Lockbit apologized for the attack on the SickKids pediatric hospital and releases a free decryptor

The LockBit ransomware group formally apologized for the attack on the Hospital for Sick Children (SickKids) and gave to the victim a decryptor for free.

The LockBit ransomware gang formally apologized for the attack on the Hospital for Sick Children (SickKids) and has released a free decryptor for the Hospital.

The group is known to have a role for its affiliated that prohibits attacking healthcare organizations. Its policy forbids to encrypt systems of organizations where damage could lead to the death of individuals.

The gang explained that one of its partners has attacked SickKids violating its rules, for this reason it block the affiliate.

“We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.” reads the message published by Lockbit on its Tor leak site.

BleepingComputer confirmed that the decryptor released by the group claims to be a Linux/VMware ESXi decryptor.

The attack against the Toronto’s Hospital for Sick Children took place on December 18, 2022. The hospital is the Canadian largest pediatric health center, it is located on University Avenue in Toronto, Ontario, Canada.

The attack impacted multiple network systems at the hospital, but according to the healthcare organization, it did not impact the patient care. 

“The Hospital for Sick Children (SickKids) is currently responding to a cybersecurity incident affecting several network systems and has called a Code Grey – system failure. The code went into effect at 9:30 p.m. on Sunday, December 18, and is ongoing.” reads the incident notice published by the Hospital.

“The safety and well-being of our patients and their families is our top priority. All patient care is continuing and there is currently no evidence that personal information or personal health information has been impacted.”

The hospital took several days to contain the ransomware attack.

“The Hospital for Sick Children (SickKids) has successfully restored many systems that were impacted by the cybersecurity incident on December 18.” reads an update published by SickKids. “As of December 29, almost 50 per cent of priority systems are now restored and back online, including many of the systems that would have contributed to diagnostic and/or treatment delays. Patients and families should still be prepared for potential delays as work continues to bring all systems back online.”

On December 23, the hospital revealed that it would take weeks to fully restore its IT infrastructure.

Affiliates of the Lockbit gang have already hit healthcare organizations in the past, in early December, the Hospital Centre of Versailles was hit by a cyber attack that was attributed to the group. Hospital Centre of Versailles, which includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, canceled operations and transferred some patients due to the cyberattack.

In August, the gang attacked the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures. According to local media, threat actors demand a $10 million ransom to provide the decryption key to restore encrypted data.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit)

[adrotate banner=”5″]

[adrotate banner=”13″]