TORONTO — A global ransomware operator issued an apology and offered to unlock the data targeted in a ransomware attack on Toronto’s Hospital for Sick Children, a move cybersecurity experts say is rare, if not unprecedented, for the infamous group.
LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most active and destructive, issued the brief apology on Dec. 31 to what cybersecurity experts say is the dark web page where it posts about its ransoms and data leaks.
In the statement, reviewed directly by The Canadian Press, LockBit claimed to have blocked the “partner” responsible for the attack and offered SickKids a free decryptor to unlock its data.
“As far as I’m aware, this is the first time they’ve issued an apology and offered to hand over a free decryptor,” said Brett Callow, a British Columbia-based threat analyst with anti-malware company Emsisoft who tracks ransomware attacks.
LockBit has been connected to recent cyberattacks on municipalities in Ontario and Quebec, experts say, and a Russian-Canadian citizen living in Bradford, Ont., was arrested in October for his alleged participation in the group.
U.S. officials allege the group has made at least $100 million in ransom demands and extracted tens of millions from victims.
"They are one of, if not the most active group," Callow said.
“These attacks can sometimes originate much closer to home than we realize. We think the attacks are coming in from Russia or [Commonwealth of Independent States] countries, whereas in some cases they could be originating from within our own border,” Callow said.
SickKids acknowledged Sunday it was aware of the statement and said it was consulting experts to “validate and assess the use of the decryptor.”
The hospital is still recovering from the cyberattack that it said delayed lab and imaging results, knocked out phone lines and shut down the staff payroll system.
As of Sunday, over 60 per cent of its “priority systems” had been brought back online, including many that had contributed to diagnostic and treatment delays, and restoration efforts were “progressing well,” SickKids said.
The hospital previously said it took down two websites it operates on Friday after reporting "potential unusual activity", though it said the activity appeared to be unrelated to the cyberattack.
The hospital continues to be under a Code Grey – hospital code for system failure – issued on Dec. 18 in response to the cyberattack.
Even if SickKids decided to use a LockBit decryptor, experts say the hospital still faces a number of hurdles.
Ransomware groups are good at scrambling files, said Chester Wisniewski, a Vancouver-based principal research scientist with cybersecurity firm Sophos.
"They're not so good at unscrambling them," he said.
Healthcare organizations who use a ransomware group's decryptor, because they paid a ransom or otherwise, recover on average about two-thirds of their files, said Wisniewski, citing a Sophos survey of hundreds of organizations. The protracted and expensive work of decryption is also left to the organization itself, not to mention the cost of hiring third-party experts to review, investigate and rebuild after the hack.
And then there's the issue of LockBit's partner, Callow said.
LockBit operates like a criminal multi-level marketing scheme, experts say, renting out its malware to hacker affiliates in exchange for a cut of any ransom they extort. The LockBit statement says the partner who hit SickKids is no longer part of its program, but it's unclear whether that partner still holds any files that may have been stolen in the SickKids attack, Callow said.
"That data could now be in the hands of someone who is quite pissed off at having been unable to monetize this particular attack," he said.
SickKids says there is "no evidence to date" that personal information was compromised, but experts say they treat those statements with a degree of skepticism until a full investigation is complete.
LockBit's apology, meanwhile, appears to be a way of managing its image, said Wisniewski.
The group is competing with other high-profile malware operators who are also trying to court hackers to use their system to carry out lucrative cyberattacks, he said. Hackers appear to move between the operators frequently.
He suggested the move could be directed at those partners who might see the attack on a children's hospital as a step too far.
"My instinct would be this is more aimed at criminal affiliates themselves trying to not disgust them into switching into a different ransom group," said Wisniewski.
The Canadian Centre for Cyber Security said that though it is aware of the recent cybersecurity incident with SickKids, it doesn't comment on specific events.
A spokesman for the centre, which operates under the federal Communications Security Establishment, said in the statement that cybersecurity incidents remain a persistent threat to Canadian government and non-government organizations, as well as critical infrastructure.
"Generally speaking, the Cyber Centre has noticed an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks on the country’s front-line healthcare and medical research facilities," said Evan Koronewski.
He said over 400 health-care organizations in Canada and the United States have experienced a ransomware attack since March 2020.
"Cybercriminals typically cast a wide net, not usually against specific targets, seeking a financial profit," said Koronewski. "While the threat to individuals from ransomware remains, other cybercriminals have shifted their tactics, placing more resources into targeting larger and more financially lucrative targets."
LockBit was implicated in an attack on a hospital in France last year where it reportedly asked for millions of dollars to restore the network, Callow said. It has also been connected to recent ransomware attacks targeting the Town of St. Mary’s, Ont., and the City of Westmount, Que., he added.
And in this case, the possible impacts on patient care at a large pediatric hospital can't be overlooked, Callow said.
"Delayed treatment, delayed diagnostics — the impact of those may not be clear until weeks, or months, or years, even, after the event," Callow said.
This report by The Canadian Press was first published Jan. 2, 2023.
Jordan Omstead, The Canadian Press
Note to readers: This is a corrected story. A previous version said the Russian-Canadian citizen was living in Brantford, Ont., at the time of his arrest.