Ukrainian man pleads guilty in costly UVM Medical Center ransomware attack

By ALAN J. KEAYS

VtDigger

Published: 02-19-2024 6:12 PM

A Ukrainian man pleaded guilty last week to his role in two separate cyberattacks in the United States, including a hack at the University of Vermont Medical Center in Burlington that a top hospital official said cost the facility about $65 million.

Vyacheslav Igorevich Penchukov, 37, pleaded guilty Thursday in federal court in Nebraska to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) act offense and one count of conspiracy to commit wire fraud, according to the U.S. Department of Justice.

“Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software,” Acting Assistant Attorney General Nicole M. Argentieri stated in a press release.

The attack at the UVM Medical Center in 2020, prosecutors said, “left the medical center unable to provide many critical patient services for over two weeks, creating a risk of death or serious bodily injury to patients.”

Dr. Stephen Leffler, the hospital’s president and chief operating officer, testified before Congress last year about the October 2020 attack, estimating that it cost the hospital about $65 million.

“The extent of the attack was broad,” Leffler said, according to a Vermont Public report.

“We didn’t have internet. We didn’t have phones,” he added. “It impacted radiology imaging, laboratory results. And because the (electronic medical record) had been shut off, appropriately, we didn’t have the EMR for 28 days. We were back to paper.”

Hospital officials reported at the time that no data had been breached as a result of the attack.

VtDigger reported on how the attack was carried out, with hospital officials stating an employee took a corporate laptop on vacation and opened a personal email from their local homeowners association.

After the email was opened, cybercriminals installed malware — software intended to cause harm to computer systems — onto the laptop.

When the employee returned to work a few days later and connected to the hospital’s network, attackers were able to use that malware to launch the network-wide attack.

The hospital then reached out to the FBI.

According to prosecutors, Penchukov helped lead a conspiracy that infected computers at various locations in the United States with IcedID, or Bokbot, a sophisticated form of malware, from at least November 2018 through February 2021.

IcedID, according to prosecutors, provided malicious software, including ransomware, with access to the infected computers.

Penchukov, who prosecutors said was on the FBI’s Cyber Most Wanted List in connection with another malware attack dating back to 2009, was arrested in Switzerland in 2022 and extradited to the United States in 2023.

He is set to be sentenced on May 9 and faces a maximum penalty of 20 years in prison on each count.

In the news release, federal prosecutors estimated the cost of the UVMMC cyberattack to be “more than $30 million,” significantly less than the figure provided by Leffler.