Ransomware gangs are known for many things, none of them good, but for a change, it turns out some of them do have a heart when it comes to sick children in hospitals.

The infamous LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children in Toronto, Canada after one of their affiliates targeted the hospital in a ransomware attack. The ransomware attack was detected on Dec. 19 and affected several network systems resulting in a “Code Grey – system failure.”

The attack impacted internal clinical and corporate systems, hospital phone lines and web pages. Fortunately, the attack did not affect patient care and the hospital claimed that there was no evidence of personal and health information being impacted.

In a statement on its leaks site on Dec. 31, LockBit apologized for the attack and released the decryptor. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free,” the statement reads. “The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.”

LockBit operates on a ransomware-as-a-service model where affiliates use already developed ransomware to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment, with LockBit earning money without the need to employ people to undertake ransomware attacks directly.

Bleeping Computer reports that the decryptor file appears legitimate but notably claims to be a Linux/VMware ESXi decryptor, with no support for Windows. This is said to indicate that the LockBit affiliate was only able to encrypt virtual machines on the hospital’s network.

First observed in 2019, LockBit is one of the most prolific ransomware gangs, with attacks against Accenture PLC and Bangkok Airways Public Co. Ltd. among its many successful targets. Despite repeated attempts by law enforcement and others to bring LockBit down, including the arrest of an affiliate in November, the gang, through its affiliates, continues to target companies and organizations across the globe.

While ransomware remains a severe ongoing issue, a report in October surprisingly found that despite media reports, it’s not actually getting worse. The Digital Shadows Ltd. report found that the number of ransomware attacks was dropping. The drop in ransomware attacks was attributed to ransomware actors regrouping and refocusing after a busy start to the year. The report highlighted LockBit as the most prolific ransomware group in the third quarter of 2022.

Photo: Raysonho/Wikimedia Commons