Cyber Incident Victim: Rugenbräu AG
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted IT service provider Unico Data AG and impacted numerous clients. Rugenbräu AG faced operational disruptions, as did Pathé cinemas (online ticket sales halted), PB Swiss Tools (production maintained at a reduced level), the municipality of Rüegsau (administrative systems disabled), the Boess Group, and Siloah Group healthcare facilities (patient care unaffected, IT systems undergoing testing). The Play ransomware group claimed responsibility. Encryption began during off-hours over a holiday weekend, and Unico Data detected it during late-night hours. The attack forced widespread shutdowns of hosted cloud services, causing service limitations across affected organizations. Recovery efforts coordinated with authorities are ongoing, but restoration timelines remain uncertain as systems are gradually reactivated.
Description
On May 27-28, 2023, Swiss IT managed service provider Unico Data AG suffered a ransomware attack attributed to the Play cybercrime group. The intrusion occurred during the Pentecost weekend, with Unico Data's IT team detecting malicious activity in the overnight hours between Saturday and Sunday. Attackers encrypted systems, with the ".play" file extension as the signature, forcing Unico Data to shut down all cloud-based SaaS infrastructure serving its 100+ clients, primarily Bern-region SMEs and institutions.

Immediate operational impacts spread across multiple sectors: cinema chain Pathé Switzerland suspended online ticket sales at all seven locations, PB Swiss Tools implemented emergency production shifts at its Emmental manufacturing site, and the Rüegsau municipal administration lost all IT functionality. Rugenbräu AG brewery in Interlaken and logistics firm Depot Zollikofen experienced severe service limitations, while medical provider Siloah-Gruppe disabled systems across its 95 hospital beds and 270 nursing home beds, though patient care continued through manual protocols.

Unico Data confirmed the ransomware attack publicly by May 28 and initiated containment measures in coordination with Swiss authorities. The company's email systems remained offline throughout the initial response phase, with recovery timelines unspecified. By June 2, the Play group taunted victims via their darknet leak site, though no explicit ransom demands were disclosed in available reports. Affected organizations deployed contingency plans: Siloah-Gruppe began system testing while PB Swiss Tools appealed for customer patience. Unico Data prioritized a gradual reactivation of client systems, expected to take "days and weeks," with Pathé's online sales still disrupted at the time of reporting. The incident exposed critical dependencies among Bernese SMEs on centralized MSP infrastructure, with at least eight major clients confirming operational disruptions spanning healthcare, manufacturing, entertainment, and public administration sectors.
