LockBit ransomware group 'apologizes' for children's hospital cyberattack

In a statement about its attack on Toronto-based SickKids, the cybercrime affiliate also offered a decryptor. Healthcare cybersecurity experts question whether the move was ethically motivated, or meant to enhance LockBit's recruitment image.
By Andrea Fox
09:55 AM

Photo: "Data Security," Visual Content/Flickr, licensed under CC BY 2.0

The Hospital for Sick Children announced on New Year's Day that it was aware of a statement issued by a ransomware group with an apology and an offer of a free decryptor to restore systems impacted by ransomware.

WHY IT MATTERS

On December 18, 2022, SickKids was hit with ransomware and operations went to "Code Grey," according to an announcement on the hospital's website. 

"Clinical teams are currently experiencing delays with retrieving lab and imaging results, which may cause longer wait times for patients and families," the hospital said on December 22.

Other affected systems included employee timekeeping and pharmacy submissions. 

On December 29, the Toronto hospital announced that nearly half of the affected systems had been restored.

According to Globalnews.ca, the LockBit ransomware group, which provides affiliates access to malware for a cut of the ransom profits, then issued an apology on the dark web on the last day of the year, which was later posted to Twitter.

In the statement, the ransomware organization allegedly blamed a partner and offered a free decryptor for the hospital to unlock its data.

Even with a ransomware group's decryptor, healthcare organizations only recover on average about two-thirds of their files, said Chester Wisniewski, a Vancouver-based principal research scientist with Sophos, according to the news report.

Affiliates have a tendency to scramble data, he said.

The purpose of LockBit's now-viral statement could be to discourage other affiliates, who might see attacking a children's hospital as an overstep, from defecting to another ransomware group, Wisniewski added.

SickKids posted an additional statement to its website that it was aware of the group's apology and is analyzing the decryptor. The hospital also said it did not make a ransom payment, and that there is no evidence to date that personal information or personal health information has been impacted. 

Brett Callow, a threat analyst with anti-malware company Emsisoft, told the Canadian newsgroup that there is still the question of whether the allegedly cut-off LockBit affiliate partner still has the hospital's data.

A spokesman from the Communications Security Establishment noted in the story that more than 400 healthcare organizations in Canada and the United States have experienced a ransomware attack since March 2020.

THE LARGER TREND

In 2021, the Health Sector Cybersecurity Coordination Center released a 31-page briefing on LockBit, its launch of the LockBit 2.0 affiliate program and its recruiting efforts for its ransomware-as-a-service program.

"The only thing you have to do is to get access to the core server, while LockBit 2.0 will do all the rest," according to LockBit's documentation that HC3 had obtained.

Through an interview with a LockBit ransomware operator, the cybersecurity arm of the U.S. Department of Health and Human Services indicated that the cyber gang has a measure of ethics. 

It won't operate in certain states like Belarus and Russia for having "a contradictory code of ethics," and may have disdain for those who attack healthcare entities, said HC3.

However, "While threat actors may state publicly that their personal ethics influence their target selection, many adversaries go after the easiest victims regardless of any moral obligation, based on our experience," according to the briefing.

Healthcare cybersecurity experts encourage the industry to fight cybercrime-as-a-service with security collaboration because lives – like those at SickKids – suffer the diversions of care that inevitably follow ransomware attacks. 

ON THE RECORD

"These attacks can sometimes originate much closer to home than we realize," Callow told Canadian news. 

"We think the attacks are coming in from Russia or Commonwealth of Independent States countries, whereas in some cases they could be originating from within our own border," he said, noting that LockBit malware was connected to recent ransomware attacks on two small municipal governments – St. Mary’s, Ontario, and Westmount, Quebec.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.
