
LockBit apologises for ransomware attack on SickKids, releases free decryptor


The infamous LockBit ransomware gang has issued an apology for attacking the Canadian pediatric hospital SickKids and has released a free decryptor for the hospital.

SickKids, a leading Canadian pediatric hospital, suffered a ransomware attack on December 18 that compromised several internal network systems and caused long wait times for patients. Soon after identifying the security incident, the hospital called a “Code Grey – system failure”.

The hospital authorities activated the hospital’s incident management command centre and launched an investigation to understand the nature and scope of the security incident. Relevant law enforcement authorities were also informed about the incident.

While the hospital authorities continued with urgent and emergent care as well as scheduled appointments and procedures, clinical teams experienced delays in retrieving lab and imaging results, which caused longer wait times for patients and families. The usual process for sending prescriptions was also affected, and the hospital was using downtime methods.

On December 29, SickKids said that it had restored almost 50 percent of priority systems, including several systems that would have contributed to diagnostic and treatment delays.

“While system restoration is occurring quicker than originally anticipated, we do not have a timeline for when all systems will be restored and the Code Grey will be lifted. The hospital’s Information Management Technology (IMT) team as well as clinical and operational teams are manually testing and validating impacted systems before they can be fully operational,” SickKids said.

The notorious LockBit ransomware gang, which claimed responsibility for the ransomware attack on SickKids, apologised for the attack and explained that the threat actor who launched it had violated the group’s policies and was subsequently removed from its ransomware-as-a-service affiliate programme.

In a tweet, Emsisoft threat analyst Brett Callow reposted LockBit’s statement, which read as follows:

 

“We formally apologise for the attack on sickkids.ca and give back the decryptor for free. The partner who attacked this hospital violated our rules, is blocked, and is no longer in our affiliate program.”

According to the ransomware gang’s policies, affiliates need to “very carefully and selectively attack medical-related institutions such as pharmaceuticals companies, dental clinics, plastic surgeries.”

“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals, and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.”

While it’s great to see such humane action from a group of cyber criminals, LockBit does have a history of attacking healthcare organisations and not providing decryptors, demanding a ransom, and eventually leaking patients’ data. One such incident occurred in August 2022, when the LockBit ransomware gang attacked Centre Hospitalier Sud Francilien (CHSF), a major hospital in France, demanding a $10 million ransom and eventually leaking the stolen data.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543