The LockBit ransomware group has apologised for a December attack on one of Canada’s largest children’s hospitals.
The Toronto-based Hospital for Sick Children (SickKids) was hit with a ransomware attack on 18 December which saw systems taken offline and services disrupted.
However, in a rare turn of events, the gang issued an apology on 30 December and announced it had released a free decryptor for data seized in the attack.
Security researcher Dominic Alvieri first highlighted the apology in a Twitter thread over the weekend, noting that the affiliate responsible for the attack had breached the group’s rules.
“We formally apologise for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violates our rules, is blocked and is no longer in our affiliate programme,” LockBit said in its statement.
SickKids said it was aware of the apology and decryptor release. The organisation added that it was working closely with external security teams to establish the legitimacy of the decryptor.
“The Hospital for Sick Children (SickKids) is aware of the statement issued online by a ransomware group that included an offer of a free decryptor to restore systems impacted by the cyber security incident,” the hospital said.
“We have engaged our third-party experts to validate and assess the use of the decryptor.”
RELATED RESOURCE
Getting board-level buy-in for security strategy
Why cyber security needs to be a board-level issue
The ransomware attack on 18 December caused significant disruption to operations at the SickKids hospital, affecting both internal and corporate systems, phone lines, and its official website.
As a result of the attack, the hospital revealed that patients had encountered delays in receiving lab results, which caused lengthy waiting times.
In an update on 29 December, the hospital confirmed that around 50% of its priority systems had been restored in the wake of the incident. However, SickKids warned that patients might still face lengthy waits as security experts worked to achieve a full restoration of services.
“While system restoration is occurring quicker than originally anticipated, we do not have a timeline for when all systems will be restored and the Code Grey will be lifted,” the hospital said.
“The hospital’s Information Management Technology (IMT) team as well as clinical and operational teams are manually testing and validating impacted systems before they can be fully operational.”
The apology from LockBit marks the second incident of its kind over the last two years. In May 2021, the Conti cyber crime group provided a free decryptor to Ireland’s Health Service Executive after an attack crippled operations.
This does represent a rare change in how LockBit operates, however. While the ransomware as a service (RaaS) group prevents attacks on medical institutions which may lead to patient deaths, it has frequently targeted hospitals and health trusts.
In August LockBit claimed responsibility for an attack on a French hospital. This particular incident saw the group demand a $10 million ransom to restore seized data.
After the health trust refused to pay, LockBit then leaked sensitive patient data online.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
