"The care of patients is not endangered", indicated the Minister of Health, François Braun, on Tuesday during a visit to Montpellier, specifying that patients coming under "severe technical platforms" were " redirected by the Samu to other hospitals".
Same reassuring tone at the level of the management of the establishment where the situation was the same as the day before: the work is done "by hand, without the help of computers". "We are working in degraded mode, not for the patient, but for us," she told AFP.
The South Francilien Hospital Center (CHSF) in Corbeil-Essonnes, south-east of Paris, has been the victim of a computer attack since the night of Saturday to Sunday around 01:00. A ransom demand of 10 million dollars, formulated in English, was demanded by the hacker(s).
"It's a cyberattack as unfortunately there are in all establishments, (...) as there are regularly unfortunately. We will not give in", assured Mr. Braun.
In recent years, the number of cyberattacks has greatly increased and they no longer spare healthcare establishments, even if they are not necessarily a priority target.
In 2021, the National Authority for the Security and Defense of Information Systems (Anssi) noted on average one incident of this type per week in a health establishment in France.
“Hackers have particularly wide targets, they go fishing. It is essentially the lure of profit that motivates them, even if some may also have ideological motivations, revenge,” the general told AFP. Christophe Husson, second in command of the Cyberspace Gendarmerie Command (ComCyberGend), recalling that the "global cost of cybercrime is estimated at 6 billion dollars per year".
- "digital evidence" -
For a long time, "many threat actors had an unspoken rule to leave hospitals alone", underlines Fabien Rech of the American computer security company Trellix. “However, given the current deterioration of relations between Eastern and Western countries and the fact that a number of ransomware operators are affiliated with countries of the former USSR, we suspect that Western hospitals were put back on the target list."
The Paris prosecutor's office announced on Monday the opening of an investigation for intrusion into the computer system and attempted extortion by an organized gang, supervised by its cybercrime section. The investigations were entrusted to the gendarmes of the Center for the Fight against Digital Crime.
According to a source close to the investigation, the ransomware belongs to the Lockbit group. Around 100 affiliates participate in the group's activities, according to an interview cited recently by cybersecurity specialist Damien Bancal on his blog Zataz.com.
This galaxy of specialists revolves around a software, a common platform offering all the tools to carry out the attack. They collaborate together with professional methods and share the ransoms.
Lockbit is active worldwide (USA, China, India, Indonesia, Ukraine, France, UK, Germany...) but seems to avoid attacking targets in Russia and CIS countries, probably "to avoid prosecution in these regions," according to cybersecurity firm Kaspersky. At the time of the Russian offensive in Ukraine, Lockbit made it known that it was "apolitical" and did not seek to meddle in the conflict.
The purpose of the cybergendarmes' investigation is to collect "digital evidence" to "identify the perpetrators, locate them and arrest them". These investigations are "always very long, can last several months or even several years" and require significant international cooperation, warns General Husson.