Image: Rafael Garcin via Unsplash

French town of Sartrouville recovering from cyberattack claimed by ransomware gang

The French town of Sartrouville is recovering from a cyberattack that limited services last week.

In a statement on Friday, city officials said their IT department is recovering from a “limited-scale attack” that affected city servers on August 17.

Sartrouville has more than 50,000 residents and is about 45 minutes outside of Paris.

While the town’s statement does not say whether it was a ransomware attack, officials explained that their backup systems allowed them to speed up the recovery process.

“The attack, which took place on August 17, only targeted certain computer servers at the town hall. The technical teams immediately took measures to contain and neutralize the incident,” they said.

“Thanks to their vigilance and rapid response, the impact of the attack was limited.” The town also notified the government’s OCLCTIC cybercrime authority.

Officials noted that the town’s IT department has set up a “robust” backup system that allowed them to preserve critical data and “minimize disruption to the operation of municipal services.”

Pierre Fond, mayor of Sartrouville, touted the backup system and thanked the IT department for its work.

“We would like to assure our citizens that all necessary measures have been taken to resolve this situation as soon as possible,” he said. “Our IT team is working tirelessly to restore all of our services.”

The Medusa ransomware gang took credit for the attack on Saturday, posting the municipal government to its leak site, according to cybersecurity expert Dominic Alvieri. Le Parisien, which first reported the incident, confirmed that city officials found the Medusa ransomware on their systems.

The newspaper noted that while the local police department was spared, the hackers gained access to financial information of the city, budgets, banking details, medical records and data on local schools.

The group has been behind several brazen incidents in 2023, including a wide-ranging attack on Tonga’s state-owned telecommunications company in February, as well as attacks on an Italian company that provides drinking water to nearly half a million people and on Minneapolis’ public school district.

In an advisory last year, the Cybersecurity and Infrastructure Security Agency warned that Medusa operates under a Ransomware-as-a-Service (RaaS) model and typically gives affiliates 60% of ransoms while keeping the rest.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” they wrote in a joint memo with the U.S. Department of Treasury and the Financial Crimes Enforcement Network last year.

“The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file.”

Several French governments and companies have faced off with ransomware gangs in the last year. The islands of Guadeloupe and Martinique have both dealt with ransomware incidents that limited services while a large hospital and a major mobile phone network were hit with attacks last year.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.