Toronto Hospital Gauges Whether to Use LockBit Decryptor
LockBit Says Affiliate Broke Its Rules in Ransomware Attack on Children's Hospital
Toronto's Hospital for Sick Children says it is evaluating decryptor keys published by hackers responsible for a mid-December ransomware attack that caused delays in patient care.
The pediatric teaching hospital says the Dec. 18 incident affected internal clinical and corporate systems as well as some hospital phone lines and webpages. It warned patients about delays in retrieving lab and imaging results and told staff it had activated an emergency recovery plan to ensure salary payments (see: Children's Hospital Expects Weekslong Ransomware Recovery).
In periodic updates including its most recent, published on Sunday, the hospital has repeatedly stated that there is no evidence the attack affected personal data, including health information. The hospital says it did not make a ransomware payment.
Ransomware-as-a-service group LockBit claimed responsibility, stating on its leak website that a now-disowned affiliate initiated the attack. The group "formally" apologized and published on the dark web a file it said would decrypt affected files.
The hospital says it hired "third-party experts to validate and assess the use of the decryptor" and that it already has restored 60% of the affected systems.
LockBit's self-published policy for affiliates says ransomware attacks "where damage to the files could lead to death" at institutions "where surgical procedures on high-tech equipment using computers may be performed" are off-limits. The policy approves the theft without encryption of medical data and "pharmaceutical companies, dental clinics, plastic surgeries, especially those that change sex."
Ransomware attacks on hospitals can have potentially fatal consequences even if they're not directly responsible for a patient death. A September 2021 analysis by the U.S. Cybersecurity and Infrastructure Security Agency says cyberattacks can contribute to increased patient mortality by degrading hospital capacity (see: CommonSpirit's Ransomware Incident Taking Toll on Patients).