Cyber Incident Victim: Conseil régional des Pays de la Loire
Date: Jul 2024
Location: France
Summary
A cyberattack targeting a French regional council's economic development agency was claimed by the LockBit ransomware group, known for encrypting data and extorting victims. The attack prompted immediate shutdowns of affected systems, with national cybersecurity experts mobilizing to investigate and restore operations. LockBit's tactics involve demanding ransom payments under threat of leaking stolen documents on the dark web. Investigations by Paris prosecutors and cybercrime units are ongoing. The group, previously disrupted by international law enforcement, is notorious for targeting critical infrastructure and causing significant financial damages through data theft and extortion.
Description
On July 11, 2024, the Conseil régional des Pays de la Loire experienced a cyberattack targeting Solutions&Co, its economic development agency. The attack was claimed by the LockBit ransomware group according to an investigative source, despite international law enforcement having disrupted LockBit's operations in February 2024 under Operation Cronos. Upon detection, regional officials immediately shut down all information systems to contain the breach. A coordinated response team was activated, involving the regional Computer Security Incident Response Team (CSIRT), France's National Cybersecurity Agency (ANSSI), and external cybersecurity contractors. By July 19, the agency publicly confirmed the incident while initiating a phased restoration of services. The Paris Prosecutor's Office assumed jurisdiction over the investigation, specifically tasking its cybercrime division with analyzing the unauthorized exfiltration of regional council documents. France's National Gendarmerie Cybercrime Unit also joined the investigation, reflecting the severity of the intrusion.

LockBit employed its characteristic ransomware tactics, encrypting data to extort payment while threatening to auction stolen information on dark web platforms if demands were unmet. The group has historically targeted critical infrastructure entities globally, including financial institutions, postal services, and healthcare providers, accumulating billions in damages. While the regional council withheld confirmation of data compromise or ransom demands, LockBit's operational history suggests significant disruption risks to regional administrative functions and potential exposure of sensitive documents. The incident marks a notable resurgence of LockBit activity following its February 2024 disruption by a ten-nation law enforcement coalition, which had previously seized infrastructure and compromised the group's criminal enterprise. Regional authorities maintained operational silence regarding specific impacts but emphasized containment measures through system isolation and expert-led forensic analysis during the ongoing recovery phase.
