Ransomware gang apologizes, gives SickKids hospital free decryptor

LockBit, a ransomware group that has been attacking healthcare organizations, released a free decryptor for the Hospital for Sick Children (SickKids).

SickKids is a teaching and research hospital in Toronto that provides healthcare for sick children.

The ransomware attack , as well as the website.

Although the attacker only hacked a handful of systems, SickKids claimed that it caused delays in imaging and lab results as well as longer wait times for patients.

SickKids announced on December 29th that 50% of its priority systems had been restored, including those that caused delays in treatment or diagnostics.

LockBit gang apologizes for attack

Two days after SickKids announced their latest attack, threat intelligence researcher Dominic Alvieri first noticed that LockBit ransomware had attacked the hospital. The LockBit ransomware group apologized and gave away a decryptor.

The ransomware gang stated that they had formally apologized for attacking the hospital. They also gave back the decryptor free of charge. “The partner who attacked the hospital violated our guidelines and was not in our affiliate program.”

BleepingComputer confirmed the file was available free of charge and claimed it to be a decryptor for Linux/VMware ESXi encryption. It is clear that there is no additional Windows decryptor and that the attacker was able to encrypt only virtual machines within the hospital network.

Apology to SickKids on the LockBit data leak site

Source: BleepingComputer

The LockBit operation runs as a Ransomware-as-a-Service, where the operators maintain the encryptors and websites, and the operation’s affiliates, or members, breach victims’ networks, steal data, and encrypt devices.

The LockBit operators receive approximately 20% of ransom payments, while the remainder goes to the affiliate.

Although the ransomware operation allows its affiliates to encrypt pharmacies, dentists and plastic surgeons, it forbids them from encrypting medical institutions where an attack could lead to death.

The operation's policy states that affiliates are not allowed to encrypt any institutions where death could result, such as cardiology centres, neurosurgical departments and the like.

The policies do allow the theft of information from medical institutions.

The ransomware gang claims that one of its affiliates encrypted the hospital's devices. The affiliate was then removed from the operation, and a free decryptor was offered.

This does not explain LockBit’s inability to provide a decryptor sooner. Patients have been affected, and SickKids has been working to restore operations since the 18th.

LockBit is known for encrypting hospitals but not offering decryptors. This was evident in the in France. A $10 million ransom was requested and .

After the attack on the French hospital, patients were referred to other centers for medical care and surgeries were delayed. This could have put patients at risk.

BleepingComputer reached out to LockBit in an attempt to learn why they wanted a ransom from CHSF. However, we never got a reply.