Cyber Incident Victim: South Francilien Hospital Center
Date:
Aug 2022
Location:
France
Summary
A ransomware attack attributed to the LockBit group severely disrupted operations at a French hospital, forcing emergency patient diversions and transfers for specialized care. Critical systems including medical imaging, admissions software, and operating room technologies were rendered inoperable, leaving only phone services functional and significantly prolonging wait times for non-urgent cases. The incident prompted a national investigation and involvement of cybersecurity agencies, with attackers demanding a $10 million ransom. LockBit, known for previous high-profile attacks and its evolving ransomware-as-a-service model, was implicated through a ransom note, compounding the hospital's operational crisis during the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On August 21, 2022, the South Francilien Hospital Center (CHSF) in Corbeil-Essonnes, France, suffered a crippling ransomware attack that severely disrupted hospital operations. The attack, attributed to the LockBit ransomware group by French police sources, targeted critical IT infrastructure early Sunday morning, disabling business software, storage systems—including medical imaging archives—and patient admission systems. Only the hospital’s telephone network remained functional. This technological paralysis forced immediate patient transfers, particularly for those requiring imaging or specialized care, to other facilities in the Île-de-France region. Emergency services were rerouted, and operating rooms faced disruptions due to the outage. The hospital activated a crisis unit to manage care for existing inpatients, though clinicians worked without digital tools, leading to significantly prolonged wait times. Staff publicly urged the public via social media to avoid spontaneous emergency room visits, directing non-critical cases to alternative facilities.
France’s National Cybersecurity Agency (ANSSI) responded to assist CHSF’s recovery efforts, while the Paris prosecutor’s office launched an investigation into the extortion attempt by an organized criminal group. LockBit’s ransom note demanded $10 million, according to reports. Health Minister François Braun acknowledged the hospital was operating in a degraded technological state but emphasized patient safety was not compromised. The national gendarmerie assumed investigative leadership, consistent with France’s protocol for ransomware incidents. LockBit, a prolific ransomware-as-a-service operation, had recently launched an upgraded “Lockbit 3.0” variant and was linked to 58 attacks in July 2022 alone. Prior incidents attributed to the group included attacks on La Poste Mobile in France, a Foxconn factory in Mexico, and aviation and library sectors in Canada and Germany. The CHSF attack exemplified LockBit’s disruptive capabilities amid warnings from analysts about its rising prominence in the ransomware landscape.