Ransomware group LockBit apologizes, saying ‘partners’ were behind SickKids attack

A global ransomware operator has apologized and offered to unlock the data targeted in a ransomware attack on the Hospital for Sick Children in Toronto, a rare, if not unprecedented, move for the notorious group, according to cybersecurity experts.

LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most active and destructive, issued a brief apology on Dec. 31 on what cybersecurity experts say is the dark web page where it posts about ransoms and data breaches.

In a statement seen directly by The Canadian Press, LockBit claimed to have blocked a “partner” responsible for the attack and provided SickKids with a free decryption tool to unlock their data.

“As far as I know, this is the first time they have apologized and offered to provide a free decryption tool.” ransomware attack.

A Russian-Canadian citizen of Brantford, Ontario, was identified in October as a suspected participant in the group’s attacks and was arrested, according to experts.

U.S. officials say the group has demanded at least $100 million in ransom and extorted tens of millions of dollars from victims.

“They are one of, if not the least active group,” said Callow.

“Sometimes these attacks happen much closer to home than we realize. [Commonwealth of Independent States] In some cases, they may have originated from within our own borders,” Callow said.

SickKids confirmed on Sunday that it was aware of the statement and said it was consulting experts to “verify and evaluate the use of the decryption tool.”

The hospital is still recovering from the cyberattack, which has delayed lab and imaging results, cut phone lines and shut down staff payroll systems, it said.

As of Sunday, more than 60% of its “priority systems” were back online, including many of the systems that had caused delays in diagnosis and treatment, and recovery efforts were “on track,” SickKids said. The hospital had previously said it took down two of the websites it operates on Friday after reporting “possible anomalous activity,” although it said the activity seemed to be unrelated to the cyberattack.

The hospital remains under Code Gray (hospital code for system failure) issued on December 18 following a cyberattack.

Even if SickKids decides to use LockBit’s decryptor, the hospital still faces many hurdles, experts say.

The ransomware group is good at scrambling files, said Vancouver-based Chester Wisniewski, principal investigator at cybersecurity firm Sophos.

“They’re not very good at deciphering,” he said.

Citing a Sophos survey of hundreds of medical institutions hit by ransomware, Wisniewski said that on average, about two-thirds of files were recovered regardless of whether the ransom was paid. The time-consuming and expensive task of decryption is also left to the organization itself, not to mention the expense of hiring third-party experts to review, investigate and rebuild after the hack.

Then there’s the issue of LockBit’s partners, Callow said.

Experts say LockBit works like a criminal multi-level marketing scheme, lending malware to hacker affiliates in exchange for part of the ransom. According to a statement from LockBit, the partner who attacked SickKids is no longer part of its program, but it is unclear whether that partner still holds files that may have been stolen in the SickKids attack, Callow said.

“That data could end up in the hands of someone who is very upset that we weren’t able to monetize this particular attack,” he said.

SickKids says there is “no evidence so far” that personal information was compromised, but experts say they treat such statements with some degree of skepticism until a full investigation is completed.

Meanwhile, LockBit’s apology looks like a way to control its image, Wisniewski said.

The group, he said, competes with other prominent malware operators who also want hackers to use their systems to carry out lucrative cyberattacks. Hackers seem to move between operators frequently.

He suggested the move could be aimed at partners who might see the attack on a children’s hospital as overkill.

“My gut instinct is that this is aimed at the criminal gangs themselves, who are trying not to be averse to switching to another ransom group,” said Wisniewski.

LockBit was involved in attacks on French hospitals last year and reportedly demanded millions of dollars to restore the network, Callow said. It has also been linked to recent ransomware attacks targeting the towns of St. Marys, Ontario, and Westmount, Quebec, he added.

In this case, Callow said, the impact on patient care at a large pediatric hospital cannot be ignored.

“Delayed treatment, delayed diagnosis – these effects may not be apparent until weeks, months, or years after the event,” said Callow.

The Canadian Press