Wed | Jan 4, 2023 | 3:22 AM PST

In a surprising turn of events, the ransomware gang responsible for targeting Toronto's SickKids Hospital has apologized for the attack and offered a free decryptor to the hospital.

The LockBit gang encrypted the hospital's data and demanded a ransom for the decryptor, but the hospital refused to pay and instead worked to restore its systems from backups.

Despite the hospital being able to somewhat recover without paying the ransom, the cybercrime gang still made the unexpected move to apologize and provide a free decryption key. The only question is, why?

On December 18th, SickKids shared a statement, saying it discovered "a cybersecurity incident affecting several network systems," prompting the hospital to activate its incident management command center.

SickKids learned that the incident impacted only a few internal clinical and corporate systems, as well as some hospital phone lines and webpages. Eleven days later, the hospital shared another message:

"Almost 50 per cent of priority systems have been successfully restored following the cybersecurity incident and others are in progress."

It was then two days after this statement that LockBit decided to reverse course on the ransomware attack. Cybersecurity analyst and security researcher Dominic Alvieri shared this tweet: 

It is certainly rare to see a ransomware operation publicly apologize and offer to assist their victim in recovering, though the question still remains, why?

There's a few possible explanations for this scenario. 

In the gang's statement, they claimed that they did not realize the target was a children's hospital and that they would never have done so if they had known. Though, almost two weeks elapsed between the discovery of the attack and the release of the decryptor.

It is possible that the gang made this decision in an effort to repair their reputation and avoid negative publicity. Obviously, targeting hospitals and healthcare is morally questionable, and it's likely that an attack like this would catch the attention of some authorities.

It is also possible that they simply wanted to resolve the situation and move on. With nearly two weeks gone by, perhaps their ransom negotiations stalled and the gang wanted to find their next target.

This incident serves as a reminder to all organizations to avoid paying a ransom and that doing so does not guarantee your data will be returned.

[RELATED: Royal Ransomware Targeting U.S. Healthcare]

Follow SecureWorld News for more stories related to cybersecurity.