Close this search box.

Throwback Attack: Christmas attack on SickKids hospital prompts rare apology from LockBit

Equipment at a health care facility
Courtesy: CFE Media and Technology

Over the years, a standard formula for Christmas movies has been well established. Some villainous miscreant attempts to sabotage the holiday season, ruining it for a group of kind-hearted but downtrodden children. In the end, the Christmas spirit reigns supreme, and goodness triumphs over evil (See: “A Christmas Carol,” “Home Alone,” et al.). In a perfect malevolent storm of Grinchian proportions, hackers attempted to make this cinematic trope a reality just days before Christmas in 2022. On Dec. 18, Canada’s Hospital for Sick Children, better known as SickKids, was hit by a LockBit ransomware attack that impacted its internal systems, phone lines and website.

Attacks on critical infrastructure have been on the rise in recent years. According to the 2022 IBM Cost of a Data Breach Report, “Concerns over critical infrastructure targeting appear to be increasing globally over the past year, with many governments’ cybersecurity agencies urging vigilance against disruptive attacks. In fact, IBM’s report reveals that ransomware and destructive attacks represented 28% of breaches amongst critical infrastructure organizations studied, highlighting how threat actors are seeking to fracture the global supply chains that rely on these organizations. This includes financial services, industrial, transportation and health care companies amongst others.”

But the attack on SickKids had a perfectly cinematic twist ending — the LockBit ransomware gang apologized for the attack and released a free decryptor for the hospital.

The attack on SickKids

SickKids is a teaching and research hospital in Toronto that, as the name advertises, provides health care to sick children. When LockBit ransomware hit their networks at 9:30 p.m. on Dec. 18, 2022, there was immediate concern that impacted systems would be offline for a prolonged period of time, impacting patient care and potentially harming families.

“The Hospital for Sick Children (SickKids) is continuing to respond to the cybersecurity incident (Code Grey) that began at 9:30 p.m. on Sunday, December 18,” read a release from the hospital. “Work continues to bring all impacted systems back online and it is anticipated that it will be a matter of weeks before all systems are functioning as normal. Clinical and operational teams are implementing back-up procedures for systems that are not yet accessible.”

Luckily for SickKids, the attack only encrypted a few systems. While scheduled appointments and procedures continued, the hospital’s clinical teams experienced delays with retrieving lab and imaging results, which they warned would likely cause longer wait times for patients and families.

SickKids immediately put their emergency recovery plans into place and began working with third-party organizations and law enforcement to resolve the situation. By Dec. 29, the pediatric medical center announced that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays.

What is LockBit ransomware?

LockBit, formerly known as ABCD, is the name given to a specific type of malware as well as the gang that produces it. It’s basically a standard ransomware tool that blocks user access to files and systems in exchange for a ransom payment, but the LockBit criminal organization also licenses and distributes this malware as ransomware-as-a-service (RaaS). RaaS has dramatically lowered the bar for entry to criminal gangs and hackers looking to disrupt operations, steal data or extort organizations for financial gain. Typically, when an RaaS is used to attack a business, the affiliate will share a cut of the profits with the parent company.

Like many other ransomware groups, LockBit is thought to be connected to Russia and Eastern Europe and typically demands payment in cryptocurrency, often bitcoin. Since its introduction in 2019, LockBit has emerged as one of the most prolific types of ransomware currently in use. Its variants have been blamed for a number of high-profile attacks, including a recent one on the U.K.’s Royal Mail and other attacks on health care facilities. Though the group has attempted to keep a low profile, the sheer volume and growing audaciousness of LockBit-based attacks has shone a spotlight on it.

According to a Department of Justice filing from May 2023, “LockBit actors have executed over 1,400 attacks against victims in the United States and around the world, issuing over $100 million in ransom demands and receiving over $75 million in ransom payments.” The U.S. Federal Bureau of Investigation has called LockBit one of the most active and destructive ransomware groups in the world.

Wired released a detailed article on LockBit in January 2023, where it noted that the group is also having a major impact on the industrial space.

“Adding to its infamy, LockBit is also one of the most prolific and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems,” read the Wired article. “Security firm Dragos estimated in October that in the second and third quarters of 2022, the LockBit malware was used in 33 percent of ransomware attacks on industrial organizations and 35 percent of those against infrastructure.”

Backtracking on the SickKids attack

LockBit has gained a reputation as one of the most efficient and professional ransomware groups out there, and they’re not known for their kindness or remorse. The attackers behind the Royal Mail intrusion reportedly demanded $80 million, and the Center Hospitalier Sud Francilien in France was ransomed for $10 million.

But SickKids was different. Perhaps as a result of the worldwide media attention the attack garnered – the story had everything: suffering children, shady criminals, the Yule season – the LockBit ransomware group quickly backtracked, not only apologizing to the hospital but also offering a free decryption tool. Though the group licensed the malware to the attackers, they did not stand behind their work. On its underground website, LockBit posted: “We formally apologize for the attack on and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.”

SickKids ultimately did not make any ransom payment and released a statement on Jan. 1, 2023, saying that they were assessing the use of the decryptor tool since their own recovery efforts were going well. At that point, the hospital had already restored more than 60% of its priority systems.

The tricky part of this whole escapade is that LockBit runs a RaaS business, where they typically run the websites and encryptors, but the affiliates, or partners, are responsible for the attacks. According to an article in Bleeping Computer, LockBit’s rules allow for encryption of pharmaceutical companies, dentists and plastic surgeons, but they prohibit attacks on medical centers where the breach could lead to death.

“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.”

Of course, when it comes to cyber crime, “rules” are made to be broken. LockBit has a long history of encrypting data at hospitals and not providing decryptors.

How to protect your systems from LockBit

LockBit has earned a reputation as one of the most dangerous and successful ransomware operations for a reason. While it’s impossible to completely ransomware-proof your systems, every organization should take basic cyber hygiene steps to minimize the damage and become more resilient. Cybersecurity company Kaspersky recommends the following seven steps to help protect against ransomware like LockBit.

  1. Strong passwords should be implemented.
  2. Activate multifactor authentication.
  3. Reassess and simplify user account permissions.
  4. Clean out outdated and unused user accounts.
  5. Ensure system configurations are following all security procedures.
  6. Always have system-wide backups and clean local machine images prepared.
  7. Be sure to have a comprehensive enterprise cybersecurity solution in place.

LockBit has remained dangerous and productive since its inception because it has been run like a business, maintaining standards for which types of attacks are acceptable and operating with a modicum of professionalism. But riskier attacks like the ones on the Royal Mail and SickKids have raised its profile and put it squarely on the radar of international law enforcement.

If nothing else, LockBit learned one important lesson from the SickKids incident: The holiday spirit always wins out.




Keep your finger on the pulse of top industry news