Ransomware Attack On French Hospital Threatens Lives With $10M Extortion Scheme
Over the weekend, a ransomware attack hit a French hospital, forcing the facility to turn away patients. The staff of the affected hospital, the Centre Hospitalier Sud Francilien (CHSF), has had to return to using pen and paper to keep track of patients, as the main computer systems have been rendered inaccessible. Thankfully, CHSF seems to have already had a plan in place to deal with situations like these, and France’s National Information Systems Security Agency (ANSSI) has dispatched experts to provide assistance. Nonetheless, this ransomware attack poses a potential threat to the health of those seeking medical attention at CHSF.
CHSF published a notice announcing that the hospital would no longer be able to handle all but the most pressing emergencies for the time being. All other incoming patients are assessed and referred to other hospitals as needed. As for patients already under the hospital’s care, the staff are having to move some of these patients to other hospitals due to the facility’s technical equipment operating in a degraded mode.
The attackers are reported to have demanded a ransom of $10 million, which is an abnormally high number for a ransomware extortion fee. In Q2 2022, the average ransomware payment was $228,125, while the median fee was just $36,360. No ransomware group has yet come forward to claim responsibility for the attack. However, a French news publication claims that the ransomware deployed on CHSF’s computer systems belongs to LockBit, according to “a source close to the investigation.” LockBit is one of the most active ransomware gangs as of late and recently extorted an entire town.
LockBit operates as a ransomware-as-a-service (RaaS) program, providing ransomware to a number of different affiliates that conduct ransomware attacks independently. The group’s dedicated leak site lists a number of recent victims, but CHSF is not among them. If a LockBit affiliate did carry out this attack, it would seem to be in violation of LockBit’s affiliate rules, which state the following: “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.” If LockBit ransomware was used in the attack against CHSF, this rule may explain why the group has not threatened to publish stolen data on its website.
CHSF published a notice announcing that the hospital would no longer be able to handle all but the most pressing emergencies for the time being. All other incoming patients are assessed and referred to other hospitals as needed. As for patients already under the hospital’s care, the staff are having to move some of these patients to other hospitals due to the facility’s technical equipment operating in a degraded mode.
The attackers are reported to have demanded a ransom of $10 million, which is an abnormally high number for a ransomware extortion fee. In Q2 2022, the average ransomware payment was $228,125, while the median fee was just $36,360. No ransomware group has yet come forward to claim responsibility for the attack. However, a French news publication claims that the ransomware deployed on CHSF’s computer systems belongs to LockBit, according to “a source close to the investigation.” LockBit is one of the most active ransomware gangs as of late and recently extorted an entire town.
LockBit operates as a ransomware-as-a-service (RaaS) program, providing ransomware to a number of different affiliates that conduct ransomware attacks independently. The group’s dedicated leak site lists a number of recent victims, but CHSF is not among them. If a LockBit affiliate did carry out this attack, it would seem to be in violation of LockBit’s affiliate rules, which state the following: “It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed.” If LockBit ransomware was used in the attack against CHSF, this rule may explain why the group has not threatened to publish stolen data on its website.
