In a world of ever-increasing and ruthless cyber intrusions, a ransomware outfit has decided to be the exception. The LockBit gang has released a free decryptor for SickKids, a Toronto-based healthcare facility that one of LockBit’s affiliates targeted on December 18, 2022.
LockBit’s action is a rare instance of empathy from cybercriminals, who even spelled out the word ‘apologize’ in an affiliate’s late 2022 attack on the Hospital for Sick Children or SickKids. The group said its affiliate violated its rules by attacking a healthcare facility.
Independent security researcher Dominic Alvieri first came across LockBit’s post, dated December 31, 2022, at 1:59 PM EST. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” LockBit’s post reads.
LockBit offers decryptor for free.
LockBit affiliate breach violated their rules for The Hospital for Sick Children and offers the decryptor for free.
— Dominic Alvieri (@AlvieriD) December 31, 2022
SickKids confirmed the ransomware attack on December 19, stating it impacted a few internal clinical and corporate systems, hospital phone lines, and web pages. A few days later, on December 22nd, the hospital said its patients and their families were experiencing longer wait times owing to its staff having delays in retrieving lab and imaging results.
SickKids confirmed that no personal or personal health information was impacted and that it hasn’t paid any ransom. As of January 1, the hospital restored over 60% of priority systems.
It is unclear why LockBit is going so far as to release a decryptor for free. SickKids being a teaching and research hospital, is clear of LockBit’s targets which excludes organizations “where damage to the files could lead to death.”
LockBit’s sensibility should be taken with a pinch of salt, considering the ransomware syndicate is known to go to great lengths, including going against one of the more prominent cybersecurity companies, Mandiant, to paint a rosy picture of its deeds.
In June 2022, Mandiant associated LockBit with Russia’s big bad wolf Evil Corp. LockBit’s response? To ensure it is perceived not to be associated with the sanctioned Evil Corp, which would impact its earnings and image, LockBit said it breached Mandiant, gained access to its data and threatened to leak it.
See More: Ransomware and SaaS data: The Threat is Real
Mandiant said it had no evidence that supported LockBit’s claims, making them hokum. However, it goes to show the kind of PR stunts the ransomware gang practices to make sure it flies just above law enforcement’s radar and continues to engage in cybercrime.
So it could just be that LockBit apologized and released the decryptor to color itself as a group with a heart. After all, it took more than ten days for it to correct the affiliate’s ‘mistake.’
LockBit has been running a ransomware-as-a-service operation since September 2019. The group revamped its website and infrastructure and rebranded as LockBit 2.0 in June 2021. Later in August 2021, Palo Alto Networks’ Unit 42 included it in its list of emerging ransomware groups.
In 2022, LockBit remained the most active ransomware group from February through October, barring March 2022, according to Malwarebytes Labs. In September 2022, LockBit was responsible for 48% of all ransomware attacks, nearly six times as many attacks as Black Basta, the next most prevalent ransomware gang, and almost as many attacks as every other variant combined.
LockBit recently updated its strain once again in June 2022 to LockBit 3.0 and famously announced a bug bounty program ranging between $1,000 to $1 million for detecting and reporting security blind spots in its website (cross-site scripting or XSS), locker (encryption), vulnerabilities in Tox messenger and the Tor Network.
According to VX Underground’s October 2022 interview with the LockBit founder, the syndicate has more than ten members, including pentesters, developers, money launderers, testers, and negotiators. This makes LockBit significantly smaller than Conti which boasted close to 100 members before it went under. However, LockBit does have approximately 100 affiliates using its strain and sharing ransomware proceeds.
One of these affiliates, a Russian and Canadian national named Mikhail Vasiliev, was arrested in November 2022 for conspiring with others to damage protected computers intentionally and to transmit ransom demands. Law enforcement also seized two firearms, eight computers, 32 external hard drives and €400,000 ($400,760) worth of cryptocurrency.
“The Hospital for Sick Children (SickKids) is aware of the statement issued online by a ransomware group that included an offer of a free decryptor to restore systems impacted by the cybersecurity incident. We have engaged our third-party experts to validate and assess the use of the decryptor,” SickKids stated on Sunday, December 1, 2022.
Meanwhile, BleepingComputer discovered that the released decryptor is for Linux/VMware ESXi and that there isn’t one for Windows.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
Image source: Shutterstock
MORE ON RANSOMWARE ATTACKS