French hospital Center Hospitalier Sud Francilien (CHSF) suffered a cyber attack that disrupted operations forcing the facility to postpone appointments and refer patients elsewhere.
The suspected LockBit 3.0 ransomware attack rendered the facility’s “business software, storage systems, including medical imaging, and information system relating to patient admissions inaccessible” from August 21.
Subsequently, the French media outlet Le Monde quoted a security agency saying that the threat actor had demanded $10 million for the decryption key.
The Corbeil-Essonnes-based, 1,000-bed capacity facility serves the greater Paris area with over 600,000 residents. Thus, such a ransomware attack puts many human lives at risk.
“Any business that is a victim of a ransomware attack is a bad thing,” said Jelle Wieringa, Security Awareness Advocate at KnowBe4, “But in the case where human lives are at stake, it can become disastrous very quickly. Attacks on hospitals show that ransomware gangs only care about one thing, getting paid.”
French hospital resorts to manual system after a ransomware attack
The French hospital stated that inpatient vital emergency services remained operational, although patients requiring access to the technical platform would be referred to other regional public facilities. Additionally, the hospital admitted that the ransomware attack significantly impacted some areas, such as the operating room, which depends on the technical platform.
CHSF also instituted necessary measures to ensure admitted patients continued to receive medical care. Any adversely affected patients would be informed of any changes in patient care routine and possibly transferred to other regional hospitals.
However, the French Hospital disclosed that the ransomware attack did not affect the facility’s security, and all networks remained operational with a few exceptions.
“This attack does not impact the operation and security of the hospital building. All networks remain in operation (telephone except fax, automated distribution flows, etc.),” the statement read.
France24 reported that staff at the French hospital had resorted to manual systems for prescriptions and filing patient information. CHSF says that the reliance on manual systems had introduced longer wait times, urging patients with medical emergencies to seek assistance elsewhere.
The French hospital notified local law enforcement agencies and the National Information Systems Security Agency (ANSSI), which commenced an investigation for potential criminal cyber extortion.
Increased ransomware attacks on healthcare organizations
Attacks on French hospitals have increased by 70% since 2020, with 2021 recording 380 cyber security incidents, according to the French international media station.
“This incident comes after an increase in ransomware attacks on French hospitals during the pandemic and again in February 2021 (Dax-Côte d’Argent hospital) and in April 2022 (GHT Cœur Grand Est hospital),” noted Sally Vincent, Senior Threat Research Engineer at LogRhythm.
Similarly, cybersecurity firm Sophos reported that ransomware attacks on healthcare organizations doubled between 2020 and 2021. Healthcare organizations are more likely to pay a ransom than other businesses despite the slim chances of recovering all data.
However, the director of CHSF had reportedly ruled out any possibility of paying the outrageous ransom.
LockBit 3.0 ransomware breaks its promise?
Security experts attributed the French hospital ransomware attack to LockBit 3.0 despite the ransomware gang promising not to target healthcare organizations.
LockBit has not taken responsibility for the ransomware attack. However, an affiliate of the ransomware-as-a-service (RaaS) operation could be responsible for the attack.
“The LockBit group has a strong RaaS program, and their ransomware is very widely used,” Vincent said, “If the attacker was using LockBit ransomware, it violates LockBit’s RaaS terms of service to attack a healthcare provider, and it will be interesting to see if LockBit publicly responds to this attack.”
Potentially LockBit ransomware could also be responsible for the attack since criminals rarely keep their promises. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, said the attack demonstrated that ransomware gangs do not respect ethical boundaries and can trigger life and death situations to get paid.
The ransomware gang also claimed to be apolitical. However, it has conveniently avoided attacking Russia, China, and other U.S. geopolitical rivals in the East.
CHSF has not released more information about the attack, including initial access vectors. However, the French website LeMagIT reported that the threat actor likely leveraged a support account of a third-party vendor, Corilus, to compromise the healthcare organization.