The LockBit ransomware gang has attacked the Sud-Francilien Hospital. On Monday, August 22, the RMC (Regional Medical Center) disclosed that the Sud-Francilien hospital center (CHSF) in Corbeil-Essonnes had suffered a ransomware attack over the weekend. That weekend was not the start of the incident but the culmination of an attack launched ten days earlier, according to the technical investigation carried out by the National Agency for Information Systems Security (ANSSI).

According to the investigation, the attacker first breached the CHSF information system around August 10 through virtual private network (VPN) access, compromising the account of an external third-party provider. Suspicion that a provider's account had been hijacked emerged on August 25, but the latest information available to us does not confirm this. Access to the CHSF information system was apparently carried out from a Windows 10 or Server 2016 virtual machine hosted on the AWS EC2 cloud platform.

The attacker then used the remote access tool AnyDesk for lateral movement within the network and PCHunter to disable the protection software on workstations and servers. The attacker also deactivated and deleted the Volume Shadow Copies, the native volume snapshots Windows generates for backups, and disabled Windows Defender. Data was exfiltrated to servers associated with the Mega cloud storage service.

Even the virtualized environment of CHSF was not spared. Just ninety minutes after the latest version of the LockBit Black ransomware, used by the LockBit criminal group and its affiliates since early May, was released on the Windows systems, the attacker turned to the ESXi hosts. Logging in to the hosts as root over the SSH interface, the attacker executed the Linux/ESXi variant of the ransomware.
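As an added example that is not part of the original report: a small Python triage script that runs narrow detection rules for the stages described above (AnyDesk, PCHunter, shadow copy deletion, Defender disabled, exfiltration to Mega, root SSH into ESXi) over constructed sample log lines, then flags hosts that hit more than one stage. The log format, host names, user names and file paths are assumptions, not data from the CHSF investigation.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real CHSF logs), modelled on the stages the
# ANSSI investigation describes. One key=value line per event.
SAMPLE_LOGS = [
    'host=WS01 src=Sysmon event=ProcessCreate image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe user=CORP\\vendor-svc',
    'host=WS01 src=Sysmon event=ProcessCreate image=C:\\Users\\vendor-svc\\Downloads\\PCHunter64.exe user=CORP\\vendor-svc',
    'host=SRV02 src=Sysmon event=ProcessCreate image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet" user=CORP\\vendor-svc',
    'host=SRV02 src=Sysmon event=ProcessCreate image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell Set-MpPreference -DisableRealtimeMonitoring $true" user=CORP\\vendor-svc',
    'host=SRV02 src=Proxy event=HttpConnect dest=g.api.mega.co.nz bytes_out=734003200',
    'host=SRV03 src=Sysmon event=ProcessCreate image=C:\\Windows\\explorer.exe user=CORP\\alice',
    'host=ESXI01 src=auth event=SshLogin user=root remote=10.20.30.40 result=accepted',
]

# Each rule: (stage label, compiled pattern). Patterns are deliberately narrow and
# match the behaviours named in the write-up rather than generic activity.
RULES = [
    ("remote-access-tool", re.compile(r"anydesk\.exe", re.I)),
    ("security-tool-tampering", re.compile(r"pchunter", re.I)),
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("defender-disabled", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("cloud-exfil-mega", re.compile(r"dest=\S*mega\.(co\.nz|nz|io)", re.I)),
    ("esxi-root-ssh", re.compile(r"event=SshLogin\s+user=root\b.*result=accepted", re.I)),
]

def detect(lines):
    """Return a list of (host, stage) findings, one per matching rule per line."""
    findings = []
    for line in lines:
        host_m = re.search(r"\bhost=(\S+)", line)
        host = host_m.group(1) if host_m else "unknown"
        for stage, pat in RULES:
            if pat.search(line):
                findings.append((host, stage))
    return findings

def hosts_by_stage_count(findings, minimum=2):
    """Hosts that hit at least `minimum` distinct stages. A lone vssadmin call can be
    legitimate admin work; several stages on one host point to hands-on-keyboard activity."""
    stages = defaultdict(set)
    for host, stage in findings:
        stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= minimum}

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for host, stage in found:
        print(f"{host}: {stage}")
    print("escalate:", hosts_by_stage_count(found))
```

The ESXi root login is reported on its own host and so is not escalated by the multi-stage rule; in practice any accepted root SSH login on a hypervisor deserves its own alert regardless of count.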