Sud-Francilien hospital center: a patient attacker, but without compassion

The discussion between an affiliate of the LockBit 3.0 franchise and an interlocutor for the Sud-Francilien hospital center reveals, at the very least, a lack of understanding, if not bad faith or even indifference.

By Valéry Rieß-Marchive, Editor-in-Chief
Published on: Sep 08, 2022
Bad faith, misunderstanding, or indifference? The discussion between the LockBit 3.0 franchise affiliate and an interlocutor for the Sud-Francilien hospital center (CHSF) in Corbeil-Essonnes, which LeMagIT was able to consult, reveals a cybercriminal convinced of dealing with a commercial company, such as a private clinic, rather than a public hospital. And this despite the victim's insistence.

The discussion began on August 24, in French on the victim's side: “hello, we take your attack on our establishment seriously into account. Who are you? And what do you really want to do what you do? [sic]”

This is where the attacker formulated his ransom demand: 1 million dollars, in bitcoin, not 10 million as several of our colleagues had previously reported. For the affiliate, this amount “is not too big for your business [sic]. We did not set a high price because we respect health”.

On the victim's side, the suspicion that the attacker misunderstands its real nature appears immediately: “Do you really know who you attacked? And the current and future consequences that this may have for us, for the people in our establishment, for you?” The decryption keys are requested straight away.

Believed to have hit a for-profit organization…
But the attacker seems convinced of having struck “a commercial enterprise”, one “which makes money”. On the victim's side, the interlocutor insists: “I am surprised to see that you have no idea who we really are! We are a public hospital. With all that this entails in terms of limited means, financial, material and personnel”. He provides several links to support his point.

[Screenshot] Excerpt from the discussion between an interlocutor for the CHSF and the attacker. (LeMagIT)
In response, the attacker puts forward the link to the hospital center's ZoomInfo page. Its mere existence may have misled him, but this service is regularly used by cybercriminals to identify and assess targets. Initial access brokers also use it to showcase the accesses they have on offer.

And the attacker insists, steering the discussion back to turnover, operating losses, and reputation, convinced, it seems, of having hit a commercial enterprise like any other. Unless it is merely bad faith… to avoid incurring the wrath of the franchise's operators.

… Or simply in bad faith?
Because LockBit 3.0 places restrictions on its affiliates for attacks against targets in the health sector, but not a general ban. Thus, one can read on the franchise's site: “it is prohibited to encrypt establishments where damage to files could lead to death, such as heart centers, neurosurgery departments, maternity hospitals and others, that is, establishments where surgical procedures on high-tech equipment using computers can be carried out”.

However, “it is permissible to steal data from any medical institution without encrypting it, as it may constitute a medical secret and must be strictly protected according to law. If you are unable to determine whether or not a particular medical organization can be attacked, contact the help desk”.

But in the case of the CHSF, the cybercriminal is convinced: “we know your situation, none of your patients will die”. The $10 million figure initially reported appears in the conversation the day after this assertion, on August 27, as a threat: “If you don't pay $1,000,000 by August 30, the price will be $10,000,000 as in your public statement”.

Or even indifferent
Firm and determined to get paid, the attacker nevertheless acceded to a few requests, in particular the decryption of a file too large to be processed automatically by the web chat interface, which is limited to 50 KB. But on September 2, he became pressing, indicating that all this “is taking too long. My boss is not happy with this situation”. Still, he waited until September 7 to post the claim he is about to publish, a week after the last message from his victim. And there is no question, in this pre-announcement, of asking for 10 million dollars. It is still $1 million, whether for downloading or for destroying the stolen data.

[Screenshot] The attacker threatens to revise his demands upwards. (LeMagIT)
Contacted by the editorial staff on August 26, the communication department of the Sud-Francilien hospital center declined to comment and forwarded our questions to the French National Information Systems Security Agency (Anssi), which did not get back to us. On September 2, a spokesperson for the C3N of the national gendarmerie, reached through the armed forces' information and public relations service (Sirpa), declined to comment.

The director of the CHSF, for his part, had previously told our colleagues at AFP that “the establishment has not paid and will not pay” the ransom, because of its status as a public establishment. According to the elements of the discussion reviewed by LeMagIT, no ransom was paid. At most, one interlocutor for the victim may have given the impression, on August 27, that a payment was about to occur, presumably to delay somewhat the public claiming of the attack.

The day before, the Minister of Health, François Braun, had assured that “the health of the French will not be taken hostage”. He also announced the release of an additional 20 million euros to improve the security posture of health establishments.