Coaxis and Guyamier hit by violent ransomware cyberattacks

2024-01-17 09:58:00

“This is probably the most serious cyberattack in years in the region, although it is more of an attack of opportunity than a targeted action,” says Guy Flament, director of the Cyber Campus Nouvelle-Aquitaine. The attack indeed had very serious consequences for Coaxis, a Lot-et-Garonne company specializing in hosting sensitive data, and for its 1,500 clients, including 1,200 accounting firms. “During the night of December 7 to 8, our teams observed the unavailability of our systems. It is today confirmed that we have faced a ransomware security incident from the LockBit 3.0 group,” says the company, which has around a hundred employees and 18 million euros in turnover. Ransomware consists of blocking digital data and applying double blackmail: demanding a ransom payment and threatening to disseminate the data.

More than a month later, the situation has finally been restored at the cost of intense efforts, as Joseph Veigas, the director of Coaxis, testified this Tuesday, January 16:

“Our customers have been severely penalized. All our systems were unavailable for eight days before gradually recovering: 16% of systems restored on December 23, then 80% on January 4 and, finally, 100% on January 8 after a month of relentless effort!”

“It was violent, very striking”

As a host of sensitive data, Coaxis, which was supported by its service provider Orange Cyberdéfense (OCD), states that no data belonging to its customers was stolen. “We had business continuity and recovery plans and we had conducted internal exercises so that everyone knew what to do in the crisis unit. But despite all that, we had not envisaged a crisis of this magnitude, on such a scope… It was violent, very striking, and I salute the remarkable investment of our employees, particularly during the holidays,” continues Joseph Veigas. All contaminated systems were destroyed and replaced by new machines while the OCD teams and the gendarmes of the C3N (Center for the Fight against Digital Crime) took charge of the investigation. The breach reportedly came from one of Coaxis’ clients, where C3N went to seize computers. “For our part, in accordance with procedures, we have chosen not to pay the ransom of several million euros or even to come into contact with the attackers,” specifies the business manager, who has not yet quantified the total financial impact for Coaxis but already estimates the cost of the restart at hundreds of thousands of euros.

Better anticipate crisis communication

With hindsight, the business manager is pleased that no customer data was exfiltrated and that he was able to rely on well-established procedures to restart, even if the result is not entirely satisfactory: “We did not know how to control the time factor to restart all the systems in a secure manner. We were counting on three weeks, it ended up taking a month,” notes Joseph Veigas. “There is a definite gap between the seriousness of the situation and the external perception that we may have of the simplicity of a restart. We will therefore prepare a crisis communication plan with our customers with more exchanges and transparency.”

An unsecured printer

A few days before Coaxis, the regional carrier Guyamier (350 employees, 35 million euros in turnover) was also the victim of a ransomware attack. “On December 5 at 8:30 a.m., it was no longer possible to connect to our system, we understood that we were under attack. We immediately unplugged the entire system and called the police. The Cyber Campus teams were on site the next morning!” remembers Nicolas Guyamier. The technical investigation progressed and the entry point was quickly identified: “It’s a printer from one of our subsidiaries installed ten days earlier. The service provider did not check if the scanner was protected, so it was unlocked which is the same as leaving your door wide open,” laments the business manager, who mentions “a frank discussion with the provider on this subject”.

The consequences were ultimately less severe than anticipated for the Gironde carrier, which was deprived of email for six days and forced to go back to paper and the telephone. But activity was only able to resume normally on December 21, two weeks later. “We did not lose any production or data thanks to the backups we had. The customer teams have worked a lot and the main consequence at this stage is invoicing delays,” sighs Nicolas Guyamier. Shaken by this episode, the executive has drawn three lessons:

“We are going to internalize everything related to the installation of our equipment, we have tripled our security procedures and we will make more physical backups on external hard drives, this is clearly what saved us by avoiding data loss!”

An increase in threats

Despite these two major attacks in quick succession, Guy Flament does not see a coordinated plan: “The concomitance of these two cyberattacks seems purely circumstantial to me but it reflects the underlying trend which is an increase in threats and malicious acts. We receive dozens of reports per month in Nouvelle-Aquitaine and it continues to increase.”

Joseph Veigas is no more optimistic: “Honestly, I wouldn’t wish anyone to experience what we experienced but I fear that similar attacks will happen in other companies in the future…” It is an observation also supported by Martin Véron, the regional director of ANSSI (National Agency for Information Systems Security), who spoke at the beginning of December during a day organized by the Department of Gironde: “Since Covid, attacks have been more massive and random, they are much less targeted and seek to attack the most vulnerable public or private structures. International tensions and the Paris 2024 Olympic Games will further increase the risk in 2024.”

An agreement to streamline exchanges

State services, including the police and gendarmerie, those of the regional council of Nouvelle-Aquitaine and those of the Cyber Campus of Nouvelle-Aquitaine, which hosts the CSIRT (computer attack response center), signed an agreement on January 8 to streamline mutual exchanges of information in the event of an attack and clarify the role of each. “The objective is for everyone to share information, work hand in hand and for everyone to know what to do: the Cyber Campus manages the technical investigation and the police services take care of the complaint and the judicial investigation,” explains Guy Flament. The Cyber Campus also runs the free service “My cyber help”, allowing all VSEs and SMEs to obtain a diagnosis of their vulnerability to cyberattacks. 200 diagnosticians have already been trained.