In a New Year’s Eve apology, the LockBit ransomware gang has expressed regret for attacking Toronto’s Hospital for Sick Children and sent a free decryptor so files can be unscrambled.
According to Brett Callow, a B.C.-based threat analyst for Emsisoft, the gang posted a message on its site claiming the attack was the work of an affiliate and violated their rules.
“We formally apologize for the attack on sickkids.ca and give back the decryptor for free,” the note says. “The partner who attacked this hospital violated our rules, is blocked, and is no longer in our affiliate program.”
UPDATE: On Sunday evening (Jan. 1) SickKids issued a statement saying its third-party IT recovery advisors are assessing the decryptor. It also notes that IT restoration efforts “are progressing well … As of January 1, SickKids has already restored over 60 per cent of priority systems; restoration efforts are ongoing and progressing well. There is no evidence to date that personal information or personal health information has been impacted. SickKids has not made a ransomware payment.”
Some ransomware groups run on a ransomware-as-a-service model with so-called partners who specialize in developing — and spreading — malware for the initial compromise of a victim, leaving the ransomware developers to focus on their encryption code. The gang and the affiliate come to an agreement on splitting any payments the victims agree to make. In some models the affiliate will insert the ransomware after a compromise, and in other models the ransomware operators have the final say.
“This is not an act of compassion; it’s one of self-preservation,” Callow said in an email. “LockBit has attacked hospitals in the past, and will likely do so again. Why did they offer a free decryptor in this case? Probably because they believe an attack like this makes it harder for them to collect payment from future victims. Companies would not want to be seen to be handing money to – and so financially supporting – the type of cybercriminals who would launch an attack on a hospital for sick kids.”
In a tweet, Callow also noted it’s not the first time a ransomware group has given a victim help. In 2021 the Conti ransomware gang made a decryptor available after an attack that crippled Ireland’s Health Services Executive (HSE). However, the code was described as flawed and buggy. And in 2020 the DoppelPaymer group reportedly sent a decryptor after a German hospital was hit.
The apology to SickKids came 13 days after the internationally-recognized hospital was struck by ransomware, affecting a number of systems.
Last week, in its most recent status update, the hospital said almost half of priority systems have been successfully restored following the Dec. 18 ransomware attack. That includes many of the systems that would have contributed to diagnostic and/or treatment delays. Patients and families should still be prepared for potential delays as work continues to bring all systems back online, the hospital added.
The hospital has been asked to comment on whether the decryptor will be useful — or trusted.
According to researchers at BlackBerry, the LockBit strain is among the most active ransomware in the world. The average ransomware payment is nearly US$1 million per incident, LockBit victims pay an average ransom of approximately $85,000 — suggesting that LockBit targets small-to-medium-sized organizations.
LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits, says BlackBerry. “Second-stage” LockBit establishes control of a victim’s system, collects network information, and achieves primary goals such as stealing and encrypting data.
LockBit attacks typically employ a double extortion tactic to encourage victims to pay, says the research, first, to regain access to their encrypted files, and then to pay again to prevent their stolen data from being posted publicly. When used as a Ransomware-as-a-Service (RaaS), an Initial Access Broker (IAB) deploys first-stage malware or otherwise gains access within a target organization’s infrastructure. They then sell that access to the primary LockBit operator for second-stage exploitation.
While some threat actors claim they avoid targeting hospitals, it still happens either through carelessness or indifference. One of the biggest recent attacks was recently divulged by Lake Charles Memorial Health System in Louisiana, which said in October a hacker stole patient data. According to The Record, the personal information of nearly 270,000 current and former hospital patients was copied. According to Bleeping Computer, the Hive ransomware gang is taking credit.
In an end-of-the-year analysis of ransomware attacks in the U.S., Emsisoft said 24 American healthcare providers operating 289 hospitals were hit by ransomware in 2022. In those 24 attacks, data — including Protected Health Information (PHI) — was exfiltrated in at least 17 cases.
The most significant incident of the year was the attack on CommonSpirit Health, which operates almost 150 hospitals across the U.S.. The Emsisoft report notes the ransomware attack on CommonSpirit Health resulted in the personal data of 623,774 patients being compromised. In one of the affected hospitals, a computer system for calculating doses of medication was offline and, as a result, a 3-year-old patient was reported to have received a massive overdose of pain medicine. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals.