LockBit issues rare apology for Toronto SickKids ransomware attack
The December attack on the SickKids hospital disrupted services and caused delays for patients


The LockBit ransomware group has apologised for a December attack on one of Canada’s largest children’s hospitals.
The Toronto-based Hospital for Sick Children (SickKids) was hit with a ransomware attack on 18 December which saw systems taken offline and services disrupted.
However, in a rare turn of events, the gang issued an apology on 30 December and announced it had released a free decryptor for data seized in the attack.
Security researcher Dominic Alvieri first highlighted the apology in a Twitter thread over the weekend, noting that the affiliate responsible for the attack had breached the group’s rules.
“We formally apologise for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violates our rules, is blocked and is no longer in our affiliate programme,” LockBit said in its statement.
SickKids said it was aware of the apology and decryptor release. The organisation added that it was working closely with external security teams to establish the legitimacy of the decryptor.
“The Hospital for Sick Children (SickKids) is aware of the statement issued online by a ransomware group that included an offer of a free decryptor to restore systems impacted by the cyber security incident,” the hospital said.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“We have engaged our third-party experts to validate and assess the use of the decryptor.”
RELATED RESOURCE
Getting board-level buy-in for security strategy
Why cyber security needs to be a board-level issue
The ransomware attack on 18 December caused significant disruption to operations at the SickKids hospital, affecting both internal and corporate systems, phone lines, and its official website.
As a result of the attack, the hospital revealed that patients had encountered delays in receiving lab results, which caused lengthy waiting times.
In an update on 29 December, the hospital confirmed that around 50% of its priority systems had been restored in the wake of the incident. However, SickKids warned that patients might still face lengthy waits as security experts worked to achieve a full restoration of services.
“While system restoration is occurring quicker than originally anticipated, we do not have a timeline for when all systems will be restored and the Code Grey will be lifted,” the hospital said.
“The hospital’s Information Management Technology (IMT) team as well as clinical and operational teams are manually testing and validating impacted systems before they can be fully operational.”
The apology from LockBit marks the second incident of its kind over the last two years. In May 2021, the Conti cyber crime group provided a free decryptor to Ireland’s Health Service Executive after an attack crippled operations.
This does represent a rare change in how LockBit operates, however. While the ransomware as a service (RaaS) group prevents attacks on medical institutions which may lead to patient deaths, it has frequently targeted hospitals and health trusts.
In August LockBit claimed responsibility for an attack on a French hospital. This particular incident saw the group demand a $10 million ransom to restore seized data.
After the health trust refused to pay, LockBit then leaked sensitive patient data online.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Enterprise networking - but without the therapy bills
Industry insights Historically the networking channel has been on focused on features, but we now need to shift emphasis to enablement...
-
Why is Meta still funding the metaverse?
Analysis VR hype seemed to evaporate as fast as it arrived. Has the money Meta has sunk into it folly, or part of a larger strategy that's yet to bear fruit?
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group
News The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
-
Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim
News In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected
-
Nearly one-third of ransomware victims are hit multiple times, even after paying hackers
News Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics
-
75% of UK business leaders are willing to risk criminal penalties to pay ransoms
News A ransom payment ban is a great idea - until you're the one being targeted...
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
News The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year