The Lockbit ransomware gang, one of the most active in the threat landscape, hit the Canadian Hospital for Sick Children (SickKids) and then apologized in the following days and released a free decryptor to allow the victim to recover their data.
The news of the attack went around the world, at the expense of a critical infrastructure such as a hospital and even worse, a children’s hospital.
While the Lockbit group is known for not targeting hospitals, other facilities have been hit by hackers claiming membership in the gang in recent months. Lockbit’s policy prohibits encrypting the systems of organizations where damage could cause the death of individuals, and hospitals are obviously among the targets not allowed. How is it possible then that a children’s hospital was attacked?
The cause is in the implementation of an affiliation model, also known as Ransomware-as-a-Service, in which groups of criminals can use Lockbit ransomware in their attacks provided they share a percentage of the proceeds of the attack with the gang . Evidently this model has risks that are far from negligible, namely that an affiliated group could on its own initiative target a critical infrastructure with unpredictable consequences, although explicitly prohibited by the ransomware gang that supplies them with the malicious code.
The Lockbit gang explained that one of its partners attacked SickKids in violation of its rules, resulting in him being banned from the affiliate program.
The group formally apologized in a message posted on its Leak site on the Tor network. “We formally apologize for the attack on sikkids.ca and provide the decryptor free of charge, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” the statement posted by Lockbit on his site hosted on the Tor network.
The attack on the Toronto Hospital for Sick Children took place on December 18, 2022. The hospital is Canada’s largest children’s health centre. The attack caused problems to several network systems of the hospital, but fortunately – according to the health organization – has not had any impact on the care of young patients.
“The Hospital for Sick Children (SickKids) is currently responding to a computer security incident affecting several network systems and has termed a Code Gray – system failure. The code went into effect at 21:30 on Sunday 18 December and is ongoing. reads the accident notice published by the hospital.
“The safety and well-being of our patients and their families is our top priority. All patient care processes continue to operate and there is currently no evidence that patients’ personal information or health care has been compromised.”
Unfortunately, it took the hospital several days to contain the ransomware attack, in an update provided on December 29, the structure reported that it had managed to restore about 50% of the systems considered “priority,” i.e. those services and applications whose interruption has led to delays in the formulation of diagnoses and in the delivery of therapies.
Unfortunately, the infrastructure recovery process is expected to take several weeks, according to a statement published on December 23.
The attack on the children’s hospital is not an isolated event, affiliates of the Lockbit gang have already hit healthcare organizations in the past. In early December, the Versailles Hospital Center was hit by a cyber attack attributed to the group. On this occasion, the structure was forced to cancel the surgeries and to transfer some patients due to the attack. In August, the same gang attacked the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris. The attack disrupted emergency services and outpatient services and forced the hospital to transfer patients to other facilities.
These events demonstrate how vulnerable healthcare infrastructures are to cyber attacks, which are increasingly affecting companies in the healthcare sector. Jama Network researchers recently released a report that analyzed trends in ransomware attacks on US hospitals, clinics and healthcare organizations between 2016 and 2021.
From 2016 to 2021, the annual number of ransomware attacks rose from 43 to 91. During the analysis period, researchers documented 374 ransomware attacks on healthcare systems that exposed the personal health information (PHI) of approximately 42 million individuals .
An impressive volume of information that exposes these individuals to future attacks.