Sponsored By

Holiday Spirit? LockBit Gives Children's Hospital Free Decryptor

The Russian-speaking cybercrime gang said an affiliate violated its rules against attacks that could lead to bodily harm for medical patients.

generic children's hospital roadside pointing to the entrance
Source: Tom Bham via Alamy Stock Photo

After being hit by the LockBit ransomware-as-a-service (RaaS) apparatus, the Hospital for Sick Children (SickKids) received an unexpected holiday gift: A free decryptor and an apology from the cybercriminal group.

The children's hospital, located in Toronto, announced on Dec. 19 that it had just suffered a cyberattack that precipitated what it termed "Code Grey" — i.e., an internal systems failure. That forced clinicians to "transition to downtime procedures," it said, adding that it nonetheless believed the attack had only "impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages."

By Dec. 29, the story was a bit more dire: SickKids admitted that parents and patients were experiencing diagnostic and/or treatment delays — a reality that families should expect to continue, according to an update from the hospital. However, it had managed to restore about half of its affected footprint, it said.

Researcher Dominic Alvieri then tweeted that he had a posting from the LockBit gang's leak site apologizing for the hit, and blaming the attack on a rogue affiliate who was outside of the group's control. LockBit, like many other ransomware bigwigs, rents out its malware to affiliates who carry out the actual attacks in exchange for a 20% cut of the takings.

"We formally apologize for the attack…and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," according to the posting.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights