Cyber Incident Victim: Royatonic

Date: Jul 2021

Location: France

Summary

A ransomware attack targeted a French spa, forcing a temporary closure after server access was blocked and operations were paralyzed. The attacker, described as a lower-tier Russian actor, demanded a ransom of less than one bitcoin; no data theft was confirmed. The incident disrupted daily operations, affecting approximately 1,200 customers, and caused significant turnover loss. Management prioritized reopening within two weeks using contingency plans and, while weighing the ethical and practical implications of paying the ransom, had not finalized its decision.

Description

On July 9, 2021, Royatonic, a spa facility in France, experienced a ransomware attack that disrupted its operations. The attack blocked access to the spa’s server, paralyzing all business activities including reservation systems, subscription recharges, and gift voucher sales. By July 12, the disruption forced Royatonic to close its doors indefinitely, with a public notice posted on its website and social media channels informing customers of the cyberattack. The spa’s director, Dominique Ferrandon, confirmed to media outlets that a Russian hacker had cryptolocked their server, demanding a ransom of less than one bitcoin (valued under €28,000 at the time) to restore access. Ferrandon characterized the attacker as a "third division" hacker, noting the relatively low ransom demand was likely intended to incentivize payment. While the spa confirmed no data theft or broader system hacking occurred, the server encryption rendered critical operational tools inoperable. Initial communications with the attacker were established, but Royatonic simultaneously pursued a "Plan B" recovery strategy to bypass the ransom demand.

As of July 15, 2021, Royatonic remained closed, with recovery efforts ongoing and no confirmed timeline for resuming operations. Ferrandon stated the priority was reopening within 15 days, though this would require rebuilding the client file, risking permanent loss of customer records. The closure impacted approximately 1,200 daily visitors, translating to significant turnover losses compounded by prior pandemic-related financial strains. Royatonic’s leadership expressed ethical and practical reservations about paying the ransom but did not categorically rule it out, acknowledging the need to weigh consequences against the ransom amount. Technical details about the attack vector, malware variant, or server infrastructure were not disclosed publicly. The incident highlighted operational vulnerabilities, as the spa lacked immediate redundancies to maintain reservations or sales during the outage. No third-party cybersecurity assistance or law enforcement involvement was mentioned in available reports.
