Toronto’s Sick Kids Hospital Pwned By Ransomware…. But The Ransomware Provider Apologizes And Provides Free Decryption Software

We do indeed live in strange times. I say that because just before the holidays The Hospital For Sick Children which is also known as Sick Kids Hospital in Toronto was pwned by ransomware:

The Hospital for Sick Children (SickKids) is currently responding to a cybersecurity incident affecting several network systems and has called a Code Grey – system failure. The code went into effect at 9:30 p.m. on Sunday, December 18, and is ongoing.

The safety and well-being of our patients and their families is our top priority. All patient care is continuing and there is currently no evidence that personal information or personal health information has been impacted.

Upon learning of this incident, we immediately activated the hospital’s incident management command centre and launched an investigation to determine the nature and scope of the incident. At this time, the incident appears to have only impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages. Downtime procedures have been activated where needed.

Now that’s pretty bad. But there is a plot twist. The ransomware used was LockBit which is ransomware as a service. Or put another way, if you pay LockBit, you can use their ransomware to pwn your target. The thing is that that according to Bleeping Computer, LockBit has terms of service, and whomever launched this attack on Sick Kids violated those terms of service:

As first noted by threat intelligence researcher Dominic Alvieri, two days after SickKids’ latest announcement, the LockBit ransomware gang apologized for the attack on the hospital and released a decryptor for free.

“We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” stated the ransomware gang.

As for the terms of service the “partner” violated, here they are:

While the ransomware operation allows its affiliates to encrypt pharmaceutical companies, dentists, and plastic surgeons, it prohibits its affiliates from encrypting “medical institutions” where attacks could lead to death.

“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” explains the ransomware operation’s policies.

The stealing of data from any medical institution is allowed per the policies.

According to the ransomware gang, as one of its affiliates encrypted the hospital’s devices, they were removed from the operation, and a decryptor was offered for free.

I have to admit that I have never heard of this sort of thing happening. But here we are. And what makes this even more puzzling is this:

However, this does not explain why LockBit did not provide a decryptor sooner, with patient care being impacted and SickKids working to restore operations since the 18th.

Furthermore, LockBit has a history of encrypting hospitals and not providing encryptors, as was seen in its attack against the Center Hospitalier Sud Francilien (CHSF) in France, where a $10 million ransom was demanded, and patient data eventually leaked.

The attack on the French hospital led to referring patients to other medical centers and postponing surgeries, which could have led to significant risk to patients.

I am going to go out on limb and suggest that the attack on the French hospital might have attracted a lot of unwanted attention on the operators of LockBit. Thus when the Sick Kids incident happened, the LockBit operators might have decided that they quickly needed to walk that back. Regardless, this is one of those rare good news stories in a space where all I tend to report on is bad news.

Leave a Reply

%d bloggers like this: