Cyber Incident Victim: Siloah AG

Date: May 2023

Location: Switzerland

Summary

A ransomware attack targeted IT service provider Unico Data, causing widespread disruption for its numerous clients. The attack, attributed to the Play gang, encrypted systems and forced a full shutdown. Affected organizations included a cinema chain, a tool manufacturer, municipal administrations, and the healthcare provider Siloah AG, which reported impacts on its operations but ensured patient safety. The incident led to significant service interruptions, with systems being gradually restored over subsequent days and weeks.

Description

On or around May 27, 2023, the Bern-based IT service provider Unico Data AG was subjected to a ransomware attack. The intrusion was detected by the company's IT personnel during the night of Saturday, May 27, to Sunday, May 28. The attack was initiated by the cybercriminal group known as "Play," who typically launch their encryption assaults outside of standard business hours, in this instance over the Pentecost weekend. A clear indicator of their involvement was the ".play" file extension found on encrypted data, a signature consistent with this group's previous operations. The managing director of Unico Data, Vince Lehmann, subsequently confirmed to media that it was a ransomware incident. In response to the discovery, Unico Data was forced to shut down all of its systems to contain the threat.

Unico Data, operating from Münsingen with approximately 75 employees, served over 100 customers, primarily small and medium-sized businesses located in the Bern region. As a Managed Service Provider (MSP), the company offered "Software as a Service" (SaaS) solutions from its data center, meaning the attack and subsequent system shutdown had an immediate and cascading effect on its entire client base. The widespread consequences of the attack became apparent throughout the following week. Email communication from Unico Data was initially impossible, and the company could not provide a timeline for when full system functionality would be restored. Recovery efforts for the IT systems were underway in collaboration with the relevant authorities, as stated in a media release issued on Thursday after the attack.

The impact on Unico Data's customers was severe and widespread. The Pathe cinema chain was compelled to announce on its website that online ticket sales were suspended indefinitely due to the incident. This disruption affected its locations in Basel, Bern, Dietlikon, Ebikon, Geneva, Lausanne, and Spreitenbach. The Swiss tool manufacturer PB Swiss Tools, a traditional company based in Wasen im Emmental, also posted a notice on its website regarding the outage. The company's managing director, Eva Jaisli, assured customers that production could be maintained in shift operations despite the IT limitations and asked for patience.

The municipal administration of the Bernese community of Rüegsau experienced a state of emergency as its computer system, operated by Unico Data, was taken offline. The community's population was informed they would need to wait patiently until their administration was fully functional again. The managing director of Unico Data was quoted stating that the affected IT systems would be gradually restarted over the coming days and weeks. The Boess Group, a Bern-based firm specializing in electrical engineering services with 13 locations across Switzerland, also confirmed it was affected by the attack. Additional impacted organizations included the Rugenbräu AG brewery in Interlaken and the Depot Zollikofen, both of which were only reachable to a limited extent.

A significantly affected customer was the Siloah Group in Gümligen, a leading integrated provider of medical care in geriatric medicine for the Bern region and surrounding areas. The institution employs approximately 870 staff across multiple locations and operates 95 hospital beds and around 270 nursing home beds, making it one of Unico Data's largest clients. Martin Gafner, President of the Siloah Foundation Council and Chairman of the Board of Siloah AG, reported that employees had managed the difficult situation impressively and that patient safety was guaranteed at all times throughout the incident. He noted that the organization was already in the process of testing its IT systems again, indicating initial steps toward recovery.

On Friday, June 2, 2023, the Play ransomware group published a message on its darknet data leak site, taunting its victim. This public boasting is a common tactic employed by the group, whose previous targets have included the company Xplain AG and the media organizations NZZ and CH Media. The publication of this message suggested the attackers had exfiltrated data and were threatening to release it, a standard double-extortion technique. The article provides no specific details on any ransom demand made to Unico Data or whether any payment was contemplated or made. The company continued to post updates on its own website regarding the progress of containing the cyberattack and restoring services for its clients.
