"Ashamed" LockBit ransomware gang apologises to hacked school, offers free decryption tool

Is it possible ransomware gangs actually do have a heart?

Last month, a school district in Illinois was reported to be working closely with a cybersecurity insurance firm to determine the extent of damage it had sustained from a ransomware attack.

Olympia Community Unit School District 16 - the largest school district in Illinois, covering some 377 square miles - realised on Sunday February 26, 2023, that it had suffered a ransomware attack, after being targeted by an affiliate of the notorious LockBit ransomware group.

In due course, LockBit's leak site on the dark web began to count down to 12 April, when it said it would release all of the exfiltrated data - unless a ransom was paid.

LockBit, like many other ransomware operations, offers what is effectively a ransomware-as-a-service (RaaS) business. It allows affiliates to deploy its ransomware, and use its infrastructure, when launching extortion attacks against businesses and organisations.

Effectively, RaaS operations like LockBit put the ability to launch ransomware attacks into the hands of anyone who is approved to become an affiliate, meaning that digital extortion is not exclusively the province of tech-savvy nerds who have no qualms about breaking the law. Anyone can launch a ransomware attack.

But that's not to say that criminal groups like LockBit don't have certain standards which they ask their "partners" to meet.

In this instance, it appears that the affiliates who launched the ransomware attack against Olympia Community Unit School District 16 (Olympia CUSD16 for short) are not in LockBit's good books, as the group has expressed remorse for the hacking into servers used by innocent school children.

LockBit's admin updated its leak site with an apology to the school district, offering a free decryption key, and claimed that the affiliate responsible had been barred from using the ransomware in future:

"Please forgive me for allowing the attack on small innocent children, the stolen data has been deleted, to get the decryptor please give me the decryption id. I am very ashamed, but I can not control all partners, anyone can join my affiliate program as well as break the rules, I have blocked this partner."

I don't believe that empathy and human decency is something that is commonly encountered inside ransomware gangs, as they have spent years profiting from the misery and hardship of others. But I am pleased, on this occasion at least, that LockBit appears to have thought again and lessened the pain of the school district, its staff, and pupils.