07 December 2023

Cyberattack at the Versailles hospital center: the trail of a LockBit usurper

According to a report dated 6 December 2022, the attack on the French hospital André Mignot located in Versailles was carried out using ransomware containing the same computer traces as the well-known LockBit Black ransomware. In addition, the Tor addresses of the storefront and negotiation sites listed in the ransom notes are indeed those of the LockBit 3.0 franchise, but none of the decryption credentials are recognised. It is likely that this attack was carried out by another group than LockBit, but that it used the same tools, leaving the same trace. Indeed, in September, it was noted that following an internal conflict within the group, the LockBit builder had been leaked on the net and thus made freely available to anyone wishing to build their own ransomware with this technical base. It is therefore likely that one of these projects was successful and that a new actor attempted a large-scale attack with this LockBit-based ransomware.