
Attack alert: lockbit5 targets felixvet.com - FR

DataInTheDark Alert System

Introduction

On December 7, 2025, the Parisian veterinary clinic felixvet.com joined the list of victims of the Lockbit5 ransomware group, marking a new offensive against the healthcare sector in France. This cyberattack, certified on the Polygon blockchain via the XC-Audit protocol, exposed a small animal health practice (1 to 10 employees) to the risks inherent in the compromise of medical and financial data. Classified at SIGNAL level according to our XC-Classify system, this intrusion illustrates the growing vulnerability of local healthcare facilities to malicious actors operating according to the Ransomware-as-a-Service (RaaS) model. The incident occurred in a context where veterinary practices, often under-equipped in terms of cybersecurity, are becoming prime targets for the exfiltration of sensitive data.

The attack against felixvet.com is part of a worrying trend: the increasing number of breaches targeting small healthcare facilities, which are particularly vulnerable to sophisticated intrusion techniques. Veterinary clinics, which simultaneously manage animal medical records, client information, and payment systems, are attractive targets for cybercriminals. This recent attack in December 2025 demonstrates that Lockbit5 does not discriminate based on the size of the targeted organization, prioritizing the opportunity to gain access to systems rather than the size of the victim. The blockchain certification of this incident guarantees immutable traceability, allowing authorities and cybersecurity professionals to precisely document this compromise and strengthen the sector's defenses.

Detailed Analysis

The Lockbit5 group operates according to the Ransomware-as-a-Service (RaaS) model, a criminal architecture that allows affiliates to deploy attacks under a franchise. Active in 2025, this cybercriminal collective perpetuates the legacy of previous generations of Lockbit, continually adapting its tactics to bypass modern defenses. The typical modus operandi combines initial vulnerability reconnaissance, access via targeted phishing or exploitation of unpatched flaws, and then deployment of ransomware to encrypt critical digital assets.


Lockbit5 affiliates favor a double extortion tactic: data encryption coupled with the prior exfiltration of sensitive information, creating maximum pressure on victims. Their TTPs (Tactics, Techniques, and Procedures) include persistence via compromised administrative accounts, the misuse of legitimate tools already present on the system (living-off-the-land), and the disabling of security solutions before final deployment. The group targets all sectors indiscriminately, from critical infrastructure to SMEs, as demonstrated by the attack against felixvet.com. Previous victims of the Lockbit network (across all generations) include healthcare facilities, financial institutions, and industrial companies worldwide, with ransom demands varying according to the target's estimated ability to pay.

The felixvet.com veterinary clinic is a small Parisian animal health practice, employing between 1 and 10 people. Positioned in the healthcare sector, this organization manages sensitive veterinary medical data daily, including treatment histories, prescriptions, and diagnostic test results. Based in France, the entity operates within a strict regulatory environment that mandates the protection of clients' personal data and the security of payment information.

The small size of felixvet.com, typical of local veterinary clinics, generally means limited resources dedicated to cybersecurity. These practices naturally prioritize investment in medical equipment and veterinary expertise over secure IT infrastructure. The Parisian clinic processes client information, including contact details, consultation histories, and bank details for payments, creating a data ecosystem attractive to cybercriminals. The compromise of such a structure directly impacts the trust of pet owners, a fundamental element for a local service business. The potential impact extends to regulatory notification obligations, technical remediation costs, and reputational consequences in a competitive local market.

The technical analysis of the incident reveals a SIGNAL-level classification according to our XC-Classify system, indicating early detection of malicious activity without formal confirmation of a massive data breach. This level of exposure suggests that felixvet.com is on the lockbit5 claim list, without necessarily implying that all systems were compromised or that significant volumes of data were exfiltrated.

The data potentially exposed in a veterinary clinic typically includes animal medical records (diagnoses, treatments, vaccinations), client information (identity, contact details, visit history), and financial data (payment methods, invoices). For a practice with 1 to 10 employees, the total volume is generally a few gigabytes, but it includes sensitive personal information as defined by the GDPR. The incident timeline begins with the discovery on December 7, 2025, the date it was listed on the lockbit5 claim platforms.


The initial attack vector is still under investigation, but compromises of small healthcare facilities frequently result from targeted phishing emails aimed at administrative staff, or the exploitation of unpatched vulnerabilities in internet-exposed systems (email servers, outdated VPN connections). The associated risks primarily concern the confidentiality of customer data, the availability of medical record management systems, and the integrity of animal health information. The lack of robust encryption of data at rest and the potential weakness of authentication mechanisms are typical aggravating factors for this type of organization.

The attack against felixvet.com illustrates the specific risks facing the healthcare sector in France, encompassing both human and animal health. Veterinary practices handle sensitive personal data as defined by the General Data Protection Regulation (GDPR), exposing them to the same obligations as traditional medical facilities. The compromise of animal medical records indirectly reveals information about owners, creating a risk of privacy breaches.

French regulations require healthcare organizations of all sizes to notify the CNIL (National Commission for Information Technology and Civil Liberties) within 72 hours of discovering a personal data breach. For felixvet.com, this obligation potentially includes direct notification to affected clients if the risk to their rights and freedoms is high. The NIS2 Directive, transposed into French law, broadens the scope of critical entities, although very small veterinary practices generally remain outside its direct application.

The consequences for similar businesses in the sector include increased awareness of the vulnerability of veterinary business systems, often developed without prioritizing cybersecurity. Past experience in the sector demonstrates that compromised clinics suffer prolonged operational disruptions, affecting continuity of care and generating significant revenue losses. The risk of a chain reaction concerns shared IT service providers, potentially used by several veterinary practices sharing common infrastructure.

Frequently Asked Questions

When did the attack by lockbit5 on felixvet.com occur?

The attack occurred on December 7, 2025 and was claimed by lockbit5. The incident can be tracked directly on the dedicated alert page for felixvet.com.

Who is the victim of lockbit5?

The victim is felixvet.com, which operates in the healthcare sector. The company is located in France. Visit felixvet.com's official website. To learn more about the lockbit5 threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on felixvet.com?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on felixvet.com has been claimed by lockbit5 but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

The certification of this attack relies on the XC-Audit protocol, guaranteeing immutable traceability via the Polygon blockchain. Each documented incident generates a unique cryptographic hash, recorded on this decentralized infrastructure, enabling public and transparent verification of data authenticity. Unlike traditional opaque, centralized, and modifiable verification systems, the Polygon blockchain offers a guarantee of permanent integrity.
