Why it matters: LockBit is a "ransomware-as-a-service" operation where the malware creators and operators manage the backend, while affiliated "partners" breach victims' networks. Sometimes, this chain of operations can lead to a clash between parties - especially when the affiliates go against the ransomware's formal business policy.

It's been a busy end of year for LockBit, the infamous ransomware operation offering its encryption capabilities to script kiddies and other interested partners in crime. The ransomware was first responsible for an attack against the Port of Lisbon Administration, which manages Portugal's third-largest port and one of the most accessed ports in Europe.

The Port of Lisbon was targeted by LockBit on December 25, but according to the port's administration, no operational activity was compromised. All the security measures designed as a response to this type of occurrence were quickly activated, the organization said, while it was working with the competent authorities to restore the affected systems.

As a matter of fact, the Port of Lisbon's official website is still offline, and LockBit has already published a ransom note on their official site within the Tor darknet. The cyber-criminals are asking for a hefty price ($1,500,000) to be paid by January 18, 2023, otherwise they will publish all the data they were able to steal from the port's servers.

The LockBit gang says they got their hands on financial reports, audits, budgets, contracts, cargo information, ship logs, documentation, email messages and other valuable business or personal data. That's totally fine to encrypt, steal and sell to interested parties, because Port of Lisbon is not a children's hospital like the second outstanding victim LockBit collected at the end of 2022.

On December 18, one of LockBit's affiliates attacked the Hospital for Sick Children (SickKids), a Canadian teaching hospital devoted to child healthcare. The attack impacted internal and corporate systems, phone lines, and the hospital website. While just "a few" systems were compromised, patients had to deal with delays in exam results and longer wait times.

According to a later update, the SickKids team was able to restore almost 50% of the hospital's priority systems while others were still in progress. However, on new year's eve, the LockBit gang posted a note to "formally apologize" for the attack against the Canadian hospital. "The partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," the cyber-criminals said.

LockBit gave SickKids a free decryptor to restore the encrypted data, even though the hospital was already in the process of restoring all the systems by itself. According to LockBit's policy, affiliates of the ransomware operation have no permission to attack medical institutions to avoid accidental deaths. Stealing data is still allowed, however.