LockBit ransomware gang gives SickKids hospital free decryptor

The LockBit ransomware gang, a Ransomware-as-a-Service operation, provided a free decryptor to the Hospital for Sick Children (SickKids) located in Toronto, Ontario, Canada. An affiliate of the ransomware operation “violated rules” by attacking the healthcare operation, and LockBit issued a public statement and free decryptor to the SickKids hospital in response.

The SickKids hospital suffered a ransomware attack on December 18 that impacted its internal and corporate systems and phone lines, and caused delays in lab and imaging results. It also resulted in longer patient wait times.

By December 29, SickKids announced that it had restored 50% of its priority systems, including those causing the aforementioned delays in diagnostics and treatment.

LockBit issues free ransomware decryptor to SickKids Hospital

As reported by BleepingComputer and threat intelligence researcher Dominic Alvieri, two days after the latest update from SickKids, the LockBit ransomware gang apologized for the attack. They then issued a free decryptor for the ransomware attack.

“We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” stated LockBit.

Ransomware-as-a-Service is an increasingly common practice, as it allows ransomware creators to essentially license out their ransomware to other cybercriminal gangs. The ransomware creators retain 20% of all ransom payments, while the remaining 80% goes to the affiliate, per BleepingComputer.

But LockBit has some red lines, and attacking medical institutions where attacks could lead to death is one of them.

“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” says LockBit.

However, stealing data from any medical institution is permitted according to their policies.

The Federal Bureau of Investigation provided LockBit ransomware technical details and defense tips back in February of 2022.

LockBit has been in operation since September 2019 according to the FBI.

It’s unknown why there was a significant delay before LockBit provided the decryptor to the SickKids hospital.
