Cyber Incident Victim: Canton of Bern
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted Bern-based IT service provider Unico Data AG, disrupting operations for numerous clients including Pathé cinemas (halting online ticket sales), PB Swiss Tools (maintaining production via shift work), the municipality of Rüegsau (administrative systems offline), Boess Group, Rugenbräu brewery, and healthcare provider Siloah Group. The Play ransomware gang, which had previously attacked other Swiss entities, claimed responsibility. The group ran the encryption during off-hours, and the attack was detected over a weekend. Unico Data shut down all cloud-based SaaS systems, forcing clients into manual processes while restoration, coordinated with authorities, progressed incrementally. Patient safety at Siloah remained unaffected despite IT testing delays. The incident impacted small-to-medium businesses and larger organizations across multiple sectors reliant on the provider's managed services.
Description
A ransomware attack targeting Bern-based IT service provider Unico Data AG began over the Pentecost weekend in May 2023, with intrusion activities detected during the night of May 27-28. The Play ransomware gang, identifiable by the characteristic ".play" file extension on encrypted data, executed the attack outside business hours, a known tactic of this group, which was previously linked to breaches at Xplain AG, NZZ, and CH Media. Upon discovering the compromise, Unico Data immediately shut down all cloud-based SaaS systems hosted in its Münsingen data center, affecting over 100 primarily Bern-region clients spanning small-to-medium businesses and larger institutions.

The shutdown caused cascading operational disruptions across multiple sectors: Pathé Switzerland suspended online ticket sales at cinemas in Basel, Bern, Dietlikon, Ebikon, Geneva, Lausanne, and Spreitenbach; PB Swiss Tools implemented emergency shift production protocols; and the municipal administration of Rüegsau lost all IT functionality. Medical provider Siloah Group (870 employees, 95 hospital beds and 270 nursing home beds) maintained patient safety through manual processes despite system outages, while engineering firm Boess Group (13 Swiss locations) and brewer Rugenbräu AG faced partial service interruptions.

Unico Data initiated containment measures in coordination with Swiss authorities, issuing public updates about ongoing system restoration efforts while warning clients that email communications remained disrupted and full recovery timelines were indeterminate. By June 2, Play published taunting messages on its darknet leak site, confirming data exfiltration alongside the encryption attack. Affected organizations implemented contingency plans: Siloah began testing reactivated systems within days, PB Swiss Tools appealed for customer patience during manual order processing, and Rüegsau officials anticipated weeks-long phased system restorations. The incident exposed vulnerabilities in regional MSP supply chains, with geographically concentrated clients including healthcare providers, manufacturers, municipal services, and entertainment venues suffering prolonged downtime from a single-point-of-failure compromise. No ransom payment details or final recovery status were disclosed in available reports.
