LockBit Hands Ransomware Decryptor to Kids' Hospital

Written by

A prolific ransomware group has apologized to a children’s hospital and provided it with a free decryption key after the facility was compromised in mid-December.

The incident occurred at Toronto’s Hospital for Sick Children (SickKids) on the evening of December 18 2022, local time.

Although it said in a statement that it had “mobilized quickly to mitigate potential impacts to the continuity of care,” Canada’s largest pediatric hospital also admitted that it would be a “matter of weeks” before systems returned to normal.

“Clinical teams are currently experiencing delays with retrieving lab and imaging results, which may cause longer wait times for patients and families,” it reportedly warned at the time.

However, the LockBit affiliate responsible had actually contravened the group’s policy on targets, it said subsequently in a brief statement on New Year’s Eve.

“We formally apologize for the attack on sickkids.ca and give back the decryptor for free,” noted the statement, reposted by Emsisoft threat analyst, Brett Callow. “The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.”

According to the group’s rules on targeting organizations, affiliates are only allowed to “very carefully and selectively attack medical-related institutions such as pharmaceuticals companies, dental clinics, plastic surgeries …” and other specific institutions.

“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed,” the notice continues.

As Callow argued at the time, this isn’t the first case of a decryption key being handed to a hospital by the group that attacked it. The same happened when Conti helped out the Irish Health Service Executive (HSE) and DoppelPaymer gifted Helios University Hospital a decryptor.

However, it remains to be seen why the developers behind LockBit waited nearly two weeks before taking action to help the hospital.

What’s hot on Infosecurity Magazine?