LockBit ransomware group issues an apology to Canada’s biggest pediatric hospital and provides a free decryptor

SickKids Hospital, located in Toronto, is a center for medical education and research with a primary emphasis on the treatment of ill children. On December 18th, the hospital was hit by a ransomware attack that affected not just the internal systems but also the corporate systems, as well as the website and the hospital phone lines. SickKids said that the incident resulted in lengthier patient wait times and caused delays in getting lab and imaging data. Despite the fact that the attack only encrypted a few systems, the hospital indicated that the event caused delays.

According to a researcher in threat intelligence, two days after the most recent notification made by SickKids, the LockBit ransomware group issued an apology for their attack on the hospital and made a decryptor available for free.

The ransomware gang issued the following statement in response to the attack on sickkids.ca: “We publicly apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital broke our rules, is banned, and is no longer in our affiliate program.”

The file, which purports to be a Linux/VMware ESXi decryptor, is offered without charge and may be downloaded here. It seems that the attacker could only encrypt virtual computers on the hospital’s network since there is no extra Windows decryptor.
The LockBit operation is a Ransomware-as-a-Service, which means that the operators are responsible for maintaining the encryptors and websites, while the operation’s affiliates, also known as members, are the ones that break into victims’ networks, steal data, and encrypt victims’ devices. In accordance with the terms of this agreement, the operators of LockBit will retain about twenty percent of each ransom payment, while the remaining eighty percent will be sent to the affiliate.

Although the ransomware operation permits its affiliates to encrypt pharmaceutical companies, dental offices, and plastic surgeons’ files, it forbids its affiliates from encrypting “medical institutions” where attacks could result in death. Pharmaceutical companies, dentists, and plastic surgeons are exempt from this ban.

The regulations of the ransomware operation state that “it is banned to encrypt institutions where damage to the data might result in death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical operations on advanced technology employing computers may be done.”


Consequently, the LockBit ransomware gang has distributed a free decryptor for the Hospital for Sick Children (also known as SickKids), citing the fact that one of its members broke the rules by attacking the healthcare facility.