The LockBit ransomware-as-a-service operation said it is against its rules to attack medical institutions, but the ransomware gang's affiliates do not always adhere to this policy. Credit: iStock LockBit, a prominent ransomware-as-a-service (RaaS) operation, has apologized for an attack on the Toronto-based Hospital for Sick Children, also known as SickKids, and offered a free decryptor. SickKids, a major pediatric teaching hospital, announced on December 19 that it had called a Code Grey system failure, as it was responding to a cybersecurity incident that was affecting several network systems at the hospital.The incident impacted some internal clinical and corporate systems, as well as hospital phone lines and web pages. On December 29, SickKids said that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays. On December 31, however, LockBit issued a statement apologizing for the attack and offering a free decryptor for the ransomware used in the operation. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” according to the statement, which was first noted by security researcher Dominic Alvieri. The file appears to be a Linux/VMware ESXi decryptor, according to Bleeping Computer. The LockBit creators rent out their ransomware to third parties called affiliates, and control the program’s encryptors and data-leak websites. The ransomware is used by affiliates to breach networks, and steal or encrypt data, for a cut of up to 75% of the money paid by victims as ransom. LockBit says it will not attack hospitals The group, though, has a policy against targeting organizations operating in the healthcare, education, charity and social services sectors, according to a 2021 public interview with an alleged LockBit gang member.Meanwhile, SickKids has confirmed that it is aware of the statement issued by the ransomware group and the offer of a decryptor. “We have engaged our third-party experts to validate and assess the use of the decryptor,” the hospital said on January 1.By then, SickKids said, it had already restored over 60% of priority systems, and restoration efforts were ongoing and progressing well. There was no evidence that personal information or personal health information has been impacted, and SickKids had not made a ransomware payment, the hospital said.LockBit affiliates have not always adhered to its policy against targeting hospitals. For example, in August last year, LockBit was used against the Center Hospitalier Sud Francilien (CHSF) and a $10 million ransom was demanded. The patient data was subsequently leaked after the hospital refused to pay. Otherwise, LockBit has emerged as the top ransomware gang, with version 3.0 of its ransomware becoming the leading ransomware strain in the third quarter of 2022.Its activities continue. On December 25, The Port of Lisbon was targeted by LockBit, though the port said no operational activity was compromised. LockBit has already published a ransom note demanding $1.5 million on its official site within the Tor darknet. The ransom note needs to be paid by January 18, the gang said. Related content news NIST publishes new guides on AI risk for developers and CISOs Companion publications to NIST’s AI Risk Management Framework explore a long worry list in more detail and are likely to become essential reading for security professionals. By John Dunn May 01, 2024 4 mins Regulation Government Security Practices news analysis 5 key takeways from Verizon's 2024 Data Breach Investigations Report The rapid of exploitation of zero-day vulnerabilities, such as MOVEit, and the effectiveness of ransomware attacks are two of the major findings from last year’s breach data. By Rosalyn Page May 01, 2024 5 mins Data Breach Zero-day vulnerability Data and Information Security feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff May 01, 2024 15 mins Technology Industry IT Skills Events feature 3 Windows vulnerabilities that may not be worth patching Some vulnerabilities eat up a security team’s time and resources yet provide little or nothing in the way of true protection. Some may even introduce more risk to a network. By Susan Bradley May 01, 2024 7 mins Windows Security Patch Management Software Security Practices PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe