Surprisingly, on the evening of 31 December, as noted by Dominic Alvieri, LockBit 3.0 released a decryption tool for the systems of the Canadian children’s hospital SickKids. The group even went so far as to apologize for the cyberattack, indicating that it had parted ways with the person who conducted it. But this decision looks much more like a communication gimmick than a show of true leniency, because its potential impact on the resumption of normal hospital activity is unlikely to be significant.
The ransomware was triggered and the cyberattack discovered on December 18th. By the time the LockBit 3.0 franchise operators kindly provided the decryption tool on December 31st, almost two weeks had already passed.
Meanwhile, the SickKids teams had not sat idly by waiting for a possible show of goodwill from the cybercriminals: on December 29, the hospital reported having already managed to reset and reboot “nearly 50% of priority systems”. These were probably in a virtualized environment: the decryption tool provided by the LockBit 3.0 operators only works for VMware ESXi hosts; no decryption tool has been provided for Windows systems.
Cautious, SickKids is not ignoring the tool offered by the cybercriminals, but is to evaluate the appropriateness of its use, since “restoration efforts are progressing well”. The approach seems all the more judicious as ransomware decryption tools are generally home-made and ultimately do little to speed up the recovery of an information system.
In short, the operators of LockBit 3.0 provided the decryption tool to the hospital when the latter no longer really needed it and had obviously decided not to give in to the blackmail. It reads as an attempt to turn a failure to their advantage and salvage their sympathy capital, if not their bitcoin accounts.
Perhaps it is also an attempt to make people forget the cyberattack against the Centre Hospitalier Sud-Francilien at the end of last August, during which both the franchise operators and the affiliates involved took good care not to show the slightest sympathy.