Ransomware | LockBit group apologizes for Toronto hospital attack

(Toronto) A global ransomware operator has issued an apology and offered to unlock the data it encrypted in a ransomware attack on the Hospital for Sick Children in Toronto, a rare, if not unprecedented, move for the infamous group, according to cybersecurity experts.


LockBit, a ransomware group that the FBI, the US federal police, has called one of the most active and destructive in the world, issued a brief apology on December 31 on what cybersecurity experts consider to be its dark-web leak site, where it publishes its ransom demands and leaked data.

In the statement, reviewed by The Canadian Press, LockBit claimed to have blocked the “partner” responsible for the attack and offered The Hospital for Sick Children in Toronto a free decryptor to unlock its data.

“As far as I know, this is the first time they’ve issued an apology and offered to hand out a free decryptor,” said Brett Callow, a British Columbia-based threat analyst for anti-malware firm Emsisoft, which tracks ransomware attacks.

LockBit has been linked to recent cyberattacks on municipalities in Ontario and Quebec, experts say, and a Russian-Canadian citizen living in Brantford, Ont., was arrested in October for his alleged involvement in the group.

US officials say the group has demanded at least $100 million in ransoms and extracted tens of millions from victims.

“They are one of the most active groups, if not the most,” argued Brett Callow.

“These attacks can sometimes come from much closer to home than we think. We believe that the attacks come from Russia or from countries of the [Commonwealth of Independent States], while in some cases they could come from within our own borders,” Mr. Callow said.

The Hospital for Sick Children in Toronto acknowledged on Sunday that it was aware of the statement and said it was consulting with experts to “validate and evaluate the use of the decryptor.”

The hospital is still recovering from the cyberattack, which it said delayed lab and imaging results, cut phone lines and shut down the staff payroll system.

As of Sunday, more than 60% of its “priority systems” had been brought back online; the outage of many of these systems had contributed to diagnostic and treatment delays. Restoration efforts were “progressing well,” the hospital said.

The hospital said it took down two websites it operates on Friday after reporting “potential unusual activity”, but said the activity did not appear to be related to the cyberattack.

The hospital remains under a Code Grey, the hospital code for a system failure, issued on December 18 in response to the cyberattack.

Harder to decipher

Even if The Hospital for Sick Children in Toronto decides to use a LockBit decryptor, experts say the hospital still faces a number of hurdles.

Ransomware groups are good at scrambling files, said Chester Wisniewski, a senior researcher at Vancouver-based cybersecurity firm Sophos. “They’re not that good at deciphering them,” he claimed.

Healthcare organizations that use a ransomware group’s decryptor, whether because they’ve paid a ransom or otherwise, recover on average about two-thirds of their files, Wisniewski said, citing a Sophos survey of hundreds of organizations. The time-consuming and expensive job of decryption is also left to the organization itself, not to mention the cost of hiring third-party experts to review, investigate, and rebuild after the hack.

And then there’s the LockBit partner issue, Callow added.

According to experts, LockBit operates like a criminal multi-level marketing scheme, renting out its malware to affiliate hackers in exchange for a share of any ransom they extort.

LockBit’s statement says the partner who attacked the Toronto hospital is no longer part of its program, but it’s unclear whether that partner still holds any files that may have been stolen in the attack, Mr. Callow said.

“That data could now be in the hands of someone who is quite pissed that they couldn’t monetize this particular attack,” he explained.

The Hospital for Sick Children in Toronto says there is “no evidence to date” that any personal information has been compromised, but experts say they are treating such claims with some skepticism until a full investigation is complete.

LockBit’s apology, meanwhile, appears to be a way to manage its image, Wisniewski believes.

The group competes with other prominent malware operators who also try to woo hackers into using their platform to carry out lucrative cyberattacks, he said. Hackers seem to switch between operators frequently.

He suggested the decision could be aimed at partners who might view the attack on a children’s hospital as a step too far.

“My gut feeling would be that this is more aimed at the criminal affiliates themselves trying not to put them off moving to another ransomware group,” Wisniewski said.

Rise in cyberattacks during the pandemic

The Canadian Centre for Cyber Security said that while it is aware of the recent cybersecurity incident at the Hospital for Sick Children in Toronto, it does not comment on specific events.

A spokesperson for the centre, which reports to the federal Communications Security Establishment, said in a statement that cybersecurity incidents remain a persistent threat to the Canadian government and non-governmental organizations, as well as to critical infrastructure.

“Generally, the Centre for Cyber Security has noticed an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks against frontline healthcare and medical research facilities around the country,” said Evan Koronewski.

He said more than 400 healthcare organizations in Canada and the United States have suffered a ransomware attack since March 2020.

“Cybercriminals typically cast a wide net, not normally against specific targets, in search of financial gain,” Koronewski said. “While the threat ransomware poses to individuals remains, other cybercriminals have changed tactics, devoting more resources to aiming for larger, more financially lucrative targets.”

LockBit was involved in an attack on a hospital in France last year in which it allegedly demanded millions of dollars to restore the network, Callow said. The group has also been linked to recent ransomware attacks targeting the town of St. Marys, Ontario, and the city of Westmount, Quebec, he added.

And in this case, the possible impacts on patient care at a large pediatric hospital cannot be overlooked, argued Callow.

“Delayed treatment, delayed diagnoses – the impact of these may only have consequences weeks, months or even years after the event,” Callow argued.
