LockBit ransomware group releases decryptor after attacking SickKids hospital

SickKids children's hospital suffers a ransomware attack

Children's Hospital in Toronto attacked by LockBit ransomware

SickKids hospital, also known as The Hospital for Sick Children, is a children's hospital located in Toronto, Ontario, Canada. It is a major teaching hospital affiliated with the University of Toronto and is recognized as a leader in the field of paediatric healthcare. The hospital is known for its research and innovative treatments, and it provides care for a wide range of medical conditions affecting children and adolescents.

However, Toronto's Hospital for Sick Children has announced that a ransomware attack has caused delays in lab and imaging results, and may result in longer wait times. The hospital has indicated that some of its systems may be offline for an extended period of time. The hospital stated in an online statement^[1] that it expects all systems to be operating normally within a few weeks:

While we can confirm this is a ransomware attack, SickKids has been preparing for attacks of this nature, and mobilized quickly to mitigate potential impacts to the continuity of care. We have rapidly engaged with third-party expert organizations and law enforcement to bring a resolution to the situation as quickly as possible.

Urgent, emergent care and scheduled appointments, procedures are continuing as normal, but the ransomware attack caused the clinical teams to experience delays in retrieving lab and imaging results. This may result in longer wait times for patients and their families. The hospital has emphasized that patients and families can continue to communicate with their care teams as usual and that there is no evidence to date that any personal or medical information has been compromised.

LockBit ransomware gang apologizes and offers the decryptor for free

The LockBit ransomware group has apologized for their attack on the hospital and has made a decryptor available at no cost:

We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program

Some groups that use ransomware operate on a “ransomware-as-a-service” model, in which they work with “partners” who specialize in creating and distributing malware to compromise victims' systems. The group and its affiliates then split any payments that the victims agree to make. In some cases, the affiliates may insert the ransomware after compromising a system, while in other cases the ransomware operators have the final say.

Under this arrangement, the LockBit operators retain approximately 20% of all ransom payments, with the remainder going to the affiliates. The ransomware group allows its affiliates to target pharmaceutical companies, dentists, and plastic surgeons but prohibits them from attacking “medical institutions” where such attacks could potentially lead to fatalities. The ransomware operation's policies state:

It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed

The group has claimed that one of its affiliates was responsible for encrypting the hospital's devices and that the affiliate has been removed from the operation and a decryptor has been made available at no cost. However, it is unclear why LockBit did not provide a decryptor earlier, given that the attack has affected patient care and the hospital has been working to restore operations since December 18th.

Ransomware attacks on hospitals in 2022

LockBit has previously encrypted hospitals without providing decryptors, as seen in its attack on the Center Hospitalier Sud Francilien (CHSF) in France,^[2] where the group demanded a ransom of $10 million and ultimately leaked patient data. This attack led to the referral of patients to other hospitals and the postponement of surgeries, which could have posed significant risks to patients.

Also, this is not the first instance in which a ransomware group has offered a free decryptor to a healthcare organization – in May 2021, the Conti Ransomware operation provided a free decryptor to Ireland's national health service, the HSE,^[3] after facing pressure from international law enforcement.

According to an end-of-the-year analysis of ransomware attacks in the US,^[4] Emsisoft reported that 24 American healthcare providers operating 289 hospitals were hit by ransomware in 2022. In these 24 attacks, data, including Protected Health Information (PHI), was exfiltrated in at least 17 cases. The most significant incident of the year was the attack on CommonSpirit Health, which operates nearly 150 hospitals across the US.

The attack resulted in the personal data of 623,774 patients being compromised and caused disruptions at affected hospitals, including a computer system for calculating medication doses going offline at one hospital, leading to a 3-year-old patient receiving a massive overdose of pain medicine, and other hospitals temporarily halting surgery scheduling or redirecting ambulances to other hospitals.