Despite crackdown, LockBit cyberattacks on hospitals may continue

Despite a recent high-profile multilateral crackdown, attacks on hospitals and nonprofits under the name of ransomware syndicate LockBit are expected to continue, industry experts told The Asahi Shimbun.

Law enforcement agencies from 10 countries, including the FBI, Britain’s National Crime Agency and Japan’s National Police Agency, arrested two key LockBit members in Poland and Ukraine in February through a joint investigation dubbed Operation Cronos.

LockBit’s official website now displays the message, “The site is now under control of law enforcement,” accompanied by emblems of the agencies involved, including Europol.

“I believe this is a crucial blow to their organization and reputation,” said a founding member of “vx-underground” (VXUG), an international group of cybersecurity experts that has been calling on LockBit to stop ransomware attacks on hospitals and nonprofits.

But the member, who goes by the name of Smelly, said he does not believe the attacks will cease.

“They will be back in days, weeks or months. It is only a matter of time.”

Key LockBit members have a poor grip on outside collaborators known as “affiliates,” who conduct ransomware attacks for remunerations, according to experts.

A cybersecurity company employee in his 20s who is a VXUG member contacted a senior LockBit member through a chat in January 2022, about three months after LockBit destroyed electronic medical records at Handa Hospital in Tsurugi, Tokushima Prefecture.

The LockBit member blamed an affiliate for arbitrarily attacking the hospital, adding that there are more than 100 such outside collaborators, according to the Japanese white hacker.

“idk (I don’t know) about it,” the message said about the attack on Handa Hospital. “We not attack hospitals, only businesses.”

LockBit sent a program to restore broken medical records at Handa Hospital for free.

Experts found that the program, named “lovejapan,” functioned correctly, but the hospital had already repaired the records on its own two weeks earlier and had restarted seeing patients.

The LockBit member in the chat also noted that the cybercrime syndicate would not attack hospitals in the future.

However, LockBit then attacked the Hospital for Sick Kids, a leading pediatric institution in Toronto, in December 2022.

In a statement released about two weeks later, the syndicate apologized and offered to provide a restoration program for free.

It appeared that key LockBit members had not realized the attack had occurred until VXUG contacted the organization, according to sources.

Smelly said LockBit claimed it had a rule that forbids attacks on healthcare facilities and nonprofit institutions.

However, 67 medical institutions were attacked by LockBit in 2023 alone, according to U.S. cybersecurity company Recorded Future.

“We tried to prevent ransomware attacks, but we have never had success,” said Smelly, who called LockBit’s rule “a facade.”

Smelly has been in touch with a self-professed LockBit administrator since the end of 2019, the year when the group started its activities.

He described Lockbit administrators as “career criminals and master extortionists.”

“They are unimaginably greedy, cruel and heartless and are indifferent (to) the harm they cause (to) people and organizations,” he said.

In a statement released a few days after the crackdown, the LockBit administrator said, “I’m sure (the FBI) can’t catch me, looking at the way they work.”

The individual launched multiple “official” websites and listed organizations that have been newly attacked.

VXUG also confirmed seven related sites on the dark web. The Asahi Shimbun