Last month, a school district in Illinois was targeted in a ransomware attack that held its systems hostage. The criminals threatened to release the information on the dark web if they didn’t receive payment within a week.
So far, there is nothing spectacular about this story. It’s standard operating procedure for ransomware gangs, who break into organisations, encrypt their data and demand payment – typically in bitcoin – in exchange for a decryption key.
There are hundreds of these incidents each year, with the ransomware industry reportedly worth more than £363 million in 2022.
Schools are among the most frequently targeted, so the attack on Olympia CUSD (Community United School District) would ordinarily be nothing more than a footnote in a ledger filled with countless cyber attacks.
However, things took an unexpected turn after LockBit, the group that created the ransomware strain used in the attack, abruptly apologised for last week’s attack and promised to decrypt the organisation’s data.
In a statement on its website, a LockBit administrator wrote:
Please forgive me for allowing the attack on small innocent children, the stolen data has been deleted, to get the decryptor please give me the decryption id. I am very ashamed, but I can not control all partners, anyone can join my affiliate program as well as break the rules, I have blocked this partner.
As a ransomware-as-a-service provider, LockBit allows affiliates to use its malware and infrastructure to carry out attacks in return for a cut of any ransom payment received.
The group’s sprawling nature means it’s almost impossible for a single person to regulate its attacks.
In this instance, it appears as though the attack breached LockBit’s code of conduct, with the group’s figureheads unhappy with their crooks’ choice of target.
Shame and forgiveness
In the days since LockBit’s administrator made their statement, there has been much discussion of what it all means. Cyber security researcher Graham Cluley asked, “is it possible ransomware gangs actually do have a heart?”, while some online commenters were more sceptical.
Nonetheless, the consensus is that this is a good news story. Ransomware gangs are often dehumanised, perhaps rightly, for their ruthless and irresponsible behaviour. Their attacks cripple individuals and organisations, and in extreme circumstances, they can bankrupt victims and put their employees out of work.
To hear a cyber criminal say that they are “ashamed” of an attack and ask for forgiveness will, for some, be a breath of fresh air.
As Cluley writes: “I don’t believe that empathy and human decency is something that is commonly encountered inside ransomware gangs, as they have spent years profiting from the misery and hardship of others.
“But I am pleased, on this occasion at least, that LockBit appears to have thought again and lessened the pain of the school district, its staff, and pupils.”
The end of ransomware?
For all the good vibes surrounding this story, there remains an unavoidable question: why apologise now? This attack was no more severe or damaging than the countless others that cyber criminals – particularly those using the LockBit ransomware strain – have conducted.
A Trend Micro report found that the malware was detected at more than 300 schools in a six-month period between 2021 and 2022.
More recently, the Texas Department of Information Resources released a statement addressing “a significant increase in ransomware attacks against school districts […] associated with a ransomware variant called LockBit 3.0”.
Meanwhile, within the past few months LockBit has been used in attacks on Pinewood Schools in New Jersey, the White Settlement Independent School District in Texas, Matrix International Schools in Malaysia and the Kortrijkse Rijschool in Belgium.
Do attacks on these facilities not also affect “small innocent children”?
If criminal hackers have decided that attacks in which innocent people are harmed are no longer acceptable, then that’s the end of ransomware. There is no cyber attack in which innocent bystanders are not affected.
Although we agree that the LockBit gang’s decision to call off the dogs on this occasion is a positive development, one has to wonder if it’s not operating under a double standard, or if there was another, more specific reason for its decision.
The incident recalls hackers’ vow not to target healthcare firms during the peak of the pandemic, a promise that lasted until a woman died after being turned away from a hospital that was under attack from ransomware.
We will wait in hope that ransomware gangs had a heart all along, but we suggest that organisations in all sectors, and schools especially, do not take this story as an indication that they will no longer be in the firing line.