On December 3, 2022, the Versailles Hospital Center suffered a cyberattack which seriously affected its activity for several weeks. To prevent the spread of ransomware, hospital management cut off the entire network and urgently activated a crisis unit in conjunction with the Ile-de-France Regional Health Agency (ARS).
ANSSI teams and Orange Cyberdefense CERT experts were also called upon to help the GHT Yvelines Sud CISO, Antoine Toutain, resolve the crisis.
In an interview, Antoine Toutain shared his feedback on behind-the-scenes crisis management and the activation of the malware protection solution offered by Orange Cyberdefense.
On December 3, 2022, in the middle of the weekend, around 9 p.m., the first ransom demand messages appeared on workstations.
The on-call teams quickly understood that a cyberattack was taking place on the establishment's computer network.
A crisis unit was set up and the IT team was urgently called back to reduce the scope of the threat to the information system (IS).
“We took the radical decision to shut down the network and servers and confine the 3,000 workstations, to stop the spread of the attack. A detailed analysis was then carried out to trace the origin of the attack and identify signs of compromise,” explains Antoine Toutain.
“To carry out these steps we called on the ANSSI teams and Cyber Security players including CSIRT from Orange Cyberdefense. The latter supported us in the reconstruction part of the network and in the coordination of the various technical projects, in particular in the compliance and adaptation of the rules of the Active Directory after their tightening recommended by the ANSSI", continues Antoine Toutain.
When the attack was discovered, one of the first decisions made was to immediately lock down workstations and disconnect the network. However, the risk was that users would turn on their local workstation again and use a USB key to recover their data, potentially re-infecting other machines a few months later. To avoid this, the Orange Cyberdefense teams urgently sent a Malware Cleaner terminal.
“Unable to prevent this type of behavior, we needed to find a solution to ensure that the USB drives used by staff were safe.
All the antiviruses included in the terminal were unable to detect this brand new malicious load. But we were quickly able to integrate into the solution the signs of compromise, discovered by the investigation teams, to ensure that this new malware was detected and thus have complete confidence in the analysis results.
Throughout the reconstruction phase, a person from the IT team was responsible for analyzing all USB keys used by agents via this solution. The infected keys were kept by the security team, the others were given to staff.
We have carried out more than 900 analyzes since the start of the incident. The Malware Cleaner terminal was therefore very useful in reassuring staff but also in clearing up doubts and thus preventing any spread of the attack. », explains Antoine Toutain.
Easy to use, efficient and practical, the Malware Cleaner solution played an important role in our reconstruction phase. Even if the threat did not arrive via a USB key, it could be redeployed this way, the USB key being a real attack vector.”
Malware Cleaner was developed by CERT Orange Cyberdefense experts to provide comprehensive protection against potential threats, with eight complementary antiviruses as well as workstation protection via the Malware Cleaner agent.
In addition, the solution is highly configurable and can be configured according to company security policies, which makes it perfectly adaptable to the company's needs and business challenges. Update options, online or offline, allow for flexible and convenient updating of the solution, and businesses and public institutions can rest assured that Malware Cleaner will help them stay compliant with current regulations.
Malware Cleaner also offers advanced features such as USB ADB detection and remote scanning of suspicious files, providing an added advantage in detecting and preventing potential threats. With this solution, doubts about workstations can be safely removed, helping to protect information systems against malware and other potential threats.
Hospitals represent prime targets for cyberattackers, particularly since the advent of the Covid pandemic which has led to an increase in attacks. Indeed, according to the latest data from ANSSI, public health establishments represented nearly 10% of victims of ransomware compromises in 2022, which represents an increase compared to last year. In order to protect themselves against these growing threats, businesses and public establishments must have a complete anti-malware protection solution such as Malware Cleaner, developed by the Orange Cyberdefense CERT teams. By opting for such a solution, these organizations can not only protect their activity, but also comply with the legal standards in force in France and Europe, while making their employees aware of the risks linked to computer threats.