LockBit ransomware group implicated in crippling attack on French hospital

French police sources have named the LockBit ransomware group as the culprits behind the devastating attack on a hospital in France.

Center Hospital Sud Francilien (CHSF) in Corbeil-Essonnes — about an hour south-east of Paris — announced that it was hit early Sunday with a cyberattack that crippled the hospital's “business software, storage systems (in particular medical imaging) and the information system relating to patient admissions.”

France’s national cybersecurity agency, Agence nationale de la sécurité des systèmes d'information (ANSSI), was contacted shortly after the incident and have been helping the hospital respond.

For patients who needed care that required technology, the hospital said it immediately had to transfer them to other hospitals in the Île-de-France region. Emergency patients are being rerouted to other hospitals as well. 

“With regard to people hospitalized in the establishment, the crisis unit has put in place the necessary measures for their care,” the company said. 

It added that the operating rooms would also be affected by the technological outage. The hospital’s phone system was the only technology asset still running. 

On Tuesday, the hospital said its health professionals were “currently working without the help of IT, which is generating much longer than average wait times.” Those in need of help are urged to contact the emergency call center.

“The establishment asks people to avoid coming to the emergency room spontaneously,” the hospital said. 

Some doctors even took to Facebook to warn potential patients that services were severely limited due to the outages. 

Agence France-Presse reported on Tuesday that the Paris prosecutor’s office has opened an investigation into the attack and confirmed that there has been “an attempted extortion by an organized gang.”

French Minister of Health François Braun said they "are working in degraded mode, not for the patient, but for us," but reiterated that patient care "is not endangered."

A source told the news outlet that the ransom note came from the LockBit group. French outlet RMC added that the ransom demand was for $10 million. 

The national gendarmerie is leading the investigation, according to Le Monde and LeMagIT, because ransomware attack response is split between law enforcement agencies in France.

The national police typically deal with ransomware attacks from the Hive and Vice Society gangs while the gendarmerie gets involved with the LockBit or Ragnar Locker ransomware groups.

LockBit, a ransomware-as-a-service operation that recently became the most prolific group in terms of publicly-claimed victims, was linked to 58 attacks in July — a slowdown from previous months.

But researchers have warned that the group could pick up steam following its launch of “Lockbit 3.0,” which reportedly introduced a bug bounty program and other technical updates. 

Matt Hull, global lead for strategic threat intelligence at U.K.-based NCC Group, wrote in a report last month that LockBit is likely to take over for Conti as the most prominent — and brazen — ransomware group.

Lockbit crippled French mobile phone network La Poste Mobile last month, encrypted more than 1,200 servers during a May attack on a Foxconn factory in Mexico, and launched attacks on a Canadian fighter jet training company as well as a popular German library service. 

Cybersecurity firm Dragos found that LockBit made up 33% of the 125 ransomware attacks on industrial systems in Q2. Their report noted that LockBit is one of the only groups willing to attack the pharmaceutical, mining, and water treatment sectors.

The attack on Center Hospital Sud Francilien comes just two weeks after the United Kingdom's National Health Service struggled to cope with a ransomware attack on an IT provider.

Several NHS departments faced outages, according to The Guardian. Services like dispatches for ambulances, referrals for patients, appointment bookings, prescriptions and more were impacted by the ransomware attack. Officials told staff members that it will take weeks for the system to be restored.