Cyber-criminals apologize for attacking SickKids
January 4, 2023
TORONTO – The LockBit ransomware gang – which uses sophisticated viruses to “lock up” data until the organization under attack pays up – has apologized for targeting the Hospital for Sick Children and released a decryptor for free. According to reports on the Internet, the group’s members are prohibited from attacking healthcare organizations.
It said that one of its partners had attacked SickKids, violating its rules, so it blocked the affiliate.
“We formally apologize for the attack on sickkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” reads the message published by LockBit on its Tor leak site.
On December 18th, SickKids suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website.
While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times. On December 29th, SickKids announced that it had restored 50 percent of its priority systems, including those causing diagnostic or treatment delays. By January 1, the hospital said it had restored 60 percent of the priority systems.
It also responded to the offer of a decryptor in a short statement on the hospital website: “The Hospital for Sick Children (SickKids) is aware of the statement issued online by a ransomware group that included an offer of a free decryptor to restore systems impacted by the cybersecurity incident. We have engaged our third-party experts to validate and assess the use of the decryptor.
“As of January 1, SickKids has already restored over 60 percent of priority systems; restoration efforts are ongoing and progressing well. There is no evidence to date that personal information or personal health information has been impacted. SickKids has not made a ransomware payment.”
The National Post newspaper reported that, “Even if SickKids decided to use a LockBit decryptor, experts say the hospital still faces a number of hurdles. Ransomware groups are good at scrambling files, said Chester Wisniewski, a Vancouver-based principal research scientist with cyber-security firm Sophos. “They’re not so good at unscrambling them,” he said.
Healthcare organizations that use a ransomware group’s decryptor, whether because they paid a ransom or otherwise, recover on average about two-thirds of their files, said Wisniewski, citing a Sophos survey of hundreds of organizations. The protracted and expensive work of decryption is also left to the organization itself, not to mention the cost of hiring third-party experts to review, investigate and rebuild after the hack.
The LockBit operation runs as Ransomware-as-a-Service, where the operators maintain the encryptors and websites, and the operation’s affiliates, or members, breach victims’ networks, steal data, and encrypt devices.
As part of this arrangement, the LockBit operators keep approximately 20 percent of all ransom payments and the rest goes to the affiliate, according to the netsecurity.com website.
The threat of ransomware was a top concern of corporate executives in the fall of 2021, reported Gartner, a technology research and consulting firm. Just over a year later, organizations find themselves facing an escalation of that very threat with the rise of professional cyber-criminals.
The Cybereason.com website contends that new ransomware gangs have surfaced within the past few months, bringing new techniques with them.
Between January and March 2022, two ransomware gangs were quite active: LockBit 2.0 and Conti, with LockBit 2.0 responsible for 38% of ransomware attacks within that time frame, and Conti making up another 20%.
Both groups are known for threatening to post compromised data on leak sites in double extortion schemes unless the ransom is paid.
Within the past year, we’ve also seen these less active (but no less dangerous) ransomware gangs disrupting organizations around the world:
- BlackCat/ALPHV, a Ransomware-as-a-Service (RaaS) platform, has been around since last November and relies on stolen user credentials while consistently implementing a double extortion strategy, occasionally resorting to triple extortion with a DDoS attack. Believed to be a descendant of BlackMatter and targeting no less than 60 organizations in March 2022 alone, BlackCat caused enough trouble to warrant its own FBI flash alert.
- Hive, not to be outdone, apparently outranked even BlackCat in the growth of its operations, ranking third in activity in March 2022 with 188% growth overall since February. It focuses over 30% of its efforts on the industrial sector, but is not afraid to target schools and healthcare, even forcing a hospital to use paper charts last June, which caused the cancellation of urgent medical procedures. The FBI and CISA had to step in to help respond to the incident, which ultimately resulted in the hospital paying the ransom demand. Hive also employs a double extortion scheme, encrypting victims’ data and threatening to release it on its Tor site in the event of non-payment.
- Vice Society, around since June of 2021, is also responsible for attacks on hospitals that have culminated in leaked patient information. It is similar to Hive in that both run a site where leaked data will be published if the ransom isn’t paid.
- BlackByte took down the San Francisco 49ers’ corporate IT network a day after the FBI released a warning about the group. The attackers gained access via a known vulnerability within Microsoft Exchange, resulting in lateral movement across the network and file exfiltration and encryption. It falls under the category of Ransomware as a Service (RaaS) and does not target Russia or former Soviet Bloc regions.
- Hello Kitty, also known as Five Hands, was responsible for a ransomware note left with game developer CD Projekt Red, the studio behind Cyberpunk 2077 and the Witcher trilogy. Their method: demand a ransom, then run DDoS interference if the victim refuses to pay, compromising their ability to organize an effective response.
- Lapsus$ was also very active in the first quarter of 2022. While the group received wide media coverage, it is suspected of having exaggerated its claims and made dubiously backed allegations to increase its notoriety and put added pressure on victims. Largely an extortionist gang (as opposed to one that would encrypt files), it was known for leaking victim information on its Telegram chat.
- Night Sky, first observed during the last week of 2021, is yet another ransomware gang capitalizing on the double extortion model made popular by Maze in 2019 and in use ever since by at least 16 different groups. They exfiltrate your data, encrypt it and, as if that wasn’t enough, threaten to leak or sell your data should you refuse to pay.
- Stormous is another ransomware group making headlines in 2022, largely by publicly pledging to support the Russian government in the wake of the Russian-Ukrainian conflict. Known as a “scavenger operation,” the group targets past victims of successful ransomware attacks by other groups and seeks to extort them again, but some security researchers were unable to verify many of their claims to compromise.
- Zeon, yet another double extortion operator, was discovered by Twitter user dnwls0719 (a cybersecurity analyst) and is known for encrypting the victim’s files then fairly reliably delivering the decryption key upon payment.
- Pandora is another ransomware gang that has made headlines. Over a weekend in March of 2022, multibillion-dollar automotive company Denso reported being attacked by the group, resulting in unauthorized access and the subsequent shutdown of all affected devices on the network. It is yet another in the growing pool of double-extortion attackers.
- Sugar, another Ransomware as a Service (RaaS) platform, targets individual computers and is known to some as Encoded01. This particular gang was discovered by the Walmart Security Team and has been active since November of last year. RaaS is a lightweight service option that lets cybercriminals without deep technical skills leverage cheap ransomware attack services.
- And last but not least, the recently emerged Quantum Locker ransomware. First seen in August of 2021, their attacks are known for being incredibly fast, leaving their victims virtually defenseless. “The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker,” states Bleeping Computer.
As Gartner notes, “the ransomware business model has become more specialized and otherwise efficient, including ‘ransomware-as-a-service,’ and demand for bitcoin payouts, resulting in a proliferation of attacks. The technology for the attacks themselves also evolves, with viruses that linger and infect backup systems, do not rely on phishing as a vector, harder-to-identify viruses such as ‘fileless’ and ‘crypto-jacking’ attacks.”