LockBit Ransomware Gang Issues Rare Apology For Attacking SickKids Hospital

ransomware hero
It's not often that malicious actors in the malware and virus space apologize, but that is exactly what happened on New Year's Eve after a ransomware attack targeted a children's hospital system in Canada.

The LockBit ransomware gang found out recently that one of its affiliates breached the rules of the organization by attacking The Hospital for Sick Children, also known as SickKids. The attack was started on December 18th and by December 29th SickKids had reported it had managed to restore 50% of the priority systems. The overall attack, however, did not fully shutdown all operational functions of SickKids. It seemed to only target internal and corporate systems, phone lines, and the organization's web site.

LockBit is a ransomware-as-a-service organization where it holds and maintains encryptors and web sites, while affiliates carry out the actual attacks. LockBit keeps 20% of payments returned on the ransomware attacks, while the rest goes to the affiliate that perpetuates the attack. The policies of LockBit forbit users and affiliates from attacking institutions in which the result could lead to death. While more detailed in their rules, the basic gist is that the operations of hospital are not to be attacked.

sickkids
Photo of front of a SickKids hospital

In order to rectify the situation, LockBit has actually distributed the decryptor to SickKids for the affected systems for free, not accepting any ransom whatsoever. Additionally it has blocked and banned the offending affiliate. This is definitely an interesting turn of events because LockBit attacks have been launched on other hospital institutions around the world where a ransom was still demanded. On January 1, SickKids made a post indicating that it is aware of the decryptor and it is assessing its use. It is, after all, coming from the same organization that enabled the attack, so being wary is important.

The decryptor seems to be specific to Linux/VMWare with no Windows decryption according to the report by BleepingComputer. This indicates that the attacker was only able to target virtual machines.

"We formally apologize for the attack on sickkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program." says the LockBit blog.

screen lock
Image of a computer screen with a lock and chains

Ransomware is no laughing matter. It has caused chaos amongst hospitals, school systems, and even games development companies. It does not look like it is going away soon, but hopefully this sets a precedent for behavior when it comes to affecting peoples health.