The leader of two well-known malware groups pled guilty this month to leading a ransomware attack on the University of Vermont Medical Center that cost the provider $65 million alone and left it unable to provide many critical care services for over two weeks.

Vyacheslav Igorevich Penchukov, who was arrested in Switzerland in 2022 and extradited to the U.S. in 2023, was charged in the Eastern District of North Carolina with one count of conspiracy to commit wire fraud for his role as leader of the IcedID malware group.

The malware group attacked the University of Vermont Medical Center in October 2020, using IcedID to steal personal information from individuals and provide other forms of malicious software, including ransomware, access to infected computers.

"We didn't have internet. We didn't have phones. It impacted radiology imaging, laboratory results. And because the [electronic medical record] had been shut off, appropriately, we didn't have the EMR for 28 days. We were back to paper,” UVM Medical Center president Dr. Stephen Leffler told local news outlet Vermont Public.

The shutdown of medical services risked death or serious bodily injury to patients, according to Leffler. He said that while shutting down the systems protected hospital and patient information, the cyberattack was "much harder than the pandemic by far."

The group used IcedID between at least November 2018 and February 2021 to steal information, including bank account credentials. But this was not Penchukov’s first cyber offense. He previously led a racketeering enterprise and conspiracy that infected thousands of business computers in May 2009 with Zeus, a malicious software that steals bank account information, passwords, personal identification numbers, and other data for logging into online bank accounts.

He and his co-conspirators then falsely represented themselves to banks as employees of their victims and that they were authorized to transfer funds from the victims’ bank accounts, resulting in millions of dollars in losses. They also relied on U.S. residents as money mules to receive wired funds from victims’ bank accounts into their own and then withdraw and wire the money overseas to accounts controlled by Penchukov’s co-conspirators.

Penchukov pleaded guilty to one count of conspiracy to commit a Racketeer-Influenced and Corrupt Organizations (RICO) Act offense for his role as leader in the Zeus enterprise. For these offenses, he was charged in the District of Nebraska and added to the FBI’s Cyber Most Wanted List.

“Before his arrest and extradition to the United States, the defendant was a fugitive on the FBI’s most wanted list for nearly a decade. Today’s guilty pleas should serve as a clear warning: the Justice Department will never stop in its pursuit of cybercriminals,” said Acting Assistant Attorney General Nicole Argentieri of the Justice Department’s Criminal Division, in a statement.

Penchukov is due to be sentenced on May 9 and faces a maximum penalty of 20 years in prison for each count against him.

The FBI Omaha and Charlotte Field Offices are investigating the case.

Cyber Security Homepage