Hospitals Return To Paper Systems as Ransomware Takes Hold on Health Service

Ransomware has gripped the health service in France, as two hospitals have opted to return to paper systems to continue their work without technology while the infection holds. The hospitals at Dax and Villefranche-sur-Saône were forced to shut off the internet and other networks to stop the ransomware infection from spreading. The hackers also shut off the hospitals’ telephone systems.

The attacks are a part of a wider ransomware campaign on Frances’ health service. Though still early in the year, several French hospitals have been hit with ransomware, prompting a general warning from the Health Minister. President Macron has pledged €1bn to combat cybersecurity issues in the country a few days ago.

The National Information Systems Security Agency (Anssi) has been working to repair the systems at Dax and Villefranche-sur-Saône, though full restorations are expected to take weeks.

Ransomware has targeted the health industry for many years. However, most people only became aware of this during the WannaCry attacks of 2017, which crippled the National Health Service in the United Kingdom.

The chief goal of Ransomware is always to enable the hackers to make money from the attack. Preferably for the hackers, this means that the target will pay the ransom upfront and will have their files decrypted.

If the target does not pay the ransomware, the encrypted files are most commonly returned to the hackers via a backdoor the virus has established. Once on the hackers’ end, the files will be decrypted and sold on the Dark Web.

Medical records are somewhat the bread-and-butter and stolen data that can be sold on the dark web. Often these contain Personally identifiable information (PII). PII has enough content to identify an individual, which is enough to commit identity theft in many cases. This gives medical records measurable value on the dark web, as using these records for nefarious ends can be lucrative.

CybelAngel, a leader in digital threat research, has been studying the ransomware attacks on French hospitals and has identified the medical records being sold on the dark web. Neither of the hospitals at Dax and Villefranche-sur-Saône paid the ransom, so the data is on sale. CybelAngel has reported as many as 500,000 of these records are currently on the Dark Web from the attacks.

Ransomware Attack Vector


Although the hackers’ identity has not been revealed or is unknown, there are some details known concerning the attack vector and nature of the attacks on Dax and Villefranche-sur-Saône.

It is believed the Ransomware was deployed via a remote access service, using login details possibly harvested via phishing – the attack was well-planned in advance.

As for the ransomware itself, it has been confirmed that Ryuk was used.

Ryuk is one of the more sophisticated forms of ransomware. It is usually deployed via a trojan, though it has been reported as using several other methods.

Ryuk can lay dormant in a machine’s registry for potentially weeks before being activated. It is most commonly seen in large multi-network entities such as hospitals. It uses the network to propagate after infecting a single device, so hospitals are ideal for a group using Ryuk.

Ryuk has been linked with high-profile hacking organizations such as Lazarus Group in the past.

Other Ransomware Attacks in France


The last 12 months have seen a sharp increase in Ransomware attacks in France, which have risen 255% since 2019.

The attacks have been on several industries, including the education system and digital service provides, although the hardest hit group has been the healthcare system.

France is not alone in this; nearly every country globally has reported a staggering amount of Ransomware attacks in the last year.

One must view the larger context for these attacks through the lens of the COVID-19 Pandemic. Changes in how hospitals operate and how they handle patients have meant upscaling systems or switches to new systems entirely.

At times like these, where sensitive medical records are being sent from system to system, Ransomware often finds a place to flourish.

Among other targets hit in this new wave of attacks in France has been Mutuelle Nationale des Hospitaliers (MNH). MNH is a healthcare insurance company that provides services to all public and private medical professionals. MNH was hit with Ransomware in early February, and they were forced to cease all operations during the attack.

MNH was hit by the RansomExx group, who use a variation on the popular ransomware family Defray777. The group has previously targeted the Texas Department of Transportation, Brazilian government networks, IPG Photonics, Tyler Technologies, and Konica Minolta. It is unknown if this group were also behind the attack on the hospitals at Dax and Villefranche-sur-Saône.

What You Can Do About Ransomware

A common mistake is believing that all Ransomware attacks are large-scale industrial assaults that don’t target homes or small to medium businesses. In reality, the majority of Ransomware targets these entities. While not as lucrative for the hackers, using smaller targets means government or federal authorities are less likely to intervene, and thus the victim more likely to pay the ransom.

We are seeing a renaissance across the board for all forms of Malware, fueled by a work-from-home society and an increasingly connected community.

In times like these, it is important to have the right tools to ensure you or your business don’t fall victim. SaferNet was built as one of these tools.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members’ devices; including activity, time spent online, and threats blocked.



Leave a Reply

Your email address will not be published. Required fields are marked *