[Security Weekly] SickKids Hospital Hit by LockBit Ransomware, Receives Decryptor Two Weeks Later

sickkids hospital

January 2023, Issue I


1. SickKids hospital hit by LockBit ransomware, receives decryptor two weeks later

The Hospital for Sick Children (SickKids), frequently ranked as one of the best pediatric hospitals in the world, suffered an attack by the LockBit ransomware group that impacted its operations for two weeks during the holiday season.

The Toronto-based teaching hospital was attacked by an affiliate of LockBit on December 18, affecting its website, phone lines, and some clinical and corporate systems. Although medical equipment and services remained functional, patients experienced delays in receiving test results, causing longer than usual waiting times.

On New Year’s Eve, LockBit made an official apology and gave its decryptor to the hospital, blaming the affiliate responsible for the attack for violating the group’s policy on not targeting healthcare organizations. LockBit claimed that the affiliate has now been blocked from its RaaS program.

However, experts suggest that the more likely reason LockBit returned its decryptor is due to the widespread media coverage and pressure from law enforcement, which explains why it took two weeks before it offered the decryptor. The group in fact has a history of attacking hospitals in the past. 

LockBit is currently one of the most active RaaS operations in the world.

Sources: Infosecurity, Global News, CBC


2. Google Ads platform abused by hackers to spread malware via fake landing pages

More and more threat actors are now using Google Search Ads to spread malware to victims who search for popular software products, according to a public service announcement issued by the FBI.

These threat actors create a fake landing page for a legitimate software product. Since Google’s promoted results tend to appear above the official product website, many users end up clicking into the landing page. Some of the fake landing pages spotted included those for Grammarly, Audacity, Slack, MSI Afterburner, OBS, Ring, AnyDesk, and more.

Although Google Ads’ policy enforcers crawl all landing pages for malicious content before approving them to run, these threat actors are able to bypass this security measure by creating both a benign and a malicious landing page. They would then register the benign landing page on the Google Ads platform. Once a user enters the benign landing page through the Google Ads link, they will be redirected by the server to the malicious landing page. Once the user clicks on the download button on the malicious landing page, a trojanized version of the software will be downloaded. However, bots and crawlers landing on the benign landing page directly will not be redirected, which is why Google is not able to detect any problem.

Users are advised to double-check domain names before interacting with an ad landing page, as most fake landing pages contain misspelled or alternative domain names that are different from the legitimate domain.

Sources: FBI, Bleeping Computer


3. Port of Lisbon attacked by LockBit ransomware

Port of Lisbon, officially the Port of Lisbon Administration (APL), suffered an attack launched by the LockBit ransomware gang on Christmas day. The port is the busiest in Portugal and one of the most accessed in Europe, serving both container and cruise ships.

APL immediately disclosed the attack on December 26, stating that its operations were not impacted, and that countermeasures were activated. However, the company’s website remained unavailable for days after the attack.

The LockBit ransomware gang soon added APL to its leak site on December 29, claiming that it had stolen financial and audit reports, contracts, ship logs, cargo information, and the personal information of crew members and customers. The gang demanded a ransom of $1.5 million, and threatened to release all files if demands are not met by January 18. Surprisingly, LockBit also offered to sell all the data exclusively to anyone who is interested at the same price.

Due to supply insufficiencies caused by the pandemic and the ongoing war, cyberattacks on the logistics industry have been on the rise. Throughout 2022, several ports in Europe have been infected with ransomware, leading to operation disruptions and shipment delays.

Sources: Bleeping Computer, GovInfoSecurity


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security