The CEO was losing their patience.
Their company had been hacked, their data stolen, and they were now deep into a heated negotiation with a representative of the organization that was holding their files for ransom.
In a moment of frustration, the company CEO started swearing.
That, the negotiator informed them, was unacceptable.
“He said, ‘Sir, I’m sorry, I’ve been nothing but respectful to you. If you can’t be respectful to me, then we’re going to end this conversation,’” recalls Allan Liska, a cybersecurity expert who helps companies retrieve their assets and the author of the book Ransomware: Understand. Prevent. Recover.
“And I’m like, you’re a thief, you bastard. You don’t get to be indignant about somebody cussing at you.”
It’s a glimpse into the veneer of professionalism and civility practised in the world of ransomware — a milieu that was cast into the spotlight yet again this week amid an attack on the Hospital for Sick Children in Toronto.
Ransomware is malicious software that, once an attacker has broken into a company or institution's computer network, encrypts its files; the attacker then demands payment for the decryption key before the victim can regain access to its own data. Most groups now also steal copies of the files before encrypting them and threaten to publish the data if the ransom is not paid.
The groups perpetrating them often describe the attacks as a service known as pen testing, or penetration testing, claiming they’re actually helping companies identify security vulnerabilities in their systems.
“When some of them release the key (the decryption key needed to unlock the encrypted files) and victims pay, they’re like ‘Well, here’s how we got in. And here’s how we moved around. And here’s what we recommend you moving forward to protect yourself,’” Liska said.
It’s a lucrative business. In 2021, Canadian companies paid more than $600 million to recover their digital assets due to ransomware attacks, according to Statistics Canada, up from $400 million in 2019.
And that’s only the private sector; there have also been attacks on government, notably when hackers targeted Newfoundland and Labrador’s health-care system, froze the province’s online infrastructure and “accessed” patients’ personal information. The attack affected medical procedures.
Last week, SickKids was the victim of a cyber attack; this week the shadowy organization LockBit acknowledged that its software had been used in the attack … and apologized.
LockBit blamed the attack on a “partner.”
“We formally apologize for the attack on sikkids.ca (sic) and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program,” LockBit said on its website, which is reachable only over the Tor anonymity network, the so-called dark web.
Cybersecurity experts who spoke to the Star said it’s not the first time a children’s hospital has been the victim of a ransomware attack, but it’s the first time they’ve seen a group apologize for it.
In its most recent update, SickKids said it has restored more than 60 per cent of its priority systems and that restoration efforts were ongoing. It added that it has not made a ransomware payment and that there’s no evidence to date patients’ personal information has been compromised.
The hospital also said it was aware of a statement by the group about a free decryptor and was using third-party experts to evaluate it.
Through a contact listed on its website, a LockBit representative said it would answer questions from the Star but ultimately did not provide a written response before publication of this story.
It’s unclear why LockBit decided to apologize for the attack, or what rule the partner violated, but LockBit has something resembling a code of conduct on its website, including who and what is off limits.
LockBit makes no mention of children’s hospitals, but states that “critical infrastructure” — such as nuclear and hydroelectric power plants — are forbidden targets, as is the oil and gas industry.
It’s not that the organization suddenly grew a conscience out of its sympathy for sick children, contends Brett Callow, a threat analyst with anti-malware company Emsisoft, but more likely that it is simply mindful of the optics of attacking a children’s hospital.
“I wouldn’t say (they have) compassion at all. I would say business sense. … They could simply have decided that this attack really wasn’t a good idea because it would make it harder for them to collect ransoms in the future,” Callow said. “Companies just aren’t going to want to be seen to be financing a group that attacks kids hospitals.”
It turns out that LockBit is a third-party provider. LockBit is the name both of the ransomware itself, the software that encrypts a victim’s files, and of the group that writes it and leases it out to others in what the industry calls ransomware-as-a-service.
BlackBerry, which has shifted its focus from mobile devices to cybersecurity, says the LockBit group describes itself as the “Robin Hood” of ransomware groups because it purportedly does not target health care, education, charitable or social service organizations.
LockBit’s business model involves the group offering its hacking software to “affiliates,” or partners, then taking 20 per cent of the proceeds when the hacker successfully gets its victim to pay a ransom.
Liska described it as “the most evil multilevel marketing plan that you’ve ever seen.”
Meanwhile, the partner is responsible for carrying out the attack itself. Initial access can be something as simple as a malicious link or attachment in an email, known as phishing. Once inside, the partner obtains administrator credentials, moves through the network, steals copies of files and finally runs the encryptor over the victim’s data.
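Seen from the defender’s side, the last step of that chain is noisy: an encryptor rewrites thousands of files in minutes, usually tagging each one with the same new extension. The following is an added example for this article, not code from LockBit, SickKids or any vendor product. It reads a constructed file-activity log and flags an account that renames many files to one new extension within a short window. The log format, the host and user names, the “.locked” extension and the thresholds are all assumptions.

```python
"""Detect ransomware-style mass renames in a file-activity log.

Added example for this article; it is not code from LockBit, SickKids or any
vendor. It assumes a constructed log format (one event per line):

    <epoch seconds> <host> <user> <action> <path> [<new path>]

with action READ, WRITE or RENAME, and paths without spaces. Real file-audit
or EDR telemetry looks different; the detection logic is what matters.
"""
import os
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60   # assumed tuning: look-back window per (host, user)
THRESHOLD = 5         # assumed tuning: extension-changing renames to alert on

# Constructed sample: two staff do ordinary work, then the account
# "svc_backup" (assume the affiliate obtained its credentials) rewrites
# files across several shares with one new extension within seconds,
# which is what an encryptor running against a file server looks like.
SAMPLE_LOG = """\
1672531200 FS01 alice WRITE /share/finance/q4-forecast.xlsx
1672531201 FS01 alice RENAME /share/finance/draft.docx /share/finance/final.docx
1672531202 FS01 bob RENAME /share/hr/notes.txt /share/hr/notes.md
1672531203 FS01 svc_backup READ /share/finance/q4-forecast.xlsx
1672531203 FS01 svc_backup RENAME /share/finance/q4-forecast.xlsx /share/finance/q4-forecast.xlsx.locked
1672531204 FS01 svc_backup READ /share/hr/handbook.pdf
1672531204 FS01 svc_backup RENAME /share/hr/handbook.pdf /share/hr/handbook.pdf.locked
1672531205 FS01 svc_backup RENAME /share/hr/payroll.csv /share/hr/payroll.csv.locked
1672531206 FS01 svc_backup RENAME /share/legal/contract.docx /share/legal/contract.docx.locked
1672531207 FS01 svc_backup RENAME /share/legal/nda.pdf /share/legal/nda.pdf.locked
1672531208 FS01 svc_backup RENAME /share/it/inventory.xlsx /share/it/inventory.xlsx.locked
"""


def parse_event(line):
    """Split one log line into (ts, host, user, action, paths), or None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = int(parts[0])
    except ValueError:
        return None
    host, user, action = parts[1], parts[2], parts[3].upper()
    return ts, host, user, action, parts[4:]


def new_extension(old_path, new_path):
    """Return the extension a rename introduced, or None if it is unchanged."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None


def detect_mass_renames(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per (host, user) that renames at least `threshold`
    files to a common new extension inside `window` seconds.

    The 80 per cent uniformity check filters out a user who renames a few
    unrelated files; an encryptor tags every victim file the same way.
    """
    recent = defaultdict(deque)   # (host, user) -> deque of (ts, new_ext)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ts, host, user, action, paths = event
        if action != "RENAME" or len(paths) != 2:
            continue
        ext = new_extension(paths[0], paths[1])
        if ext is None:
            continue
        key = (host, user)
        q = recent[key]
        q.append((ts, ext))
        while q and ts - q[0][0] > window:    # drop events outside the window
            q.popleft()
        if len(q) < threshold or key in alerted:
            continue
        top_ext, top_count = Counter(e for _, e in q).most_common(1)[0]
        if top_count >= 0.8 * len(q):
            alerted.add(key)
            alerts.append({
                "host": host,
                "user": user,
                "extension": top_ext,
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_renames(SAMPLE_LOG):
        print(f"ALERT {alert['host']} user={alert['user']} renamed "
              f"{alert['count']} files to {alert['extension']} in "
              f"{alert['last_seen'] - alert['first_seen']}s")
```

Run as-is it reports the single svc_backup burst and nothing for alice or bob. Renames are only one signal: some encryptors overwrite files in place, and the data theft that precedes encryption leaves no rename trace at all, so a real deployment pairs a check like this with volume and entropy monitoring and allowlists legitimate bulk operations such as backup jobs.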
This allows LockBit to essentially sit back and let its partners do the dirty work.
“If you’re a ransomware operator, the people that make this software, they’re untouchable,” says David Shipley, CEO and co-founder of Beauceron Security.
“They’ve got HR teams, subcontractors, and contractors may not even know that they’re developing code (for hackers). … These are sophisticated operations,” he added.
The U.S. Department of Justice says LockBit’s software has been used against at least 1,000 victims in the United States and around the world.
In a post on a Russian-language cybercrime forum, an account named LockBitSupp explained there was a delay in discovering that one of its partners had attacked a children’s hospital.
According to the post, someone reached out to LockBit and called them “scoundrels” for the attack.
“I figured out the situation, punished the guilty and issued a decryptor. No one was hurt or died.”
LockBit also forbids its partners from attacking Russia and any post-Soviet countries, which it claims is because most of its developers and partners were born and grew up in the Soviet Union.
The company says it is based in the Netherlands, although Callow and Liska said it’s almost certainly based in Russia.
LockBit says it allows its partners to attack non-profit organizations and schools, and says it is “very commendable” to attack police stations and other law-enforcement agencies because they “do not appreciate our useful work.”
“It is allowed to very carefully and selectively attack medical related institutions such as pharmaceutical companies, dental clinics, plastic surgeries, especially those that change sex,” LockBit’s website states.
“It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like. … It is allowed to steal data from any medical facilities without encryption.”
Cybersecurity experts told the Star LockBit is among the “top tier” of ransomware groups. Their ransom demands have raked in at least $100 million to date, according to a November statement from the United States Department of Justice, detailing the arrest of a Russian-Canadian man affiliated with LockBit.
The release called LockBit’s software “one of the most active and destructive ransomware variants in the world.”
“You couldn’t do that with just a group of 10 or 15 or even 20 people,” Liska said. “You need hundreds of affiliates to be able to get to that level.”
It’s believed LockBit has partners all around the world; its affiliates have been arrested in Asia, Europe, South America and here in Canada.
While Liska praised the RCMP for their track record of arresting LockBit affiliates, Shipley said the government is still not taking cybercrime seriously enough, especially when compared to the United States.
“We’re a decade behind. And we can’t afford it. Because at the end of the day you know who’s paying for our lapse in our security? Children with cancer. In Newfoundland it was adults with cancer. … It is our most vulnerable Canadians,” Shipley said.
“If there’s anything that’s sacred across this country that we can all unite behind consistently, it’s universal access to health care. Well, guess what falls apart if your hospital is hacked?”