One of the world’s most notorious ransomware gangs has issued a rare apology after claiming that one of its partners was responsible for a cyberattack on Canada’s largest pediatric hospital. On December 18th, the Hospital for Sick Children (SickKids) in Toronto fell victim to a ransomware attack that left the institution unable to access many of its critical systems. The incident led to an increase in patient wait times. As of December 29th, SickKids said it had regained access to almost 50 percent of its priority systems, including those that had caused diagnostic and treatment delays.
SickKids is aware of a statement from a ransomware group offering a decryptor to restore systems impacted by the cybersecurity incident on December 18. Read more: https://t.co/clU1IqK7Qhpic.twitter.com/H9S4ERgih7
— SickKids_TheHospital (@SickKidsNews) January 1, 2023
Over the weekend, security researcher Dominic Alvieri spotted an apology from the LockBit gang for its involvement in the incident. The group said it would provide a free decryptor to SickKids and that it had blocked the “partner” who carried out the attack for violating the gang’s rules. As BleepingComputer notes, the LockBit group runs what’s known as a “ransomware-as-a-service” operation. The organization has affiliates that do the dirty work of finding targets to compromise and extract payment from, while the primary operation maintains the malware that partners use to lock systems. As part of that arrangement, the gang takes a 20 percent cut of all ransom payments. Additionally, the group claims to prohibit affiliates from targeting “medical institutions” where an attack could lead to someone’s death.
On Sunday, SickKids acknowledged the statement and said it was working with outside security experts to “validate and assess the use of the decryptor,” adding that it had not made any ransom payments. The hospital also said it recently restored access to about 60 percent of its priority system. It’s unclear why it took the LockBit gang nearly two weeks to offer help to SickKids if the attack was against its code. It’s also worth noting that the group has a history of targeting hospitals and not sending them a decryptor. Earlier this year, for instance, the group demanded a $1 million ransom from the Center Hospitalier Sud Francilien in France and eventually leaked patient data after the hospital refused to pay.