The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization.
SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.
On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website.
While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.
On December 29th, SickKids announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays.
LockBit gang apologizes for attack
As first noted by threat intelligence researcher Dominic Alvieri, two days after SickKids’ latest announcement, the LockBit ransomware gang apologized for the attack on the hospital and released a decryptor for free.
“We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” stated the ransomware gang.
BleepingComputer has confirmed that this file is available for free and claims to be a Linux/VMware ESXi decryptor. As there is no additional Windows decryptor, it indicates that the attacker could only encrypt virtual machines on the hospital’s network.
The LockBit operation runs as a Ransomware-as-a-Service, where the operators maintain the encryptors and websites, and the operation’s affiliates, or members, breach victims’ networks, steal data, and encrypt devices.
As part of this arrangement, the LockBit operators keep approximately 20% of all ransom payments and the rest goes to the affiliate.
While the ransomware operation allows its affiliates to encrypt pharmaceutical companies, dentists, and plastic surgeons, it prohibits its affiliates from encrypting “medical institutions” where attacks could lead to death.
“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” explains the ransomware operation’s policies.
The stealing of data from any medical institution is allowed per the policies.
According to the ransomware gang, as one of its affiliates encrypted the hospital’s devices, they were removed from the operation, and a decryptor was offered for free.
However, this does not explain why LockBit did not provide a decryptor sooner, with patient care being impacted and SickKids working to restore operations since the 18th.
Furthermore, LockBit has a history of encrypting hospitals and not providing decryptors, as was seen in its attack against the Center Hospitalier Sud Francilien (CHSF) in France, where a $10 million ransom was demanded, and patient data eventually leaked.
The attack on the French hospital led to referring patients to other medical centers and postponing surgeries, which could have led to significant risk to patients.
BleepingComputer had contacted LockBit at the time to understand why they were demanding a ransom from CHSF, even though it was against policies, but never received a response.
This is not the first time a ransomware gang has provided a free decryptor to a healthcare organization.
In May 2021, the Conti Ransomware operation provided a free decryptor to Ireland’s national health service, the HSE, after facing increased pressure from international law enforcement.