UVM Cyberattack Update

November 4, 2020


Note: Green Mountain IT Solutions does not provide services to UVM Medical Center and has no affiliation with the hospital.

Last week, I broke the story on the ongoing cyberattack at UVM Medical Center. This week, there are still more questions than answers.

In fact, the lack of information is becoming the defining feature of this event. So far, UVM officials have not confirmed whether the attack was a ransomware event, nor have they announced whether the perpetrators are thought to be linked to the so-called UNC1878 group, a.k.a. “Wizard Spider”, believed to be behind recent attacks at hospitals around the country.

Then there’s the length of time that systems have been down. As of Tuesday, November 3, it appears that the majority of hospital computer systems remained non-operational, with staff resorting to paper systems. That means it’s been nearly a week that systems have been down. Typically, the cyber-security strategy at a large organization like UVM would include a well-tested Incident Response Plan with a target restoration time of a few days, at most.

Clearly, things are very bad at UVM. But that’s really all we know for now.

So, what can we expect to learn in the coming days? No one can say for sure, but I’ve never let that stop me from wild speculation before! Here are a few conjectures:

  • Guess #1: The attack will indeed turn out to be ransomware, probably launched by the UNC1878 group. It would be very coincidental for UVM to experience a devastating cyberattack at the same time as the other hospitals and it NOT be related.
  • Guess #2: Hospital officials are keeping quiet because their legal team, investigators, or both told them to. Again, it’s unusual just how little information has been released by UVM compared to other affected hospitals. I wonder if they’ve lost and/or exposed patient records and have been advised by counsel to keep their mouths sealed. It’s also possible that the FBI, who is investigating the case, has instructed personnel not to share details publicly, possibly to avoid giving potentially useful information to the attackers.
  • Guess #3: Restoration is not going according to plan. So far, UVM IT staff seem to have made little progress in restoring systems. It’s possible that they are proceeding very deliberately in order to gather evidence and/or ensure that the threat is completely removed from the network, but you’d think that with people’s health on the line they’d have at least some systems back online. This makes me wonder if backups were lost, corrupted, or didn’t exist at all.

I’m sure we’ll find out what’s really going on eventually, but at this point I’m not holding my breath.
