Lockbit ransomware gang encrypts children’s hospital, apologizes, returns data

Share This Post

- Advertisement -

block tip, one of the largest ransomware gangs in the world, encrypted the data of a children’s hospital in Toronto, Canada and had to apologize. In addition, he returned the stolen information to the clinic.

- Advertisement -

Ransomware is a type of virus that blocks access to files and demands a ransom in exchange. In the case reported this week, a Toronto children’s hospital called sick people, had its systems affected on December 18. The attack affected telephone lines, internal systems and the website, which was reached by the general public.

SickKids explained that they were unable to handle lab and imaging results, which affected the delay times by patients.

- Advertisement -

Later, on December 29, the clinic reported that it had recovered 50% of your systemsrestoring correct operation and avoiding delays.

Cybercriminals and Affiliates: The RaaS Model

To understand the model under which Lockbit operates, it must be taken into account that they have affiliates, in a system called Raas: Ransomware as a Service.

“Gangs that have this mode sell their malicious code. This usually happens through the dark web: there they sell their encryption program and look for someone to distribute it. The company or affiliate It could be an employee of the attacked company or someone who bought the service to deposit it with a victim, because they have privileged access,” explains to Clarín Arturo Torres, Intelligence Strategist against Threats for FortiGuard Labs for Latin America and the Caribbean .

“When ransomware is distributed and a company is infected, extortion and negotiation begin. That is when the gang begins to interact. After negotiation, the profits are shared between the creator of the malicious code, i.e. the group of criminals hackers, and their affiliates” , adds the Fortinet expert, Lockbit is known to have given him the 20% of the profit economic to their partners.

It is at this very moment that Lockbit distanced itself from its affiliate and apologised.

“We formally apologize for the attack on sikkids.ca and give them the decryptor free of charge. The partner who attacked this hospital violated our rulesis blocked and is no longer in our affiliate program,” they said.

Lockbit’s policy is not to attack the critical systems of hospitals and healthcare institutions. That is, those on which the correct functioning to treat patients, manage hospitalizations and treatments depends.

However, some experts warn that it has more to do with a matter of image than ethics: “LockBit has attacked hospitals before – despite the fact that it supposedly goes against their rules – it is likely that they have done it this time. Why attack a children’s hospital? not the best for your business”, Risks Brett Callow, Emsisoft security analyst.

“Other companies would be more reluctant to pay LockBit, as they wouldn’t want to be seen as funding a group of cybercriminals who gleefully endanger the lives of children. That would be bad press for them,” he analyzes.

Indeed, in August last year, Lockbit encrypted a hospital in France, the Center Hospitalier Sud Francilien in Paris, and asked 10 million dollars.

Another problem with healthcare institutions is that many of them lack robust and secure network systems. And that some gangs may not have control over their affiliates.

As Torres, of Fortinet, explains: “Even if the groups say they will not attack critical health institutions, many times they fail to have control over their affiliates. In the Fortinet report we have seen that many groups have started to disband or create more groups and variants of ransomware: it is difficult to say which groups have this no-attack policy and which instead, everything can go out of control like it did with Lockbit”.

It is worth mentioning that Lockbit is one of the biggest cybercriminal gangs in the world. Its local victims include Osde Prepaid, which has seen a large amount of patient information leaked, and Ingenio Ledesma. Worldwide, they have successfully accessed the systems of nearly 200 victims, ranging from airlines, automotive and mining companies to media, hospitality and transportation companies.

His motivation is purely economic: “The higher the income of the company, the better. There are no decisive factors [para encritptar]If there’s a goal, you have to work at it. The location of the target doesn’t matter, we attack whoever is in our sights,” one of its members said in an interview with security firm Flashpoint.

However, as they explained on this occasion, critical health systems are their limit.

What is a “decrypter” and how do they return data

The information that began to circulate in the information security environment was that Lockbit had returned the files. This is done through adecryptor”, i.e. a decryptor.

To understand this, it is essential to know how victims’ files are encrypted: “When data hijacking occurs, the malware [virus] generates a set of cryptographic keys that will allow you to encrypt files and reverse the process just by using them. After paying the ransom victim get the decryptorthe recovery key and even the right to technical support live to assist in the recovery process,” explains Luis Ramírez Mendoza, researcher and safety engineer.

“By paying for this extortion, the files are not automatically made available as if by magic, but rather there is a process. To recover normalcy before the crash, we have to decrypt the files using a program called a decrypter, which is provided by the attacker once the ransom is paid,” he adds.

“After running the Decrypter, files will revert to their previous state at best (there have been cases like with Babuk where specific formats end up being unrecoverable). Recall that this type of illegal businesses make no guarantees”, he warns.

That is why it is crucial to have backups of critical information (backups): “For any company involved in a ransomware attack, the most important thing is to recover the hijacked information as quickly and discreetly as possible. In the absence of a proper policy of backups and disaster recovery, many victims are forced to pay the ransom imposed by their attackers,” he concludes.

The specialized site Bleeping Computer was able to confirm that the Lockbit decrypter for the SickKids hospital is freely available free.

Source: Clarin

- Advertisement -

Related Posts