On New Year’s Eve, the LockBit ransomware gang apologized to Toronto’s Hospital for Sick Children (SickKids) for the attack on it and sent a free decryptor so that the hospital’s files could be deciphered.
According to Brett Callow, a BC-based threat analyst for Emsisoft, the gang posted a message on its site claiming the attack was the work of an affiliate and violated the gang’s rules.
“We formally apologize for the attack on sickkids.ca and give back the decryptor free of charge,” the note said. “The accomplice who attacked this hospital violated our rules, is blocked, and is no longer in our affiliate program.”
Some ransomware groups operate on a ransomware-as-a-service model with so-called partners, or affiliates, who specialize in developing and spreading the malware used for the victim’s initial compromise, leaving the ransomware developers to focus on their encryption code. The gang and affiliate come to an agreement on splitting any payments the victim agrees to. In some models the affiliate deploys the ransomware after that agreement is reached, and in other models the ransomware operators have the final say.
Callow also said in a tweet that this is not the first time a ransomware group has offered help to a victim. In 2021 the Conti ransomware gang provided a decryptor following an attack that crippled Ireland’s Health Service Executive (HSE). However, that code was described as flawed and buggy. In 2020 the DoppelPaymer group reportedly sent a decryptor after a German hospital was hit.
The apology to SickKids comes 13 days after the internationally recognized hospital was hit by ransomware, which affected multiple systems.
Last week, in its most recent status update, the hospital said that about half of its priority systems had been successfully restored following the December 18 ransomware attack. Many of the affected systems contribute to diagnostic and/or treatment delays. The hospital said patients and families should still be prepared for possible delays as work continues to bring all systems back online.
The hospital has been asked to comment on whether the decryptor would be useful – or reliable.
According to researchers at BlackBerry, the LockBit strain is one of the most active ransomware families in the world. Ransomware has an average payout of around US$1 million per incident, while LockBit victims pay an average ransom of around $85,000, suggesting that LockBit targets small- to medium-sized organizations.
BlackBerry says that LockBit primarily seeks initial access to target networks through purchased access, unpatched vulnerabilities, insider access and zero-day exploits. In the “second phase,” LockBit establishes control over the victim’s system, collects network information, and achieves its primary goals such as stealing and encrypting data.
LockBit attacks typically employ a double extortion tactic to encourage victims to pay, the research says: first to regain access to their encrypted files, and then a second time to stop the stolen data from being published. When operated as ransomware-as-a-service (RaaS), an Initial Access Broker (IAB) deploys the first stage of malware or otherwise gains access within a target organization’s infrastructure. The IAB then sells that access to the primary LockBit operator for a second stage of exploitation.
While some threat actors claim that they avoid targeting hospitals, hospitals keep getting hit, whether through negligence or indifference. One of the largest recent attacks was disclosed by Lake Charles Memorial Health System in Louisiana, which said in October that a hacker stole patient data. According to The Record, the personal information of approximately 270,000 current and former hospital patients was copied. According to Bleeping Computer, the Hive ransomware gang is taking credit for the attack.
In its year-end analysis of ransomware attacks in the US, Emsisoft said 24 US healthcare providers operating 289 hospitals were hit by ransomware in 2022. In those 24 attacks, data — including protected health information (PHI) — was exfiltrated in at least 17 cases.
The most significant event of the year was the attack on CommonSpirit Health, which operates about 150 hospitals across the US. Emsisoft reports that the personal data of 623,774 patients was compromised as a result of the ransomware attack on CommonSpirit Health. At one of the affected hospitals, a computer system used to calculate drug doses was offline, and as a result a 3-year-old patient was reported to have been overdosed on pain medication. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals.