LockBit shows no remorse for ransomware attack on children's hospital

It even had the gall to set the ransom demand at $800K … for a nonprofit


Ransomware gang LockBit is claiming responsibility for an attack on a Chicago children's hospital in an apparent deviation from its previous policy of not targeting nonprofits.

Stooping to new lows, the criminals are reportedly unwilling to reverse the attack on Saint Anthony Hospital, as they had done in previous cases such as Toronto's SickKids hospital.

What's more, the gang apparently thinks a nonprofit hospital has the funds to pay an $800,000 ransom. Saint Anthony Hospital has not explicitly stated whether it will or won't pay, but with a sum this large it's highly unlikely that it would ever consider paying, let alone have the funds available to do so.

The deadline for payment has been set at 01:41 UTC on February 2. A $1,000 payment would extend the timer for 24 hours, and $800,000 is the price assigned to the data – that goes for both its destruction and its purchase by other parties.

Saint Anthony Hospital confirmed the attack via a statement published this week, saying files containing patient information had been copied by an unknown attacker. The hospital didn't specify the nature of the stolen data but confirmed no medical or financial records were accessed.

LockBit's intrusion began on December 18 but the hospital's internal investigation didn't conclude patient data was compromised until January 7. In the meantime, it said it took immediate action to secure its network and ensure patient care remained uninterrupted.

"Saint Anthony holds cybersecurity and the privacy of patient information in its care as top priorities," it said [PDF]. "Our prompt response to this event allowed us to continue providing patient care without disruption.

"As part of Saint Anthony's ongoing commitment to data privacy, we are working to review existing policies and procedures and implement additional ones as needed. Saint Anthony promptly reported this incident to the FBI and is cooperating with their investigation. We also reported this incident to appropriate regulators, including the US Department of Health and Human Services."

As the review of the incident progresses, the hospital said it would notify those it believes are impacted by the data theft. Until then, all patients are advised to remain vigilant to identity or financial fraud attempts and sign up for a free year of credit monitoring.

LockBit had in some previous cases shown a degree of restraint when targeting the likes of hospitals and other nonprofits, yet appears to be loosening the shackles on its affiliates, allowing them to target any organization they're able to breach.

In response to an affiliate that attacked Toronto's SickKids hospital last year, LockBit formally apologized, issued a free decryptor, and supposedly booted that affiliate out of its program for violating the rules.

In a post to its leak blog this week, LockBit said: "Always US hospitals put their greedy interest over those of their patients and clients."

We've been unable to get in touch with the spokesperson for the gang to ask about the attack and shift in approach, but the malware collectors at vx-underground were under the impression that LockBit was either ignorant of the fact Saint Anthony was a nonprofit, or simply didn't care.

Asked about the reasons for the attack, the gang reportedly responded by sending the hospital's financial disclosures, suggesting it either thought it was indeed a corporate entity or took "nonprofit" to mean an organization that generates zero revenue.

Saint Anthony's website clearly states that it's "an independent, nonprofit, faith-based, acute care, community hospital." So the decision to press ahead with the attack appears to be nothing more than a senseless money grab.

"If you attempt to educate and present information to LockBit administrative staff on nonprofit institution laws in the United States they will state the organization is corrupt and they will imply (directly or indirectly) it is a money laundering operation and the facility is dirty and deserves to be ransomed," said vx-underground.

"In summary: the rules are a facade."

LockBit leadership demonstrated similar ignorance in attacks on the education sector, flippantly responding: "If they have money for computers, they have money to pay me."

Jake Moore, global cybersecurity advisor at ESET, said that cybercriminals will always pursue attacks that align with their business goals.

"Although ransomware gangs may have chosen to avoid organizations such as hospitals and not-for-profits in the past, business is business and criminal goals are no different.

"The evolution of cybersecurity over the last decade has proved that criminal gangs have also had to pivot in terms of how they attack and financially conquer. Ransomware has become a different beast where data has become even more of the focal point in the way it has become a weapon of extortion rather than just relying on an encryption attack followed by ransom demands.

"No one remains safe from these attacks whether they are targeted or caught up in larger campaigns. Companies should never believe they are foolproof due to the nature of their business, nor should they reduce the best possible protection they have to offer." ®
