The LockBit ransomware operators have had a busy new year, with a notable attack on Britain’s Royal Mail that disrupted the postal service’s ability to send international letters and parcels (see “Royal Mail ransomware attackers threaten to publish stolen data”). However, it seems that there are some targets LockBit feels should be off-limits.
When LockBit’s ransomware was used to target the SickKids Hospital in late December, LockBit took the unusual step of apologizing for the attack and providing a decryptor to the victims (see “Ransomware group LockBit apologizes saying ‘partner’ was behind SickKids attack”).
LockBit is a Ransomware-as-a-Service (RaaS) provider. Part of what it does is to “rent” access to its malware to other hackers, in exchange for a percentage of any ransom they manage to extract from victims. This is a competitive environment, and hackers “appear to move between the operators frequently,” says Chester Wisniewski, a security researcher at Sophos. RaaS providers need a way to differentiate themselves from the competition, and it seems that LockBit is branding itself as … the ethical choice. Wait, what?
“LockBit’s apology … appears to be a way of managing its image,” Wisniewski said.
LockBit ransomware has been used in many previous successful attacks on hospitals, so it’s not that health care is off-limits. It seems, however, that LockBit thinks that some of their partners “might see the attack on a children’s hospital as a step too far.”
LockBit claims that the affiliate who was behind the attack on the SickKids Hospital has been blocked from doing any more business with LockBit. It’s fascinating that losing the potential revenue from this one affiliate appears to be less of a concern than the reaction of LockBit’s other customers. However tempting it might be to get misty-eyed about honor among thieves, remember that this is a rare event, and there’s no guarantee that it will ever be repeated. Everyone who isn’t a children’s hospital is still very much a target.