Fraud Management & Cybercrime , Healthcare , Industry Specific

Toronto Hospital Gauges Whether to Use LockBit Decryptor

LockBit Says Affiliate Broke Its Rules in Ransomware Attack on Children's Hospital
Toronto Hospital Gauges Whether to Use LockBit Decryptor
Image: Raysonho/CC0 1.0

Toronto's Hospital for Sick Children says it is evaluating decryptor keys published by hackers responsible for a mid-December ransomware attack that caused delays in patient care.

See Also: Live Webinar | Navigating the Difficulties of Patching OT

The pediatric teaching hospital says the Dec. 18 incident affected internal clinical and corporate systems as well as some hospital phone lines and webpages. It warned patients about delays in retrieving lab and imaging results and told staff it had activated an emergency recovery plan to ensure salary payments (see: Children's Hospital Expects Weekslong Ransomware Recovery).

In periodic updates including its most recent, published on Sunday, the hospital has repeatedly stated that there is no evidence the attack affected personal data, including health information. The hospital says it did not make a ransomware payment.

Ransomware-as-a-service group LockBit claimed responsibility, stating on its leak website that a now-disowned affiliate initiated the attack. The group "formally" apologized and published on the dark web a file it said would decrypt affected files.

The hospital says it hired "third-party experts to validate and assess the use of the decryptor" and that it already has restored 60% of the affected systems.

LockBit's self-published policy for affiliates says ransomware attacks "where damage to the files could lead to death" at institutions "where surgical procedures on high-tech equipment using computers may be performed" are off-limits. The policy approves the theft without encryption of medical data and "pharmaceutical companies, dental clinics, plastic surgeries, especially those that change sex."

Ransomware attacks on hospitals can have potentially fatal consequences even if they're not directly responsible for a patient death. A September 2021 analysis by the U.S. Cybersecurity and Infrastructure Security Agency says cyberattacks can contribute to increased patient mortality by degrading hospital capacity (see: CommonSpirit's Ransomware Incident Taking Toll on Patients).

LockBit has been active since 2019. Recent victims include the Port of Lisbon, France's Thales Group and German auto parts maker Continental, among others.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.