The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries.
CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency.
“This attack on the computer network makes the hospital’s business software, the storage systems (in particular medical imaging), and the information system relating to patient admissions inaccessible for the time being,” explains CHSF’s announcement (translated).
The hospital’s administration has not provided further updates on the situation, and the IT system outage that enforced reduced operations still plagues the establishment.
Those in need of emergency care will be evaluated by CHSF’s doctors, and if their condition requires medical imaging for treatment, they will be transferred to another medical center.
According to Le Monde, which has info from the country’s law enforcement agencies, the ransomware actors that hit CHSF demanded the payment of a ransom of $10,000,000 in exchange for a decryption key.
“An investigation for intrusion into the computer system and for attempted extortion in an organized gang has been opened to the cybercrime section of the Paris prosecutor’s office,” a police source told Le Monde, also specifying that “the investigations were entrusted to the gendarmes of the Center fight against digital crime (C3N)”.
The LockBit 3.0 hypothesis
French cybersecurity journalist Valéry Riess-Marchive identified signs of a LockBit 3.0 infection, mentioning that the handling by the national gendarmerie is a clue pointing to that direction, as that service deals with Rangar Locker and LockBit attacks.
As Riess-Marchive explains at LegMagIT, Ragnar Locker is unlikely to be behind the attack due to a different focus on the economic size of its victims, whereas LockBit 3.0 demonstrates a broader targeting scope.
If LockBit 3.0 is responsible for the attack on CHSF, it will violate the RaaS program’s rules, which prohibit affiliates from encrypting systems of healthcare providers.
At this time, the attribution to the particular threat group hasn’t been confirmed yet, and LockBit 3.0’s extortion site contains no entry for CHSF yet, so their involvement remains a hypothesis.