The attack forced the hospital to send its patients to other facilities.
The Centre Hospitalier Sud Francilien (CHSF) suffered a cyberattack on August 21, according to a report in BleepingComputer. The 1000-bed hospital near Paris was forced to refer patients to other establishments and postpone appointments for surgeries.
CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency. The CHSF issued an announcement concerning the attack. “This attack on the computer network makes the hospital’s business software, the storage systems (in particular medical imaging), and the information system relating to patient admissions inaccessible for the time being”, the post reads.
The announcement was written in French. All relevant quotes in this article were translated from French to English. “In the emergency room, patients who present spontaneously are assessed and then possibly referred to the CHSF’s Maison Médicale de Garde”, the organization continued. “Patients whose care requires access to the technical platform are transferred to another establishment.”
The hospital’s administration has not provided further updates on the situation, BleepingComputer notes. In addition, the IT system outage that forced reduced operations still plagues the establishment, they say. According to Le Monde, which has information from the country’s law enforcement agencies, the ransomware actors that hit CHSF demanded a $10,000,000 ransom payment in exchange for a decryption key.
“An investigation for intrusion into the computer system and for attempted extortion in an organized gang has been opened to the cybercrime section of the Paris prosecutor’s office”, a police source told Le Monde, specifying that “the investigations were entrusted to the gendarmes of the Center for the fight against digital crime (C3N)”.
LockBit is suspected
French cybersecurity journalist Valéry Riess-Marchive identified signs of a LockBit 3.0 infection, mentioning that the handling of the case by the national gendarmerie is a clue pointing in that direction, as this service deals with Ragnar Locker and LockBit attacks.
If LockBit 3.0 is responsible for the attack on CHSF, the attack violates the RaaS program’s rules, which prohibit affiliates from encrypting systems of healthcare providers. The attribution to this particular threat group hasn’t been confirmed yet. Furthermore, LockBit 3.0’s extortion site contains no entry for CHSF yet, so their involvement remains a hypothesis.