Ukrainian man pleads guilty in cyberattack that temporarily disrupted major Vermont hospital

LINCOLN, Neb. (AP) —

A Ukrainian man has pleaded guilty to involvement in two separate malware schemes including a cyberattack at the University of Vermont Medical Center in 2020 that temporarily shut down some of its vital services and cost it tens of millions of dollars, according to the U.S. Department of Justice.

Vyacheslav Igorevich Penchukov, also known as Vyacheslav Igoravich Andreev, 37, pleaded guilty Thursday in federal court in Nebraska to one count of conspiracy to break U.S. anti-racketeering law and one count of conspiracy to commit wire fraud.

Records in the case are sealed, so the name of Penchukov’s lawyer was not immediately known Friday.

READ MORE Venezuela bribery witness gets light sentence in wake of Biden’s pardoning of Maduro ally Pennsylvania high court takes up challenge to the state’s life-without-parole sentences Louisiana governor declares state of emergency due to police shortage

Penchukov was accused of helping lead a racketeering enterprise and conspiracy that infected thousands of business computers with malicious software starting in May 2009, and later leading a conspiracy that infected computers with new malware from at least November 2018 through February 2021, according to federal prosecutors.

That allowed other suspicious software, like ransonware, to access infected computers, which is what happened at the University of Vermont Medical Center in October 2020, the Justice Department said.

A hospital official said in 2021 that the attack cost it an estimated $50 million, mostly in lost revenue, while the Department of Justice pegged the losses at $30 million.

The attack “left the medical center unable to provide many critical patient services for over two weeks, creating a risk of death or serious bodily injury to patients,” the Justice Department said in a statement.

According to prosecutors, the cybercriminals also used malicious software to get account details, passwords, personal identification numbers and other information needed to log into online banking accounts.

They then falsely represented to banks that they were employees of the victims and authorized transfers from the accounts, resulting in millions of dollars in losses, the U.S. Department of Justice said.

Penchukov was a fugitive on the FBI’s cyber most-wanted list before he was arrested in Switzerland in 2022 and extradicted to the United States the following year.

He faces up to 20 years in prison on each count when he sentenced May 9.