
CANADA: Ransomware group LockBit apologizes and says 'partner' behind SickKids onslaught



TORONTO — A global ransomware operator has issued an apology and offered to unlock data from a ransomware attack on the Hospital for Sick Children in Toronto, a move cybersecurity experts say is rare, if not unprecedented, for the notorious group.


LockBit, a ransomware group the U.S. FBI has described as one of the most active and destructive in the world, posted a brief apology on Dec. 31 on what cybersecurity experts say is the dark web site where it lists its ransomware attacks and data breaches.



In a statement directly verified by The Canadian Press, LockBit claimed to have blocked the "partner" responsible for the attack and provided SickKids with a free decryptor to unlock their data.


"As far as I’m aware, this is the first time they’ve issued an apology and offered to hand over a free decryptor," said Brett Callow, a threat analyst at Emsisoft, a British Columbia-based anti-malware firm that tracks ransomware attacks.



U.S. officials claim the group has demanded at least $100 million in ransom and extorted tens of millions from victims.


“They are one of, if not the most active group,” Callow said.


“These attacks can sometimes originate much closer to home than we realize. We think the attacks are coming in from Russia or [Commonwealth of Independent States] countries, whereas in some cases, they could be originating from within our own border,” Callow said.


SickKids acknowledged on Sunday that it was aware of the claim and said it was consulting experts to "verify and evaluate the use of the decryptor."


The hospital is still recovering from a cyberattack that delayed lab and imaging results, cut phone lines and shut down employee payroll systems.


SickKids said more than 60 percent of its "priority systems" were back online as of Sunday, including many that were causing delays in diagnosis and treatment, and the restoration was "making good progress."



The hospital previously said it shut down two websites it operates on Friday after reports of "possible unusual activity," although it said the activity did not appear to be related to the cyberattack.


The hospital is still under Code Gray, the hospital code for a system failure, which was issued on Dec. 18 in response to the cyberattack.


Even if SickKids decides to use the LockBit decryptor, experts say hospitals still face many hurdles.


“They’re not so good at unscrambling them,” he said.



Citing a Sophos survey of hundreds of organizations, Wisniewski said healthcare organizations that used a ransomware group's decryptor, whether as a result of paying a ransom or for other reasons, recovered on average about two-thirds of their files. The tedious and costly work of decryption is also left to the organizations themselves, not to mention the cost of hiring third-party experts to review, investigate and recover from hacks.


Then there's the question of LockBit's partners, Callow said.


Experts say LockBit operates like a criminal multi-level marketing scheme, renting out its malware to hacker affiliates in exchange for a cut of the ransom they demand. LockBit stated that the affiliate that attacked SickKids was no longer part of its program, but it was unclear whether the affiliate still held any files that might have been stolen in the SickKids attack, Callow said.


“That data could now be in the hands of someone who is quite pissed off at having been unable to monetize this particular attack,” he said.


SickKids said there was "no evidence yet" that personal information had been compromised, but experts said they were skeptical about the statements pending a full investigation.


In the meantime, Wisniewski said that LockBit's apology appears to be a way to preserve its image.


The group competes with other well-known malware operators who also try to attract hackers to use their systems for profitable cyberattacks, he said. Hackers seem to switch between operators quite often.


He suggested the move could be aimed at partners who may have deemed the attack on the children's hospital excessive.


“My instinct would be this is more aimed at criminal affiliates themselves trying to not disgust them into switching into a different ransom group,” said Wisniewski.


The Canadian Cyber Security Center said that while it was aware of recent cybersecurity incidents involving SickKids, it would not comment on specific incidents.


A spokesman for the center, which reports to the federal communications security agency, said in a statement that cybersecurity incidents pose an ongoing threat to the Canadian government and non-government organizations, as well as critical infrastructure.


“Generally speaking, the Cyber Centre has noticed an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks on the country’s front-line healthcare and medical research facilities,” said Evan Koronewski.


He said over 400 healthcare organizations in Canada and the United States had experienced a ransomware attack since March 2020.



“Cybercriminals typically cast a wide net, not usually against specific targets, seeking a financial profit,” said Koronewski. “While the threat to individuals from ransomware remains, other cybercriminals have shifted their tactics, placing more resources into targeting larger and more financially lucrative targets.”


LockBit was involved in an attack on a French hospital last year that reportedly needed millions of dollars to restore the network, Callow said. He added that it has also been linked to recent ransomware attacks targeting the cities of St. Marys, Ontario, and Westmount, Quebec.


In this case, the potential impact on patient care at a large children's hospital cannot be ignored, Callow said.


“Delayed treatment, delayed diagnostics — the impact of those may not be clear until weeks, or months, or years, even after the event,” Callow said.


This report by The Canadian Press was first published on Jan. 2, 2023.

Source: By Jordan Omstead The Canadian Press / TheRecord
