Skip links

LockBit shows no remorse for ransomware attack on children’s hospital

Ransomware gang LockBit is claiming responsibility for an attack on a Chicago children’s hospital in an apparent deviation from its previous policy of not targeting nonprofits.

Stooping to new lows, the criminals are reportedly unwilling to reverse the attack on Saint Anthony Hospital, as they had done in previous cases such as Toronto’s SickKids hospital.

What’s more, it apparently thinks a nonprofit hospital has the funds to pay a $800,000 ransom. Saint Anthony Hospital has not explicitly stated whether it will or won’t pay, but with a sum this large it’s highly unlikely that it would ever consider paying, let alone have the funds available to do so.

The deadline for payment has been set at 01:41 UTC on February 2. A $1,000 payment would extend the timer for 24 hours, and $800,000 is the price assigned to the data – that goes for both the destruction of it or the purchase of it by other parties.

Saint Anthony Hospital confirmed the attack via a statement published this week, saying files containing patient information had been copied by an unknown attacker. The hospital didn’t specify the nature of the stolen data but confirmed no medical or financial records were accessed.

LockBit’s intrusion began on December 18 but the hospital’s internal investigation didn’t conclude patient data was compromised until January 7. In the meantime, it said it took immediate action to secure its network and ensure patient care remained uninterrupted.

“Saint Anthony holds cybersecurity and the privacy of patient information in its care as top priorities,” it said [PDF]. “Our prompt response to this event allowed us to continue providing patient care without disruption.

“As part of Saint Anthony’s ongoing commitment to data privacy, we are working to review existing policies and procedures and implement additional ones as needed. Saint Anthony promptly reported this incident to the FBI and is cooperating with their investigation. We also reported this incident to appropriate regulators, including the US Department of Health and Human Services.”

As the review of the incident progresses, the hospital said it would notify those it believes are impacted by the data theft. Until then, all patients are advised to remain vigilant to identity or financial fraud attempts and sign up for a free year of credit monitoring.

LockBit had in some previous cases shown a degree of restraint when targeting the likes of hospitals and other nonprofits, yet appears to be loosening the shackles on its affiliates, allowing them to target any organization they’re able to breach.

In response to an affiliate that attacked Toronto’s SickKids hospital last year, LockBit formally apologized, issued a free decryptor, and supposedly booted that affiliate out of its program for violating the rules.

In a post to its leak blog this week, LockBit said: “Always US hospitals put their greedy interest over those of their patients and clients.”

We’ve been unable to get in touch with the spokesperson for the gang to ask about the attack and shift in approach, but the malware collectors at vx-underground were under the impression that LockBit was either ignorant to the fact Saint Anthony was a nonprofit, or simply didn’t care.

Asked about the reasons for the attack, the gang reportedly responded by sending the hospital’s financial disclosures, suggesting it either thought it was indeed a corporate entity or confused the meaning of “nonprofit” for an organization that generates zero revenue.

Saint Anthony’s website clearly states that it’s “an independent, nonprofit, faith-based, acute care, community hospital.” So the decision to press ahead with the attack appears to be nothing more than a senseless money grab.

“If you attempt to educate and present information to LockBit administrative staff on nonprofit institution laws in the United States they will state the organization is corrupt and they will imply (directly or indirectly) it is a money laundering operation and the facility is dirty and deserves to be ransomed,” said vx-underground.

“In summary: the rules are a facade.”

Similar ignorance was demonstrated by LockBit leadership in attacks on the education sector, flippantly responding by saying: “If they have money for computers, they have money to pay me.”

Jake Moore, global cybersecurity advisor at ESET, said that cybercriminals will always pursue attacks that align with their business goals.

“Although ransomware gangs may have chosen to avoid organizations such as hospitals and not-for-profits in the past, business is business and criminal goals are no different.

“The evolution of cybersecurity over the last decade has proved that criminal gangs have also had to pivot in terms of how they attack and financially conquer. Ransomware has become a different beast where data has become even more of the focal point in the way it has become a weapon of extortion rather than just relying on an encryption attack followed by ransom demands.

“No one remains safe from these attacks whether they are targeted or caught up in larger campaigns. Companies should never believe they are foolproof due to the nature of their business, nor should they reduce the best possible protection they have to offer.” ®