The Hospital for Sick Children (SickKids) has received a free decryptor from the LockBit ransomware gang after one of its members allegedly broke the law by attacking the hospital. SickKids is a Toronto-based teaching and research hospital that specializes in treating unwell children.
The hospital suffered a ransomware attack on December 18 that affected internal and corporate systems, hospital phone lines, and the website. Even though only a few systems were encrypted, SickKids said that the incident lengthened patients’ wait times and delayed the delivery of lab and imaging results. SickKids said on December 29 that it had restored 50 percent of its priority systems, including those whose outage was delaying diagnoses or treatments.
Two days after SickKids’ most recent announcement, the LockBit ransomware group apologized for the attack on the hospital and provided a free decryptor, as first observed by threat intelligence expert Dominic Alvieri.
“We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” said the ransomware organization.
The decryptor file has been confirmed to be freely accessible, and it presents itself as a Linux/VMware ESXi decryptor. The lack of an additional Windows decryptor suggests that the attacker was limited to encrypting virtual machines connected to the hospital’s network. The LockBit operation functions as a Ransomware-as-a-Service, in which the operators maintain the encryption tools and websites while the operation’s affiliates, or members, infiltrate victims’ networks, steal data, and encrypt devices.
Under this arrangement, the affiliate receives the majority of each ransom payment, with the LockBit operators keeping about 20%. The ransomware operation permits its affiliates to encrypt dental offices, plastic surgery practices, and pharmaceutical firms but forbids them from encrypting “medical institutions” where attacks may result in fatalities.
“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” according to the ransomware operation’s policies.
The rules allow data to be stolen from any medical institution. The hospital’s equipment was allegedly taken out of service after being encrypted by one of the ransomware group’s affiliates, and a decryptor was made available without charge. However, this does not explain why, given the impact on patient care and SickKids’ efforts to resume operations after the 18th, LockBit did not offer a decryptor earlier.
As seen in its cyberattack on France’s Centre Hospitalier Sud Francilien (CHSF), where a $10 million ransom was sought and patient data was disclosed, LockBit has a history of encrypting hospitals and failing to provide decryptors. Due to the attack on the French hospital, patients were transferred to other hospitals and procedures were delayed, putting them at serious risk.
The media had contacted LockBit to ask why it was demanding a ransom from CHSF, but never received a reply. This isn’t the first time a ransomware group has given a healthcare organization a free decryptor. In May 2021, the Conti ransomware operation gave a free decryptor to Ireland’s national health agency, the HSE, following rising pressure from international law enforcement.