Ransomware group LockBit apologizes, saying 'partner' was behind SickKids attack
A global ransomware operator issued an apology and offered to unlock the data targeted in a ransomware attack on Toronto’s Hospital for Sick Children, a move cybersecurity experts say is rare, if not unprecedented, for the infamous group.
LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most active and destructive, issued the brief apology on Dec. 31 to what cybersecurity experts say is the dark web page where it posts about its ransoms and data leaks.
In the statement, reviewed directly by The Canadian Press, LockBit claimed to have blocked the “partner” responsible for the attack and offered SickKids a free decryptor to unlock its data.
“As far as I’m aware, this is the first time they’ve issued an apology and offered to hand over a free decryptor,” said Brett Callow, a British Columbia-based threat analyst with anti-malware company Emsisoft who tracks ransomware attacks.
LockBit has been connected to recent cyberattacks on municipalities in Ontario and Quebec, experts say, and a Russian-Canadian citizen living in Bradford, Ont., was arrested in October for his alleged participation in the group.
U.S. officials allege the group has made at least $100 million in ransom demands and extracted tens of millions from victims.
"They are one of, if not the most active group," Callow said.
“These attacks can sometimes originate much closer to home than we realize. We think the attacks are coming in from Russia or [Commonwealth of Independent States] countries, whereas in some cases they could be originating from within our own border,” Callow said.
SickKids acknowledged Sunday it was aware of the statement and said it was consulting experts to “validate and assess the use of the decryptor.”
The hospital is still recovering from the cyberattack that it said delayed lab and imaging results, knocked out phone lines and shut down the staff payroll system.
As of Sunday, over 60 per cent of its “priority systems” had been brought back online, including many that had contributed to diagnostic and treatment delays, and restoration efforts were “progressing well,” SickKids said.
The hospital previously said it took down two websites it operates on Friday after reporting "potential unusual activity", though it said the activity appeared to be unrelated to the cyberattack.
The hospital continues to be under a Code Grey – hospital code for system failure – issued on Dec. 18 in response to the cyberattack.
Even if SickKids decided to use a LockBit decryptor, experts say the hospital still faces a number of hurdles.
Ransomware groups are good at scrambling files, said Chester Wisniewski, a Vancouver-based principal research scientist with cybersecurity firm Sophos.
"They're not so good at unscrambling them," he said.
Healthcare organizations that use a ransomware group's decryptor, whether because they paid a ransom or otherwise, recover on average about two-thirds of their files, said Wisniewski, citing a Sophos survey of hundreds of organizations. The protracted and expensive work of decryption is also left to the organization itself, not to mention the cost of hiring third-party experts to review, investigate and rebuild after the hack.
And then there's the issue of LockBit's partner, Callow said.
LockBit operates like a criminal multi-level marketing scheme, experts say, renting out its malware to hacker affiliates in exchange for a cut of any ransom they extort. The LockBit statement says the partner who hit SickKids is no longer part of its program, but it's unclear whether that partner still holds any files that may have been stolen in the SickKids attack, Callow said.
"That data could now be in the hands of someone who is quite pissed off at having been unable to monetize this particular attack," he said.
SickKids says there is "no evidence to date" that personal information was compromised, but experts say they treat those statements with a degree of skepticism until a full investigation is complete.
LockBit's apology, meanwhile, appears to be a way of managing its image, said Wisniewski.
The group is competing with other high-profile malware operators who are also trying to court hackers to use their system to carry out lucrative cyberattacks, he said. Hackers appear to move between the operators frequently.
He suggested the move could be directed at those partners who might see the attack on a children's hospital as a step too far.
"My instinct would be this is more aimed at criminal affiliates themselves trying to not disgust them into switching into a different ransom group," said Wisniewski.
The Canadian Centre for Cyber Security said that though it is aware of the recent cybersecurity incident with SickKids, it doesn't comment on specific events.
A spokesman for the centre, which operates under the federal Communications Security Establishment, said in the statement that cybersecurity incidents remain a persistent threat to Canadian government and non-government organizations, as well as critical infrastructure.
"Generally speaking, the Cyber Centre has noticed an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks on the country’s front-line healthcare and medical research facilities," said Evan Koronewski.
He said over 400 health-care organizations in Canada and the United States have experienced a ransomware attack since March 2020.
"Cybercriminals typically cast a wide net, not usually against specific targets, seeking a financial profit," said Koronewski. "While the threat to individuals from ransomware remains, other cybercriminals have shifted their tactics, placing more resources into targeting larger and more financially lucrative targets."
LockBit was implicated in an attack on a hospital in France last year where it reportedly asked for millions of dollars to restore the network, Callow said. It has also been connected to recent ransomware attacks targeting the Town of St. Mary’s, Ont., and the City of Westmount, Que., he added.
And in this case, the possible impacts on patient care at a large pediatric hospital can't be overlooked, Callow said.
"Delayed treatment, delayed diagnostics — the impact of those may not be clear until weeks, or months, or years, even, after the event," Callow said.
This report by The Canadian Press was first published Jan. 2, 2023.
Correction
In a Jan. 2 story about a global ransomware operator apologizing for a cyberattack on Toronto's Hospital for Sick Children, The Canadian Press incorrectly reported that a Russian-Canadian citizen who was charged in October for his alleged participation in the group was living in Brantford, Ont., at the time of his arrest. In fact, he was living in Bradford, Ont.