At Adaptive Office Solutions we’ve seen all sorts of cyber attacks, but nothing boils our blood more than hackers who target infrastructures that affect the lives of children.
We’ve written about how a school lunch provider hacked into the website of a competitor and downloaded student information, including meal preferences, allergies, and grades. Then there was a data breach at the Boy Scouts in which children’s full names, dates of birth, email addresses, phone numbers, parent names, etc. were exposed. And the current wave of cyber attacks on K-12 schools is staggering, as is the number of educational teleconferences and online classrooms disrupted by pornographic or hate images and threatening language.
Those are deeply disturbing examples (especially the last one), but the hack that takes the cake? A ransomware attack on The Hospital for Sick Children in Toronto.
According to an article by Healthcare IT News, “On December 18, 2022, SickKids was hit with ransomware and operations went to “Code Grey,” according to an announcement on the hospital’s website.
“Clinical teams are currently experiencing delays with retrieving lab and imaging results, which may cause longer wait times for patients and families,” the hospital said on December 22.
Other affected systems included employee timekeeping and pharmacy submissions.
On December 29, the Toronto hospital announced that nearly half of the affected systems had been restored.
According to Globalnews.ca, the LockBit ransomware group, which provides affiliates access to malware for a cut of the ransom profits, then issued an apology on the dark web on the last day of the year, which was then posted to Twitter.
In the statement, the ransomware organization allegedly blamed a partner and offered a free decryptor for the hospital to unlock its data.
Even with a ransomware group’s decryptor, healthcare organizations only recover on average about two-thirds of their files, said Chester Wisniewski, a Vancouver-based principal research scientist with Sophos, according to the news report.
Affiliates have a tendency to scramble data, he said.
The purpose of LockBit’s now-viral statement could be to discourage other affiliates that might see attacking a children’s hospital as an overstep from defecting to another ransomware group, Wisniewski added.
SickKids posted an additional statement to its website that it was aware of the group’s apology and is analyzing the decryptor. The hospital also said it did not make a ransom payment, and that there is no evidence to date that personal information or personal health information has been impacted.
Brett Callow, a threat analyst with anti-malware company Emsisoft, told the Canadian newsgroup that there is still the question of whether the allegedly cut-off LockBit affiliate partner still has the hospital’s data.
A spokesman from the Communications Security Establishment noted in the story that more than 400 healthcare organizations in Canada and the United States have experienced a ransomware attack since March 2020.
THE LARGER TREND
In 2021, the Health Sector Cybersecurity Coordination Center released a 31-page briefing on LockBit, its launch of the LockBit 2.0 affiliate program, and its recruiting efforts for its ransomware-as-a-service program.
“The only thing you have to do is to get access to the core server, while LockBit 2.0 will do all the rest,” according to LockBit’s documentation that HC3 had obtained.
Through an interview with a LockBit ransomware operator, the cybersecurity arm of the U.S. Department of Health and Human Services indicated that the cyber gang has a measure of ethics.
It won’t operate in certain states like Belarus and Russia for having “a contradictory code of ethics,” and may have disdain for those who attack healthcare entities, said HC3.
However, “While threat actors may state publicly that their personal ethics influence their target selection, many adversaries go after the easiest victims regardless of any moral obligation, based on our experience,” according to the briefing.
Healthcare cybersecurity experts encourage the industry to fight cybercrime-as-a-service with security collaboration because lives – like those at SickKids – suffer the diversions of care that inevitably follow ransomware attacks.
ON THE RECORD
“These attacks can sometimes originate much closer to home than we realize,” Callow told Canadian news.
“We think the attacks are coming in from Russia or Commonwealth of Independent States countries, whereas in some cases they could be originating from within our own border,” he said, noting that LockBit malware was connected to recent ransomware attacks on two small municipal governments – St. Mary’s, Ontario, and Westmount, Quebec.
Lest you think the communication between the hackers and the SickKids CEO, take a look at this article by the Star…
SickKids attack pulls ransomware’s ‘Robin Hood’ into the spotlight
“The CEO was losing their patience.
Their company had been hacked, their data stolen, and they were now deep into a heated negotiation with a representative of the organization that was holding their files for ransom.
In a moment of frustration, the company CEO started swearing.
That, the negotiator informed them, was unacceptable.
“He said, ‘Sir, I’m sorry, I’ve been nothing but respectful to you. If you can’t be respectful to me, then we’re going to end this conversation,’” recalls Allan Liska, a cybersecurity expert who helps companies retrieve their assets and the author of the book Ransomware: Understand. Prevent. Recover.
“And I’m like, you’re a thief, you bastard. You don’t get to be indignant about somebody cussing at you.”
It’s a glimpse into the veneer of professionalism and civility practiced in the world of ransomware — a milieu that was cast into the spotlight yet again this week amid an attack on the Hospital for Sick Children in Toronto.
Ransomware is when a hacker takes over a company or institution’s computer network, encrypts the files, then forces them to pay before they can regain control or access their own data.
The groups perpetrating them often describe the attacks as a service known as pen testing, or penetration testing, claiming they’re actually helping companies identify security vulnerabilities in their systems.
“When some of them release the key (the password needed to decrypt the stolen files) and victims pay, they’re like ‘Well, here’s how we got in. And here’s how we moved around. And here’s what we recommend you moving forward to protect yourself,’” Liska said.
It’s a lucrative business. In 2021, Canadian companies paid more than $600 million to recover their digital assets due to ransomware attacks, according to Statistics Canada, up from $400 million in 2019.
And that’s only the private sector; there have also been attacks on the government, notably when hackers targeted Newfoundland and Labrador’s healthcare system, froze the province’s online infrastructure, and “accessed” patients’ personal information. The attack affected medical procedures.
Last week, SickKids was the victim of a cyber attack, before the shadowy organization LockBit took credit for its software being used … and apologized.
LockBit blamed the attack on a “partner.”
“We formally apologize for the attack on sikkids.ca (sic) and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked, and is no longer in our affiliate program,” LockBit said on its website, which can only be accessed via the deep web.
Cybersecurity experts who spoke to the Star said it’s not the first time a children’s hospital has been the victim of a ransomware attack, but it’s the first time they’ve seen a group apologize for it.
In its most recent update, SickKids said it has restored more than 60 percent of its priority systems and that restoration efforts were ongoing. It added that it has not made a ransomware payment and that there’s no evidence to date that patients’ personal information has been compromised.
The hospital also said it was aware of a statement by the group about a free decryptor and was using third-party experts to evaluate it.
Through a contact listed on its website, a LockBit representative said it would answer questions from the Star but ultimately did not provide a written response before the publication of this story.
It’s unclear why LockBit decided to apologize for the attack, or what rule the partner violated, but LockBit has something resembling a code of conduct on its website, including who and what are off limits.
LockBit makes no mention of children’s hospitals but states that “critical infrastructure” — such as nuclear and hydroelectric power plants — are forbidden targets, as is the oil and gas industry.
It’s not that the organization suddenly grew a conscience out of its sympathy for sick children, contends Brett Callow, a threat analyst with anti-malware company Emsisoft, but more likely that it is simply mindful of the optics of attacking a children’s hospital.
“I wouldn’t say (they have) compassion at all. I would say business sense. … They could have simply decided that this attack really wasn’t a good idea because it would make it harder for them to collect ransoms in the future,” Callow said. “Companies just aren’t going to want to be seen to be financing a group that attacks kids hospitals.”
It turns out that LockBit is a third-party provider. LockBit is the name of the software used to hack into security systems, as well as the group that contracts it out.
BlackBerry, which has transitioned from mobile devices to cybersecurity primarily, says the LockBit group describes itself as the “Robin Hood” of ransomware groups because it purportedly does not target health care, education, charitable, or social service organizations.
LockBit’s business model involves the group offering its hacking software to “affiliates,” or partners, then taking 20 percent of the proceeds when the hacker successfully gets its victim to pay a ransom.
Liska described it as “the most evil multilevel marketing plan that you’ve ever seen.”
Meanwhile, the partner is responsible for launching the attack, which can be something as simple as a false link in an email, known as phishing. Once they find an entry point or backdoor, they will retrieve administrator credentials, encrypt the system’s data and steal files.
This allows LockBit to essentially sit back and let its partners do the dirty work.
“If you’re a ransomware operator, the people that make this software, they’re untouchable,” says David Shipley, CEO and co-founder of Beauceron Security.
“They’ve got HR teams, subcontractors, and contractors who may not even know that they’re developing code (for hackers). These are sophisticated operations,” he added.
In a post on a Russian-language cybercrime forum, an account named LockBitSupp explained there was a delay in discovering that one of its partners had attacked a children’s hospital.
According to the post, someone reached out to LockBit and called them “scoundrels” for the attack.
“I figured out the situation, punished the guilty, and issued a decryptor. No one was hurt or died.”
LockBit also forbids its partners from attacking Russia and any post-Soviet countries, which it claims is because most of its developers and partners were born and grew up in the Soviet Union.
The company says it is based in the Netherlands, although Callow and Liska said it’s almost certainly based in Russia.
LockBit says it allows its partners to attack non-profit organizations and schools and says it is “very commendable” to attack police stations and other law-enforcement agencies because they “do not appreciate our useful work.”
“It is allowed to very carefully and selectively attack medical related institutions such as pharmaceutical companies, dental clinics, plastic surgeries, especially those that change sex,” LockBit’s website states.
“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like. … It is allowed to steal data from any medical facilities without encryption.”
Cybersecurity experts told the Star LockBit is among the “top tier” of ransomware groups. Their ransom demands have raked in at least $100 million to date, according to a November statement from the United States Department of Justice, detailing the arrest of a Russian-Canadian man affiliated with LockBit.
The release called LockBit’s software “one of the most active and destructive ransomware variants in the world.”
“You couldn’t do that with just a group of 10 or 15 or even 20 people,” Liska said. “You need hundreds of affiliates to be able to get to that level.”
It’s believed LockBit has partners all around the world; its affiliates have been arrested in Asia, Europe, South America, and here in Canada.
While Liska praised the RCMP for their track record of arresting LockBit affiliates, Shipley said the government is still not taking cybercrime seriously enough, especially when compared to the United States.
“We’re a decade behind. And we can’t afford it. Because at the end of the day, you know who’s paying for our lapse in our security? Children with cancer. In Newfoundland, it was adults with cancer. … It is our most vulnerable Canadians,” Shipley said.
“If there’s anything that’s sacred across this country that we can all unite behind consistently, it’s universal access to health care. Well, guess what falls apart if your hospital is hacked?”
Frankly, a CEO who swears at hackers (however rarely that may happen) is alright by Adaptive. Moving on…
Ransomware Group LockBit Apologizes
Let’s wrap up this shameful hacking topic with a short article by the CBC… “A global ransomware operator has issued a rare apology after it claims one of its “partners” was behind a cyberattack on Canada’s largest pediatric medical centre.
LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the most active and destructive in the world, posted a brief statement on what cybersecurity experts say is its data leak site claiming it has blocked its partner responsible for the attack on Toronto’s Hospital for Sick Children and offering the code to restore the system.
SickKids acknowledged Sunday it was aware of the statement and says it was consulting experts to “validate and assess the use of the decryptor,” adding it has not made a ransom payment.
The hospital has said last month’s attack delayed lab and imaging results, knocked out phone lines, and shut down the staff payroll system.
It says 60 percent of its priority systems have since been brought back online and restoration efforts are “progressing well.”
Cybersecurity experts say even if SickKids decides to use a decryptor, they face the often lengthy and costly task of fully restoring the systems and potentially rebuilding their cybersecurity architecture to prevent another attack.
Cyber attacks on health organizations are a growing threat
The Canadian Centre for Cyber Security, under the national cryptologic agency the Communications Security Establishment (CSE), says it’s aware of reports regarding the cyber security incident at SickKids but can’t comment on specific incidents.
However, it highlighted cyber threats continue to remain a “persistent threat” to the Canadian government, non-government organizations, and critical infrastructure.
“Generally speaking, the Cyber Centre has noticed an increase in cyber threats during the COVID-19 pandemic, including the threat of ransomware attacks on the country’s front-line healthcare and medical research facilities,” said a statement from CSE spokesperson Evan Koronewski.
Koronewski says cybercriminals typically cast a “wide net” and don’t usually have specific targets, but some criminals have started to place more resources into zeroing in on “larger and more financially lucrative” targets that cannot tolerate disruptions and are likely willing to pay large ransom amounts to restore operations.
“CSE and the Cyber Centre continue to monitor for any developing cyber threats and share threat information with our partners and stakeholders to help prevent future incidents,” said Koronewski.
“We encourage Canadians and Canadian organizations to be aware of ransomware threats and be vigilant.”
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca