Lessons Learned From The SickKids Hospital Breach: What Went Wrong and How to Prevent It

On December 18, 2022, The Hospital for Sick Children (SickKids), located in Toronto, Canada, was the target of a ransomware incident carried out by the notorious LockBit cybercriminal organization. This dangerous attack disrupted vital hospital functions, leading to delays in obtaining laboratory and imaging results and affecting essential internal networks, telephone systems, and the hospital's website.

This article will examine the SickKids breach, identify the identity security shortcomings that were likely exploited, and offer recommendations for preventing future attacks.

LockBit Ransomware: How it Works

According to Microsoft's 2024 Digital Defense Report, LockBit is widely recognized as one of the most prolific and damaging ransomware operations globally, operating under a Ransomware-as-a-Service (RaaS) distribution model. Under this model, LockBit develops and licenses its ransomware to affiliates who carry out the actual attacks, and the group takes a share of any ransom paid. This approach effectively democratizes ransomware, making it readily accessible to a broad spectrum of cybercriminals, even those with limited technical skills.

LockBit's ransomware tools have enabled a significant number of high-profile cyberattacks, including incidents targeting government agencies in Ontario and Quebec, Canada. These ransomware attacks generally follow a pattern of six distinct phases:

[Figure: 6 Phases of Ransomware]

Analyzing the SickKids Cyberattack: How Did it Happen?

While the precise method the attacker used to infiltrate SickKids' systems has not been disclosed, the organization had several potential vulnerabilities in its identity management practices that could have paved the way for the attackers:

  • Stolen User Logins: It's possible that cybercriminals acquired the legitimate login details of a SickKids staff member with significant system access. This could have been achieved through phishing, social engineering, or credential-stuffing attacks that reuse passwords exposed in earlier breaches.
  • Exploitable Weak Passwords: Inadequate or factory-default passwords protecting critical systems or user accounts may have presented an easy avenue for initial unauthorized entry.
  • Multi-Factor Authentication (MFA) Gaps: If MFA was not consistently enforced across all vital systems and accounts, an attacker who had obtained a valid username and password could have logged in directly, with no second factor standing in the way.
  • Unremediated Software Flaws: Software or systems related to identity and access administration might have contained unpatched security vulnerabilities that the attackers could have leveraged. Notably, a vulnerability had been identified months before the attack and may have been the one exploited.

Post-Incident Review: Lessons Learned

In the aftermath of the mid-December attack, SickKids acted quickly to secure their compromised network, restore operational capabilities, and thoroughly investigate the incident. The hospital activated its established incident response protocols, brought in external cybersecurity experts to assist, and fully cooperated with law enforcement agencies to manage and resolve the crisis. 

Despite this rapid response, it was still several weeks before they could get most of their systems back online. On January 1, 2023, LockBit issued an apology, claiming that the attack was undertaken by an affiliate who went against their guidelines and provided the institution with a decryption key. Four days later, SickKids reported restoration of 80% of their most critical systems, and lifted their internal "Code Grey" emergency status.

While unexpected, this incident offered several lessons we can learn from:

[Figure: 4 Lessons SickKids]

An Ounce of Prevention > A Pound of Cure

So, how can these lessons help you avoid a devastating ransomware infection? Organizations should prioritize implementing the following preventative measures to fortify their identity security framework and reduce their susceptibility to comparable attacks:

Implement Strong Identity and Access Management (IAM) Measures

  • Mandate strong, unique passwords for all user accounts and activate Multi-Factor Authentication across all critical systems and applications, including VPNs, email, and cloud services.
  • Periodically assess and maintain user access rights, ensuring individuals possess only the minimum necessary privileges to perform their job functions. Promptly revoke access for departing employees and contractors.
  • Consider adopting a holistic Identity and Access Management (IAM) solution to effectively manage user identities, enforce access controls, and monitor user activity for suspicious patterns.
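The three measures above translate into a periodic access review. The following script is an added example, not code from SickKids, KeyData Cyber or any IAM product: it runs over a constructed directory export and flags exactly the gaps this article lists (privileged accounts without MFA, access not revoked after departure, privileged roles nobody has used in 90 days). Role names, the 90-day threshold and the sample accounts are assumptions.

```python
"""Access-review checker over constructed account records (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    roles: tuple        # assumed role names, e.g. ("domain-admin",)
    mfa_enabled: bool
    last_login: date
    employed: bool      # False once HR marks the person as departed


# Roles treated as privileged for this review (assumption, not a real schema)
PRIVILEGED_ROLES = {"domain-admin", "ehr-admin", "backup-operator"}
STALE_AFTER = timedelta(days=90)  # assumed review threshold


def review(accounts, today):
    """Return (user, finding) pairs for every account that violates a control."""
    findings = []
    for a in accounts:
        privileged = PRIVILEGED_ROLES & set(a.roles)
        if not a.employed:
            # Departed staff/contractor still has an enabled account
            findings.append((a.user, "revoke: user has left but account is still enabled"))
        if privileged and not a.mfa_enabled:
            # The MFA gap the article calls out, on the accounts that matter most
            findings.append((a.user, "mfa-gap: privileged account without MFA"))
        if privileged and today - a.last_login > STALE_AFTER:
            # Unused privilege is excess privilege: candidate for removal
            findings.append((a.user, "least-privilege: privileged role unused for >90 days"))
    return findings


# Constructed sample directory export (not real SickKids data)
SAMPLE = [
    Account("nurse01", ("clinical-user",), True, date(2022, 12, 15), True),
    Account("itadmin", ("domain-admin",), False, date(2022, 12, 17), True),
    Account("contractor7", ("ehr-admin",), True, date(2022, 8, 1), False),
    Account("legacy-svc", ("backup-operator",), True, date(2022, 6, 30), True),
]


def review_sample():
    """Run the review against the constructed export as of 2022-12-18."""
    return review(SAMPLE, date(2022, 12, 18))


if __name__ == "__main__":
    for user, issue in review_sample():
        print(f"{user}: {issue}")
```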

Proactively Address Security Flaws (Vulnerability Management)

  • Develop a robust vulnerability management program, incorporating regular vulnerability scanning and penetration testing, to rapidly identify and remediate security weaknesses.
  • Harden and maintain systems through regular patching, secure configuration, and continuous monitoring for vulnerabilities and unusual activity.

Adopt a Defense-in-Depth Cybersecurity Strategy (Comprehensive Cybersecurity Solutions)

  • Implement a Zero-Trust security model where every access request is verified, regardless of its origin (internal or external network). This model operates on the principle of "never trust, always verify" for all users and devices at every access point.
  • Deploy Endpoint Detection and Response (EDR) solutions to observe endpoint behavior, detect malicious actions, and enable real-time threat response, adding a critical layer of endpoint security.
  • Establish secure remote access solutions like VPNs with strong authentication methods and encryption. Implement access controls to restrict remote access to authorized users and devices only, securing a key perimeter.
  • Provide employee education on common cyber threats, such as phishing and social engineering tactics. A well-trained workforce forms a crucial human layer in your defense-in-depth strategy.

Maintain a Well-Defined and Tested Incident Response Plan (Incident Response Planning)

  • Roll out a thorough incident response plan detailing the steps to be taken in a cyberattack. Conduct regular exercises to validate the plan's effectiveness, ensuring readiness for potential incidents.
  • Develop a strong data backup strategy, incorporating offline backups that ransomware on the network cannot reach. Robust, regularly tested backups are a fundamental component of incident response, enabling data recovery and business continuity after an attack.

Applying What We've Learned

The SickKids ransomware incident is a stark reminder that no organization, regardless of its size or mission, is immune to cyberattacks. While the hospital's rapid response and eventual recovery showcased resilience, it still faced significant disruptions that affected patient care.

A reactive approach is simply insufficient in a world where sophisticated ransomware like LockBit is readily available. Organizations must embrace a defense-in-depth strategy, prioritizing robust identity and access management, proactive vulnerability management, and comprehensive employee training. To learn more about how to defend against ransomware attacks effectively, contact KeyData Cyber today for a comprehensive workshop. 

Copyright © 2024 KeyData Cyber. All Rights Reserved.
