Ransomware | Resolved

SickKids hospital ransomware attack

Toronto's Hospital for Sick Children was hit by a ransomware attack over the December 2022 holidays that delayed lab and imaging results; in a rare move, the LockBit gang apologized, blamed a rogue affiliate, and released a free decryptor.

Victim: The Hospital for Sick Children (SickKids)

On 18 December 2022, The Hospital for Sick Children (SickKids) in Toronto — one of the largest and most respected pediatric hospitals in the world — was struck by a ransomware attack during the holiday period, disrupting clinical and corporate systems at a children's hospital and triggering an unusual sequence of events involving the LockBit ransomware cartel.

What happened

The attack impacted internal and corporate systems, hospital phone lines, and the SickKids website. The hospital activated a Code Grey — its designation for a system failure — and warned that the incident was causing delays in retrieving lab and imaging results and contributing to longer patient wait times. Critically, the attack encrypted only a limited number of systems, and SickKids emphasized that no patient transfers or operational shutdowns were required.

SickKids worked through the holidays to restore service, reporting roughly 50% of priority systems back online by 29 December and a near-complete recovery by mid-January 2023. The hospital stated it found no evidence that personal information of patients or staff had been compromised.

A rare apology from LockBit

The most notable feature of the incident was the response of the attacker. On 31 December 2022, the LockBit ransomware-as-a-service group posted a public statement apologizing for the attack and offering SickKids a free decryptor. LockBit claimed that one of its affiliates had violated the gang's stated rules prohibiting attacks on healthcare and other "critical" institutions, and that the offending partner had been blocked and expelled from its affiliate program.

SickKids acknowledged the apology and said it was analyzing the decryptor while continuing its own remediation. Security experts cautioned that such tools typically recover only about two-thirds of encrypted files and questioned whether LockBit's gesture was genuine remorse or a reputation-management and recruitment tactic — the group notoriously declined to extend the same courtesy to other victims.

Impact

  • Clinical delays in lab and imaging results and longer patient wait times over a multi-week period.
  • Disruption to phone systems and the public website.
  • No confirmed theft of patient or employee data.
  • A near-complete recovery within roughly four weeks.

Why it matters

The SickKids attack crystallized the debate over ransomware affiliates targeting hospitals and the hollowness of cybercriminal "ethics." It demonstrated both the real-world clinical risk of attacks on pediatric care and the chaotic accountability inside ransomware-as-a-service operations, where a central brand like LockBit could publicly disclaim an affiliate's actions yet bear ultimate responsibility for arming them. The episode became a frequently cited example in healthcare cybersecurity and in the international law-enforcement campaign that would dismantle LockBit's infrastructure in 2024.

Timeline

  1. SickKids detects a ransomware attack affecting internal and corporate systems, phone lines, and its website.

  2. The hospital declares a Code Grey (system failure) and reports delays in lab and imaging results.

  3. SickKids says it has restored about half of its priority systems.

  4. The LockBit gang apologizes, says an affiliate broke its rules by attacking a hospital, and offers a free decryptor.

  5. SickKids confirms it is aware of the apology and is testing the decryptor while continuing its own restoration.

  6. SickKids reports systems are back up and running, with no evidence of patient or employee data theft.
