about the potential for ransomware to cause chaos and confusion around election results. One Georgia county acknowledged in October that its election infrastructure – including a voting precinct map and a voter signature database – had been temporarily disabled by ransomware.
“2020, without a doubt, was the worst year for every chief information officer, and it is absolutely driven by ransomware,” said Kevin Mandia, the CEO of Mandiant, a top cybersecurity firm, at a recent event held by the Aspen Institute.
As the year wound to a close, officials at UVM Medical Center expressed disbelief at the amount of damage a single attack could cause. It’s an experience that an alarming number of institutions can now say they share.
“If you’d told me [that] more than a month later, we’d still have functions that weren’t normal, I would have bet you that you’d be wrong,” Leffler said at the press conference.
Luckily, UVM Medical Center was never confronted with a monetary demand, so it never paid a ransom.
“Our IT staff did find a note, which did not request money, but included instructions to contact the criminals responsible for the attack,” said Mackin. “UVM Health Network leaders did not follow those instructions and instead contacted the FBI.”