Lockbit attacks Sud-Francilien Hospital

Incident Date:

August 25, 2022

World map



Lockbit attacks Sud-Francilien Hospital


Sud-Francilien Hospital




Paris, France

, France

First Reported

August 25, 2022

The Lockbit Ransomware Attack on Sud-Francilien Hospital

The Lockbit ransomware gang has attacked the Sud-Francilien Hospital. On Monday, August 22, the RMC (Regional Medical Center) disclosed that the Sud-Francilien hospital center (CHSF) in Corbeil-Essonnes had experienced a ransomware cyberattack over the weekend. However, this incident was not the initial phase but rather the culmination of an attack that had been launched ten days earlier, as per the findings of a technical investigation carried out by the National Agency for Information Systems Security (Anssi).

According to the investigation, the attacker initiated the breach of the CHSF information system around August 10 by exploiting virtual private network (VPN) access, thereby compromising the account of an external third-party provider. The suspicion of an account misappropriation by a provider emerged on August 25, but the latest information available to us does not confirm this.

The access to the CHSF information system was apparently carried out using a Windows 10 or Server 2016 virtual machine hosted on the AWS EC2 cloud platform. Subsequently, the attacker utilized the remote access tool Anydesk for lateral movements within the network and employed PCHunter to disable the protection systems on workstations and servers. Additionally, the attacker took measures to deactivate and delete Shadow Copies, the native backup previews generated by Windows, as well as disabling Defender. Data was exfiltrated to servers associated with the Cloud Mega storage service.

Even the virtualized environment of CHSF was not spared. Just ninety minutes after the release of the latest version of LockBit Black ransomware on Windows, which has been effectively utilized by the LockBit criminal group and its affiliates since early May, the attacker targeted the ESXi hosts. Accessing the hosts as root through the SSH interface, the attacker executed the Linux/ESXi variant of the ransomware.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.