Ransomware Attack on the University of Vermont Health Network

By Edgar Namoca on March 4, 2021

(By: Edgar Namoca on February 3, 2021)

Executive Summary

The most recent and still ongoing attack is the ransomware attack on the University of Vermont (UVM) health network. On October 28, 2020, this cyber-attack was noticed when employees of UVM medical center started to have problems with patient care applications [4]. It was initially thought that there was a problem with the applications, but after investigations, a ransom note was found, and it was clear they were victims of a ransomware attack [5]. The ransom note did not state the amount of money they wanted but instead to contact the adversaries. At no point did UVM consider contacting the attackers as it would have been a wasted effort. On November 24, 2020, seven days after the attack’s initial report, the National Guard cybersecurity unit was sent to accelerate the hospital’s recovery rate [7]. With the assistance of the national guard and other government agencies UVM was able restore 80% of the medical center’s applications and functions. Due to good protection of data use and data storage, UVM is confident that no patient personal data was stolen.

Technical

Ryuk is an additional piece of ransomware that is deployed and activated on a target that is deemed suitable for adversaries to attack. Before Ryuk is deployed and executed, the malware known as TrickBot must first be downloaded and executed on a victim’s computer. This malware will make it onto a computer through fake Microsoft documents. Attackers will embed a macro that will download and execute TrickBot on the computer upon opening the Microsoft document. Once on the computer, adversaries will have backdoor access to the computer, and they will begin pivoting through the network identifying critical infrastructure and devices. Once the adversaries have identified which computers they wish to attack, they will start downloading and executing Ryuk on said devices. When Ryuk is executed it will search for all shadow files and backups of the affected device and being to remove them. Once all backups are removed Ryuk will then begin encrypting all files on the device with (Rivest-Shamir-Adleman) RSA and AES (Advanced Encryption Standard) encryption methods. When Ryuk is finished encrypting the system, it will leave a ransom note demanding money; however, in the case of UVM, adversaries asked for an open line of communication instead.

Impact

This initial attack of this ransomware led to the loss of services to patient care applications. The loss of services was increased as their IT shut down its network to reduce the spread of the ransomware. During the attack, a total of 5,000 hospital laptops and computer were encrypted along with 1,300 servers being used by UVM [8]. To mitigate possible persistence of the malware UVM was forced to wipe all affected devices and to reinstall needed data and software. On December 8, 2020, UVM Medical Center President stated that they are losing $1.5 million per day in revenue and extra expenses. At that time, the losses totaled more than 63 million dollars. During this outage, UVM medical center had to furlough 300 employees who were unable to perform their duties because of the outage.

Importance

In the year 2020, the health and public health (HPH) sector has been the biggest target for cybercrime. On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released an alert containing information on common tools, techniques, and protocols of adversaries who are targeting the health care sector. The advisory was released after the breach of the University of Vermont (UVM) Health network and the Universal Health Services (UHS)[2]. In both cases, these two networks were victims of ransomware attacks. These ransomware attacks are only being carried out after the malware TrickBot, or BazarLoader is executed on a computer [1]. This malware was created and maintained by the advanced persistent threat group (APT) UNC1878 [3].

Conclusion

In summary, the HPH sector has become the number one target for adversaries. With the COVID-19 pandemic forcing more people to work at home, causing the industry’s attack surface to increase rapidly. With the increase of attack surface, it is essential to reassess the vulnerability of our critical infrastructure. We as security experts should be addressing what activities can be carried out and performed outside of the companies private network and only letting employees access what is critical to operations. It is true that following NIST and HIPPA guidelines and rules that these hospitals were able to protect the data of their patients; however, while dealing with the attack, patient care was brought to a halt and slowed, possibly denying patients of vital care. Doing things such as shutting down your network and computers to prevent further spread is not the best approach to mitigating these issues. Going into 2021, we should focus on creating better and updated cyber threat response plans to resolve better any problems that a cyber-attack may cause to reduce response time and the decision-making process.

Resources

[1] https://us-cert.cisa.gov/ncas/alerts/aa20-302a

[2] https://blog.checkpoint.com/2021/01/05/attacks-targeting-healthcare-organizations-spike-globally-as-covid-19-cases-rise-again/

[3] https://heimdalsecurity.com/blog/ryuk-ransomware/#:~:text=According%20to%20various%20cybersecurity%20researchers,the%20criminal%20mastermind%20behind%20TrickBot.

[4] https://www.burlingtonfreepress.com/story/news/2020/12/22/cyberattack-uvm-medical-center-likely-ransomware/4012863001/

[5] https://www.beckershospitalreview.com/cybersecurity/the-5-most-significant-cyberattacks-in-healthcare-for-2020.html

[6] https://www.beckershospitalreview.com/cybersecurity/national-guard-cybersecurity-team-deployed-to-uvm-health-4-details.html?utm_campaign=bhr&utm_source=website&utm_content=related

[7] https://governor.vermont.gov/press-release/vermont-army-national-guard-cyber-response-team-support-uvm-health-network-response
[8] https://www.beckershospitalreview.com/cybersecurity/inside-uvm-medical-center-s-ransomware-attack-11-details.html