LockBit apologizes for ransomware attack on hospital, offers decryptor

LockBit, a prominent ransomware-as-a-service (RaaS) operation, has apologized for an attack on the Toronto-based Hospital for Sick Children, also known as SickKids, and offered a free decryptor. 

SickKids, a major pediatric teaching hospital, announced on December 19 that it had called a Code Grey system failure, as it was responding to a cybersecurity incident that was affecting several network systems at the hospital.

The incident impacted some internal clinical and corporate systems, as well as hospital phone lines and web pages. On December 29, SickKids said that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays.

On December 31, however, LockBit issued a statement apologizing for the attack and offering a free decryptor for the ransomware used in the operation. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” according to the statement, which was first noted by security researcher Dominic Alvieri. 

The file appears to be a Linux/VMware ESXi decryptor, according to Bleeping Computer. 

The LockBit creators rent out their ransomware to third parties called affiliates, and control the program’s encryptors and data-leak websites. The ransomware is used by affiliates to breach networks, and steal or encrypt data, for a cut of up to 75% of the money paid by victims as ransom.

LockBit says it will not attack hospitals 

The group, though, has a policy against targeting organizations operating in the healthcare, education, charity and social services sectors, according to a 2021 public interview with an alleged LockBit gang member.

Meanwhile, SickKids has confirmed that it is aware of the statement issued by the  ransomware group and the offer of a decryptor. “We have engaged our third-party experts to validate and assess the use of the decryptor,” the hospital said on January 1.

By then, SickKids said, it had already restored over 60% of priority systems, and  restoration efforts were ongoing and progressing well. There was no evidence that personal information or personal health information has been impacted, and SickKids had not made a ransomware payment, the hospital said.

LockBit affiliates have not always adhered to its policy against targeting hospitals. For example, in August last year,  LockBit was used against the Center Hospitalier Sud Francilien (CHSF) and a $10 million ransom was demanded. The patient data was subsequently leaked after the hospital refused to pay. 

Otherwise, LockBit has emerged as the top ransomware gang, with version 3.0 of its ransomware becoming the leading ransomware strain in the third quarter of 2022.

Its activities continue. On December 25, The Port of Lisbon was targeted by LockBit, though the port said no operational activity was compromised. LockBit has already published a ransom note demanding $1.5 million on its official site within the Tor darknet. The ransom note needs to be paid by January 18, the gang said.