Skip to Content

LockBit Ransomware Gang Gives Decryptor to Toronto Children’s Hospital

Updated on 2023-01-05: SickKids ransomware attack

The LockBit ransomware gang has apologized for its attack on the Sick Kids Hospital chain and released a free decrypter to help the victim recover files without paying.

LockBit ransomware gang has apologized for its attack on the Sick Kids Hospital chain.

Updated on 2023-01-02

LockBit apologized for the attack on SickKids, Canada, and released a free decryptor for the hospital. It claimed to have blocked the affiliate responsible for the attack.

We formally apologize for the attack on and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.

Updated on 2023-01-01: LockBit Ransomware Gang Gives Decryptor to Toronto Children’s Hospital

Operators of LockBit ransomware have given Toronto’s Hospital for Sick Children a free decryptor after the facility became the victim of a ransomware attack in mid-December. The cyber incident resulted in delayed lab and imaging results and longer wait times for patients. LockBit operates as ransomware-as-a-service.


  • The attack violated LockBit’s code of ethics, and they removed the affiliate who executed the attack from their network. But they still took long enough to release the decryptor that the hospital was able to restore over 50% of systems to operational status. The motivation here is likely to paint a positive picture to influence future victims to trust them and pay their fees.
  • While this is good news and shows that even criminal elements have a code a conduct, the fact remains that the IT enterprise had not implemented basic cyber hygiene practices. The recently published ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.
  • Let’s not let this story cloud our judgement about the criminal intent and damage ransomware operators cause. Even with the decryption key, the hospital will still need to keep systems offline until they can be sure those systems are not compromised in any way. Getting the decryptor key does not magically reverse the damage and disruption caused by ransomware attacks.
  • LockBit gets little credit for this in my book. I can count; by my reckoning healthcare remains the favorite target for extortion attacks. This is only in part because it is a soft target. In part it is because we will pay to restore care to sick kids.

Updated on 2022-12-29

Approximately 50% of priority systems have been successfully recovered after the cybersecurity incident, and the remaining systems are in the process of restoration. Read more: Many SickKids systems restored following cybersecurity incident

Updated on 2022-12-28: Toronto Children’s Hospital Ransomware Attack

An apparent ransomware attack affecting the network of the Toronto (Canada) Hospital for Sick Children has caused delays in its treatment and diagnostic services. The attack occurred on December 19. According to the most recent update (December 23), the hospital said that it “anticipates it could still be weeks until all affected systems are completely online.”


  • So you restored priority services, and you’re down to the supporting systems, do you take a break and send home the “tiger team” or do you keep moving until you’re back at 100%? This needs to be part of your planning. Yes, that concentrated team of experts is costing you, but your business impact may be more. Be prepared for unexpected interdependencies, as well as unexpected systems which are operating. Review and testing of the BC/DR plan to make sure as much as possible is well known becomes so important.
  • Another week, another ransomware attack. In recent NewsBites we’ve discussed that the global Healthcare sector is a specific target of cyber criminals. Organizations that make up that critical infrastructure sector can’t say they haven’t been warned. In this case, why weren’t the ample warnings that the sector is being targeted enough for the security team to revisit cyber defense plans and validate their security posture against ransomware attack.
  • Hospitals continue to be the target of choice for extortion attacks. It is urgent that they isolate patient facing applications from public network-facing applications and use end-to-end application layer encryption for any applications that do both.


Updated on 2022-12-27

SickKids aka Hospital for Sick Children, Toronto, revealed its struggle to restore systems impacted by a ransomware attack. To date, there is no evidence that individuals’ PHI was impacted. Read more: Update on SickKids response to cybersecurity incident


The Hospital for Sick Children, Toronto, suffered a cybersecurity incident that affected its web pages, clinical systems, and phone lines. Read more: SickKids responding to cybersecurity incident

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on