Ransomware | LockBit group apologizes for Toronto hospital attack

(Toronto) A global ransomware operator has apologized and offered to unlock the data targeted in a ransomware attack on Toronto’s Hospital for Sick Children, in what cybersecurity experts say is a rare, if not unprecedented, move for the notorious group.

Posted at 6:44 am

Jordan Omstead The Canadian Press

LockBit, a ransomware group the FBI has described as one of the most active and destructive in the world, issued a brief apology on December 31 on what cybersecurity experts believe to be the dark web site on which it posts its ransom demands and data leaks.

In the statement, verified by The Canadian Press, LockBit claimed to have blocked the “partner” responsible for the attack and offered the Toronto Hospital for Sick Children a free decryptor to unlock its data.

“As far as I know, this is the first time they’ve apologized and offered to give away a free decryptor,” said Brett Callow, a British Columbia-based threat analyst for anti-malware firm Emsisoft who tracks ransomware attacks.

LockBit has been linked to recent cyberattacks on communities in Ontario and Quebec, according to experts, and a Russian-Canadian national living in Brantford, Ontario, was arrested in October for his alleged involvement with the group.

US officials say the group demanded at least $100 million in ransom and extorted tens of millions from victims.

“They’re one of the most active groups, if not the most active,” argued Brett Callow.

“These attacks can sometimes come much closer to home than we think. We believe that the attacks come from Russia or from CIS countries [Commonwealth of Independent States], while in some cases they could come from our own border,” Mr. Callow said.

Toronto’s Hospital for Sick Children confirmed Sunday that it was aware of the statement and said it was consulting with experts to “validate and evaluate use of the decryptor.”

The hospital is still recovering from the cyberattack, which delayed lab and imaging results, cut phone lines and shut down staff payroll systems.

By Sunday, more than 60% of its “priority systems” had been brought back online, including many that had contributed to delays in diagnosis and treatment. The hospital said restoration efforts were “making good progress.”

The hospital said that on Friday it shut down two websites it operates after reporting “possible unusual activity,” but said the activity did not appear to be related to the cyberattack.

The hospital remains under a Code Grey, the hospital code for a system error, issued on December 18 in response to the cyberattack.

Harder to decipher

Even if Toronto’s Hospital for Sick Children decides to use the LockBit decryptor, experts say the hospital still faces a number of hurdles.

Ransomware groups are good at encrypting files, says Chester Wisniewski, a senior researcher at Vancouver-based cybersecurity firm Sophos. “They’re not that good at deciphering them,” he claimed.

Healthcare organizations that use a ransomware group’s decryptor, whether because they paid a ransom or for other reasons, recover about two-thirds of their files on average, Wisniewski said, citing a Sophos survey of hundreds of organizations. The time-consuming and costly task of decryption is also left to the organization itself, not to mention the cost of hiring third-party experts to verify, investigate, and recover from the hack.

And then there’s the LockBit partner issue, Callow added.

According to experts, LockBit operates like a criminal multi-level marketing scheme, renting its malware to affiliated hackers in exchange for a share of the ransoms they extort.

LockBit’s statement says the partner that attacked the Toronto hospital is no longer part of its program, but it’s unclear whether that partner still has any files that may have been stolen in the attack, Mr. Callow said.

“This data could now be in the hands of someone who is pretty pissed that they weren’t able to monetize this particular attack,” he explained.

Toronto’s Hospital for Sick Children says there is “no evidence so far” that personal information has been compromised, but experts say they are treating such claims with some skepticism pending a full investigation.

LockBit’s apology, meanwhile, appears to be a way to manage its image, Wisniewski believes.

The group competes with other prominent malware operators who are also trying to lure hackers into using their systems for lucrative cyberattacks, he said. Hackers seem to switch providers frequently.

He suggested the move could be aimed at partners who might see the attack on a children’s hospital as a step too far.

“My gut feeling is that this is more aimed at the criminal partners themselves, trying not to stop them from moving to another ransomware group,” Wisniewski said.

Increase in cyber attacks during the pandemic

The Canadian Centre for Cyber Security said that while it was aware of the recent cybersecurity incident involving Toronto’s Hospital for Sick Children, it would not comment on specific events.

A spokesman for the centre, which reports to the federal Communications Security Establishment, said in a statement that cybersecurity incidents pose an ongoing threat to the Canadian government and non-governmental organizations, as well as to critical infrastructure.

“In general, the Centre for Cyber Security has identified an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks on frontline healthcare and medical research facilities around the world,” said Evan Koronewski.

He said more than 400 healthcare organizations in Canada and the United States have suffered a ransomware attack since March 2020.

“Cybercriminals typically cast a wide net in search of financial gain, usually not against specific targets,” Koronewski said. “While the threat that ransomware poses to individuals remains, other cybercriminals have changed tactics and devoted more resources to attacking larger, more financially lucrative targets.”

LockBit was involved in an attack on a hospital in France last year in which the group allegedly demanded millions of dollars to restore the network, Callow said. The group has also been linked to recent ransomware attacks targeting the city of St. Mary’s, Ontario, and the city of Westmount, Quebec, he added.

And in this case, Callow argued, the potential impact on patient care in a large children’s hospital cannot be overlooked.

“Delayed treatment, late diagnosis — the effects of which can only be felt weeks, months or even years after the event,” argued Callow.