Email Security Blog

Phishing Attack Leads to Major Outage at Vermont Hospital

In this season of our discontent, the phishers are out in force, trying to pry open any and every target soft enough to yield. The people cry out, “Why the weakest, most vulnerable, the most selfless, those just trying to help others, the most distracted and hurried, the most understaffed, the least alert to the coming attack, the least able to recover, and, above all, with the most urgent need for their systems?” And the hard answer, my friends, is simply because of all that rather than in spite of it. The phishers aren’t deterred by sympathy; they encouraged by opportunity.

And so it was with the University of Vermont Medical Center, an institution just trying to do the right thing by its patients when it was phished in late October. A single entry into the network, effected by way of a poisoned email, allowed cyberattackers to bring the hospital to its knees by locking the electronic medical record system, as if for ransom, but without the ransom note. The attackers encrypted the hospital’s hard drives, but didn't offer a way out (i.e., the key). A consequence, reported in the New York Times story, was that the staff had to send away (hundreds) of its cancer, heart, and other patients while it scrambled to restore electronic records from handwritten notes and faxes. Everyone's treatment protocol was thrown off. It took a month to restore the systems, and they’re still not entirely back up.

These hackers were apparently Russian operatives retaliating for a U.S. takedown of one of their server farms, TrickBot, which had been the source of numerous ransomware attacks. They were hitting soft targets because they wanted to inflict pain. And Vermont is only one of the 400 hospitals named on an intercepted list of the hackers’ targets.

The Times story goes over in detail the consequences of the attack, what it was like on the ground, how the staff recovered, how the patients reacted. But details about how the attack itself was done were scarce. I emailed one of the writers, who kindly wrote back right away and confirmed that a staff member opening a phishing email is what allowed the attackers to gain access to the whole network. It seems significant that perhaps the single most important event, the moment of breach, didn’t even make it into the story.

Why it is that people don’t take the method of attack seriously is baffling. If you wanted to understand how a house got robbed, you would map out the heist. Analysis would indicate that first the crooks used a crowbar on a weak second-story window latch, then they let themselves in, and, now having the run of the place, pretty much helped themselves to whatever they wanted.

The same is true on many of the most devastating ransomware attacks. It starts with a phish, and once the bad guys are inside via the harvested credentials of that weak email account, they help themselves to whatever is at hand or lock it all down with encryption and ask for money.

Secure email gateways (SEGs) like Barracuda, Cisco, Mimecast, and Proofpoint catch 90% of all phishing emails, which sounds pretty good until your realize that only a single one needs to get through. The best crafted attempts are the hardest to detect. So, even catching 99% isn’t enough, since the most devastating one is going to be in that 1% or even in the last 0.1%.

That’s why all these organizations need to layer INKY Phish Fence on top of their SEG. INKY is designed to ferret out the phish, whatever form they take. Given the huge downside of such an attack, INKY is short money for great value. INKY-as-insurance should be an obvious move for any organization that delivers critical services to the public. Not just hospitals, but school systems, government offices, banks, transportation hubs, and factories can benefit from a filter like INKY that catches all the phish.

Would you like to learn more? Contact INKY and schedule a free demonstration today.


INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.