Cyber Incident Victim: Caisse Centrale de Réassurance SA
Date: Jul 2022
Location: France
Summary
A French public reinsurer specializing in natural disaster coverage experienced a ransomware attack claimed by a previously unknown group, Lilith, which threatened to leak over 1 terabyte of stolen data. The incident caused significant service disruptions, including the takedown of the company's website, and involved malware appending a ".Lilith" extension to encrypted files. Lilith initially publicized the attack on its dedicated platform but removed the claim days later, while cybersecurity analysts examined emerging samples of the ransomware. The organization did not publicly comment on the incident during initial media inquiries.
Description
On July 4, 2022, the Caisse Centrale de Réassurance SA (CCR) experienced a significant cybersecurity incident characterized by service disruptions affecting its public-facing systems, including its corporate website. External observations indicated that CCR had halted multiple IT services, with evidence pointing to ransomware deployment within its infrastructure. The malware appended the ".Lilith" extension to encrypted files, though initial technical analysis was hindered by the absence of available malware samples. CCR, a state-owned reinsurer specializing in natural disaster coverage and uninsurable risks, maintained public silence during the initial phase despite media inquiries. By July 6, a previously unknown threat group named Lilith claimed responsibility through a newly established dark web portal, alleging exfiltration of 1.1 terabytes of data while threatening public disclosure. The claim lacked typical ransomware negotiation features such as countdown timers or ransom demands.

The attack prompted CCR to proactively isolate its systems from external networks to contain potential lateral movement, though the organization did not issue official statements regarding operational impacts or remediation efforts. Security analysts confirmed Lilith's emergence as a new ransomware franchise based on the unique file encryption signature and dedicated leak site. The threat actors removed their claim against CCR from the leak site by July 8, leaving the portal empty by July 11 without explanation. No subsequent data leaks or communications from either party were documented in the reporting period. The incident exposed operational vulnerabilities at a globally ranked reinsurer with AA/A+ financial ratings, though specific impacts on business continuity, data integrity, or financial performance remained unconfirmed due to CCR's non-disclosure. CCR's status as a wholly state-owned entity since 1992 introduced potential implications for national risk management systems, given its role in stabilizing insurance markets against catastrophic events.
