A global ransomware operator has issued a rare apology after it claims one of its “partners” was behind a cyberattack on Canada’s largest pediatric medical centre.
LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the most active and destructive in the world, posted a brief statement on what cybersecurity experts say is its data leak site, claiming it has blocked the partner responsible for the attack on Toronto’s Hospital for Sick Children and offering the code to restore the system.
SickKids acknowledged Sunday it was aware of the statement and said it was consulting experts to “validate and assess the use of the decryptor,” adding it has not made a ransom payment.
The hospital has said last month’s attack delayed lab and imaging results, knocked out phone lines and shut down the staff payroll system.
It says 60 per cent of its priority systems have since been brought back online and restoration efforts are “progressing well.”
Cybersecurity experts say even if SickKids decides to use a decryptor, it faces the often lengthy and costly task of fully restoring the systems and potentially rebuilding its cybersecurity architecture to prevent another attack.
Cyber attacks on health organizations a growing threat
The Canadian Centre for Cyber Security, under the national cryptologic agency the Communications Security Establishment (CSE), says it’s aware of reports regarding the cyber security incident at SickKids but can’t comment on specific incidents.
However, it highlighted that cyber threats remain a “persistent threat” to the Canadian government, non-government organizations and critical infrastructure.
“Generally speaking, the Cyber Centre has noticed an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks on the country’s front-line health-care and medical research facilities,” said a statement from CSE spokesperson Evan Koronewski.
“Since March 2020, over 400 health-care organizations in Canada and the United States experienced a ransomware attack.”
Koronewski says cybercriminals typically cast a “wide net” and don’t usually have specific targets, but some criminals have started to place more resources into zeroing in on “larger and more financially lucrative” targets that cannot tolerate disruptions and are likely willing to pay large ransom amounts to restore operations.
“CSE and the Cyber Centre continue to monitor for any developing cyber threats and share threat-information with our partners and stakeholders to help prevent future incidents,” said Koronewski.