A global ransomware operator issued an apology and offered to unlock the data targeted in a ransomware attack on Toronto’s Hospital for Sick Children, a move cybersecurity experts say is rare, if not unprecedented, for the infamous group.
LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most active and destructive, issued the brief apology on Dec. 31 to what cybersecurity experts say is the dark web page where it posts about its ransoms and data leaks.
In the statement, reviewed directly by The Canadian Press, LockBit claimed to have blocked the “partner” responsible for the attack and offered SickKids a free decryptor to unlock its data.
“As far as I’m aware, this is the first time they’ve issued an apology and offered to hand over a free decryptor,” said Brett Callow, a British Columbia-based threat analyst with anti-malware company Emsisoft who tracks ransomware attacks.
LockBit has been connected to recent cyberattacks on municipalities in Ontario and Quebec, experts say, and a Russian-Canadian citizen living in Brantford, Ont., was arrested in October for his alleged participation in the group.
U.S. officials allege the group has made at least $100 million in ransom demands and extracted tens of millions from victims.
“They are one of, if not the most active group,” Callow said.
“These attacks can sometimes originate much closer to home than we realize. We think the attacks are coming in from Russia or 1/8Commonwealth of Independent States 3/8 countries, whereas in some cases they could be originating from within our own border,” Callow said.
SickKids acknowledged Sunday it was aware of the statement and said it was consulting experts to “validate and assess the use of the decryptor.”
The hospital is still recovering from the cyberattack that it said delayed lab and imaging results, knocked out phone lines and shut down the staff payroll system.
As of Sunday, over 60 per cent of its “priority systems” had been brought back online, including many that had contributed to diagnostic and treatment delays, and restoration efforts were “progressing well,” SickKids said.
The hospital previously said it took down two websites it operates on Friday after reporting “potential unusual activity”, though it said the activity appeared to be unrelated to the cyberattack.
The hospital continues to be under a Code Grey – hospital code for system failure – issued on Dec. 18 in response to the cyberattack.
Robert Falzon, the head of engineering with the cybersecurity firm Check Point Software Technologies Inc., said while it appears SickKids staff are working to get control of the issue, it’s a daunting task.
“This is a particularly bad one for the fact it attacks primarily virtual machines,” he told CityNews in an interview on Monday, noting the focus of the attack usually involves technology that hosts multiple systems.
“When you’re attacking a platform itself you take down a number of pieces of infrastructure at the same time so this is why I think it was so dramatic in such a short period of time.”
Falzon added information technology (IT) staff have to make sure any backups aren’t infected with ransomware.
“It’s not surprising to me that it’s taking so long to restore. These are complex systems, they are in critical infrastructure,” he said.
“You know patient care, they have to make sure they don’t put something in place that … is going to put somebody at risk.”
As for the motives behind ransomware attacks, Falzon said in the end it comes down to money.
“I don’t think there’s any honour among thieves … they do in fact attack hospitals, they do attack critical infrastructure,” he said.
When it comes to protecting hospitals in an era when the facilities are increasingly going digital, Falzon said IT staff need to be empowered to make bolder changes to protect those systems.
“More needs to be done, but I think it’s not just a technology problem. We also have to look at how we’re managing the problem overall,” he said.
SickKids officials said there’s “no evidence to date that personal information or personal health information has been impacted,” but Falzon said with patient data being “highly sought after” the need for improvement is more important than ever.
“They’re paying a lot of money for it on the underground markets and so forth,” he said, adding data is often resold.
“This is a significant problem with many tendrils to it.”
