Hackers Apologize for Attack on Hospital for Children

The LockBit ransomware operation is offering free decryption keys to a distraught children’s hospital in Canada after one of the gang’s affiliates violated the hackers’ code of ethics that prohibits attacks on healthcare.

SickKids is Canada’s largest hospital for children and, as the country’s most research-intensive hospital, is “dedicated to improving children's health,” according to the institute’s About page. The organization is affiliated with the University of Toronto.

On Dec. 19, SickKids issued a statement informing anyone and everyone concerned that a cybersecurity incident was disrupting the hospital’s operations.

The attack hit internal clinical and corporate systems, as well as some hospital phone lines and web pages. After activating downtime procedures, the hospital called in its incident management command center to determine the nature and scope of the incident.

Three days later, Sick Kids issued another statement confirming it had fallen victim to a ransomware attack – despite having prepared in advance for such a scenario.

Hackers undo their deed

Almost two weeks after the hackers left their mark on SickKids, the LockBit operation – which claimed responsibility for the attack – issued an apologetic statement saying that one of its affiliate hackers violated the crew’s ethics code regarding healthcare institutions. The group said it would fire the rogue affiliates, as shared by databreaches.net.

Image credits: databreaches.net

The LockBit gang, much like other ransomware operations, uses the ransomware-as-a-service model – it develops, maintains and sells hacking tools to affiliates who do all the legwork and pay the group’s leaders a fee for every successful attack. However, unlike other hacking groups, LockBit operators try to avoid hitting the healthcare sector – or at least so they claim – to prevent life-threatening scenarios. According to reports, there is at least one instance where the group didn’t abide by its own rules.

Experts to assess the decryptor before use

In a Jan. 1 update, SickKids acknowledged that its aggressors were offering a free decryptor to restore systems impacted by their operation.

“The Hospital for Sick Children (SickKids) is aware of the statement issued online by a ransomware group that included an offer of a free decryptor to restore systems impacted by the cybersecurity incident,” the hospital said. “We have engaged our third-party experts to validate and assess the use of the decryptor.”

SickKids claims it has so far restored over 60% of “priority systems,” and that ongoing restoration is progressing well.

‘No evidence’ of data leaks

The hospital also claims “there is no evidence to date that personal information or personal health information has been impacted,” adding that it has “not made a ransomware payment.”

As is the case with most ransomware attacks, the data hackers accessed during the breach is almost guaranteed to be impacted in one way or another. It remains to be seen if LockBit operators – and, more importantly, its affiliates – stick to their promised conduit.

SickKids, for its part, promises to share further updates on its website at sickkids.ca and via Twitter @SickKidsNews.