Inside a Hospital Ransomware Attack: Lessons from the Front Lines

commvault
03/12/2026
TL;DR

  • Immediate network isolation is critical when ransomware is suspected—cutting connections aggressively is safer than attempting quick fixes while the attack scope remains unknown.
  • Hospital recovery is not simply rebooting servers; clinical dependencies like patient identity systems, lab interfaces, and pharmacy workflows must be restored in careful sequence to maintain patient safety.
  • ANSSI responders identified the attack signature and patient zero within 30 minutes, demonstrating how external incident response expertise dramatically accelerates crisis clarity.
  • Full recovery took approximately one month for essential functions, with complete infrastructure reconstruction requiring years—far exceeding leadership's initial one-week expectations.
  • Post-crisis security transformation included EDR deployment, mandatory security reviews for all projects, regular crisis simulations, and a cultural shift where all staff actively report suspicious activity.

This compelling episode of the STRIVE podcast presents a first-hand account of a ransomware attack on a French hospital group, told by Guillaume, an infrastructure manager who lived through the crisis. The attack struck on a Sunday morning while Guillaume was on vacation, beginning with frantic calls from colleagues reporting widespread server failures and strangely renamed files across the environment. What initially seemed like a backup problem quickly revealed itself as a full-scale ransomware incident affecting approximately 300 servers across a four-hospital territory group.

The conversation provides an unfiltered look at the chaos of the first hours: the initial shock and disbelief, the critical decision to immediately isolate the network rather than attempt quick fixes, and the challenge of organizing panicked team members into functional roles. Guillaume describes the emotional toll of maintaining composure while discovering each new layer of damage, noting the constant urge to scream that had to be suppressed to effectively lead the response.

A pivotal moment came when ANSSI (France's national cybersecurity agency) responders arrived and within 15-30 minutes identified the attack signature, located patient zero, and established a clean restoration timeline. The episode details the painstaking recovery process: validating that backups were uncompromised, ensuring servers were malware-free before restoration, and critically, coordinating with clinical departments to maintain patient safety during degraded operations. Laboratory systems, pharmacy interfaces, and patient identity management all required careful sequencing.

The financial and operational impact extended far beyond IT: cancelled chemotherapy appointments, patient diversions to other hospitals, and a full month before essential functions resumed—with complete reconstruction taking years.

Post-crisis improvements included mandatory security reviews for all projects, EDR deployment, regular crisis simulations validated by ANSSI, and a transformed security culture where even non-technical staff now instinctively report suspicious emails rather than clicking them.

Chapters

0:00 - Introduction and Crisis Overview
2:37 - Discovering the Attack
5:28 - Network Isolation Decision
6:28 - Crisis Management Organization
11:56 - Communication and Coordination
14:21 - Service Restoration Process
17:21 - ANSSI Response and Forensics
18:59 - Financial and Patient Impact
21:21 - Team Solidarity During Crisis
25:52 - Post-Crisis Security Improvements

Key Quotes

0:00 "You really have to control yourself so as not to scream at every moment, not to scream even at the person you have given a role or a task to and who, in the panic, cannot even manage to do it."
5:28 "We have to cut the network because, in fact, we don't know what is happening. We don't understand. We don't know whether there are leaks."
7:02 "Are we going to get through this? And then, how long will it take? Especially because it's a hospital and, behind it all, there is patient care."
14:17 "A server reboot, which is something completely ordinary in everyday life, here, is a victory."
17:49 "They arrived, they showed up, as if it were nothing. In a quarter of an hour, half an hour, they knew what type of attack it was, with the virus's signature."
Tags:
  • ransomware incident response
  • healthcare cybersecurity
  • crisis management
  • business continuity
  • disaster recovery
  • ANSSI
  • hospital IT infrastructure
  • EDR deployment
  • security awareness training
  • degraded operations