An affiliate of the LockBit ransomware gang recently conducted an attack on the Hospital for Sick Children (SickKids) in Toronto, Canada. The attack occurred on December 18, 2022, and files were encrypted on multiple systems, including its internal and corporate systems, the phone system, and website, although patient medical records were reportedly not affected.
As is often the case with ransomware attacks on hospitals, systems are taken offline, either because they have been encrypted or as a precaution to contain the attack, which can impact hospital operations. In this case, SickKids said the attack disrupted systems and delayed the receipt of medical test and imaging results, which in turn delayed the diagnosis of medical conditions and the treatment of sick children. Patients also faced longer delays than normal.
This is not the first healthcare organization to be attacked by the LockBit group nor is it the first hospital, but in this case, an affiliate appears to have violated the rules imposed by the ransomware-as-a-service operation. The group announced on December 31, 2022, that a decryptor has been provided free of charge. The group also issued an apology and confirmed that action has been taken internally in response to the violation of its policies, stating that the actor responsible for the attack has been kicked out of the affiliate program and has been blocked.
LockBit only permits its affiliates to conduct attacks on certain healthcare organizations. Off-limits is any medical institution where the attack could cause a fatality. That includes any healthcare providers that conduct surgical procedures using high-tech equipment, maternity hospitals, and cardiology centers. Affiliates are free, however, to conduct attacks on pharma firms, plastic surgeons, and dentists, and data theft from medical institutions is permitted. That said, the LockBit gang does not always follow those rules, as evidenced by the recent attack on the Centre Hospitalier Sud Francilien in Corbeil-Essonnes, France. No such apology was issued following that attack, nor was a free decryptor provided.