This article is more than 1 year old
LockBit: Sorry about the SickKids ransomware, not sorry about the rest
Blame it on the affiliate
Notorious ransomware gang LockBit "formally apologized" for an extortion attack against Canada's largest children's hospital that the criminals blamed on a now-blocked affiliate group, and said it published a free decryptor for the victim to recover the files.
"The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," LockBit reportedly said on its leak site.
Toronto's Hospital for Sick Children (SickKids) said the "code grey" cybersecurity incident affecting several network systems started at 2130 local time on December 18.
"Upon learning of this incident, we immediately activated the hospital's incident management command center and launched an investigation to determine the nature and scope of the incident," according to a December 19 update on the hospital's website.
"At this time, the incident appears to have only impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages," the alert continued. The hospital claimed "there is currently no evidence that personal information or personal health information has been impacted."
As of January 1, SickKids had restored more than 60 percent of its "priority systems" and noted that "restoration efforts are ongoing and progressing well."
In this most recent update, the hospital also said it is aware of LockBit's free decryptor offer. "We have engaged our third-party experts to validate and assess the use of the decryptor," SickKids said, repeating that no personal details or health information had been affected.
"SickKids has not made a ransomware payment," the hospital added.
The LockBit gang has been around since 2019, deploying its malware against high-profile targets in multiple nations. According to US prosecutors, this ransomware strain has been deployed against more than 1,000 organizations, and members of the gang have extracted "tens of millions" of dollars in ransom payments.
Before thinking that the prolific ransomware-as-a-service group has turned over a new, nicer leaf, it's worth remembering the gang's ransomware attack over the summer against France's Center Hospitalier Sud Francilien.
"LockBit were not so charitable when demanding $10k from a hospital in a low-income country nor when dealing with a French hospital," tweeted Emsisoft threat analyst Brett Callow. "Could their actions here be more about self-preservation than compassion?"
More recently, LockBit claimed to have stolen more than 15TB of data from the Housing Authority of the City of Los Angeles (HACLA), and threatened to release the files if the affordable housing agency doesn't pay up.
And while the HACLA hasn't confirmed the security event was, in fact, a ransomware attack, it did confirm a "cyber event" on New Year's Eve disrupted its IT environment.
- LockBit threatens to leak confidential info stolen from California's beancounters
- LockBit gang hit by DDoS attack after threatening to leak Entrust ransomware data
- LockBit ransomware gang claims it ransacked Italy's tax agency
- Ex-CISA chief Krebs calls for US to get serious on security
"We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality securely to our environment as soon as possible," an HACLA spokesperson told The Register. "We remain committed to providing quality work as we continue to resolve this issue."
The spokesperson didn't answer any of our specific questions about the incident, including how the criminals breached the network, and what type of data — if any — was stolen in the attack.
Last month, LockBit claimed it was behind a cyber-attack on the California Department of Finance, bragging it stole data during the intrusion. ®