A hospital in southwest France is scrambling to recover from a ransomware attack that has caused significant operational disruption.

In a tweet posted on February 11, the Center Hospitalier de Dax-Côte d’Argent revealed that it had fallen prey to a cyber-attack and was trying to restore systems that included the telephone switchboard.

Convalescence

Cybersecurity vendor Avast said that patient care had been impaired in a French-language blog post (Avast verified an English translation for The Daily Swig).

Phone lines at the healthcare facility had been partially restored, it added, but encrypted data remained inaccessible as of February 12.

The attack occurred on February 8 and continued into February 9, according to a report in French daily Sud Ouest.

In a press conference held on February 11, the publication continued, senior hospital officials said staff were resorting to pen and paper, and that radiotherapy care was among the most severely disrupted departments.

Officials at the hospital, which has six sites and around 1,000 beds, were quoted as saying that restoration of normal operations could be several weeks away.

The Daily Swig has contacted the hospital for an update on its recovery efforts. We will update the article if we hear back.

Luis Corrons, a security evangelist at Avast, has urged other hospitals to promptly deploy emergency patches for critical software vulnerabilities, train staff in “digital hygiene” best practices, “regularly back up files”, and “suspend all services directly available from the internet”.

He also told The Daily Swig that “IT admins should consider strict whitelisting when it comes to executable files, so that only known and trusted applications can be run on hospital computers.”

Egregor implicated

France Inter has reported that the attackers used the Egregor ransomware, which was first detected in the wild in September 2020 and is notable for mounting so-called ‘double-tap attacks’ that exfiltrate as well as encrypt files.

Other recent Egregor victims have included US retail giant Kmart, the Scottish Environmental Protection Agency, and Translink, the public transport system of Vancouver in Canada.

However, the group’s ability to carry out further attacks has apparently been dented after several Egregor affiliates were arrested in Ukraine last week as part of a joint operation between French and Ukrainian law enforcement – a story also broken by France Inter.

IT Wire has today noted that Egregor’s internet and dark web sites are currently down.

France 3 has reported that a hospital group comprising 11 sites in Dordogne, also in southwest France, had successfully thwarted a ransomware attack after an IT supplier detected Cryptolocker malware on its servers.

“Right now, hospitals are more likely to fall victim to a ransomware attack because cybercriminals can make a lot of money from targeted ransomware campaigns,” said Luis Corrons.

“Also, the introduction of cyber insurance to take care of ransoms is sadly fueling this trend.”

Source: The Daily Swig
Image: Composition of images by Tumisu, CharlVera, OpenClipart-VectorsSinisa Maric and Free Creative Stuff – all from Pixabay