Skip to main content

French insurance company MNH hit by RansomExx ransomware attack

By 16 February 2021No Comments

Mutuelle Nationale des Hospitaliers (MNH), an insurance company in France that caters to all public and private health professionals, was recently forced to suspend operations after a ransomware attack targeted its IT systems.

The ransomware attack took place on 5th February, forcing MNH to take its website offline save for a notice that confirmed the cyber attack. The insurance company said in the notice that the cyber attack disrupted its operations and for security reasons, it has disconnected computer systems as well as its websites and telephone platforms.

“The MNH has been undergoing a cyber attack since Friday, February 5, 2021. The computer systems have been disconnected for security reasons. Our websites (, members’ area, corresponding and elected extranets), as well as our telephone platform (3031), are temporarily unavailable,” said Gérard Vuidepot, Chairman and CEO of MNH.

On Tuesday, MNH issued an update concerning the ransomware attack, stating that the “large-scale cyberattack” had forced it to disconnect its computer network as well as all company applications. The company said that its technical teams were working round the clock to restore affected systems and to restart operations at the earliest.

“The technical teams are mobilized 24 hours a day, 7 days a week, with the help of external specialists to secure the mutual information system, the data of our members and initiate the restoration necessary to restart the activity. The restoration process is long and tedious, however the results obtained during the first stages of this project are encouraging.

“We would like to renew our apologies to our members and our partners for the inconvenience caused, and are doing everything possible to ensure that the reimbursements and services, due to our members, are again served as soon as possible,” it said.

According to information obtained by Bleeping Computer from a security researcher, hackers behind the ransomware attack are now pursuing the company with a major ransom demand, warning it not to involve law enforcement authorities, and to communicate with them via a Protonmail account.

The hackers are now demanding an authorised company personnel to upload an encrypted file that they can decrypt to prove that they are capable of decrypting company data that has been encrypted. They have also warned MNH that if the stated ransom isn’t paid within a day, then the ransom amount will be increased.

RansomExx, a renamed version of the Defray777 ransomware which has been operating since 2018, has reportedly been used by hackers to target MNH’s computer network and encrypt the company’s files. The new variant has been used frequently since June last year to target several enterprise-scale organisations. For instance, the RansomExx group has previously targeted the likes of Texas Department of Transportation, Brazilian government networks, IPG Photonics, Tyler Technologies and Konica Minolta.

According to Nikos Mantas, Incident Response Expert, Obrela Security Industries, ransomware attacks have become a full-featured “product” of the cyber-crime industry with cyber criminals employing a complete array of offensive techniques including vulnerabilities (with CVEs) that are guaranteed to spread the ransomware if successfully exploited.

“These exploits can be executed at any stage: directly hitting the web sites, cloud services, exposed management interfaces (eg VNC, RDP), or after initial compromise to further spread into the network. Today more than ever, rapid patching and remediation of vulnerability assessment findings is critical.
Most importantly a proper and goal-oriented detection and response plan with SIEM analysis and EDR/EPP agents on systems will guarantee the minimization of exposure by more than 90%,” Mantas added.


All rights reserved Teiss Recruitment Ltd.