Cyber Incident Victim: CH Media

Date: Mar 2023

Location: Switzerland

Summary

A Switzerland-based media firm experienced a ransomware attack impacting multiple services across its newspaper, magazine, and broadcasting operations. The Play ransomware group claimed responsibility, threatening to release stolen personal and confidential data, internal projects, and employee payroll information unless ransom demands were met. The company publicly acknowledged the incident and the potential exposure of sensitive materials but did not disclose whether negotiations occurred or whether data was ultimately leaked.

Description

In March 2023, Switzerland-based media conglomerate CH Media experienced a ransomware attack affecting several of its services, including newspapers, magazines, private radio stations, and television channels. The Play ransomware group claimed responsibility for the attack and threatened to publicly release stolen data unless CH Media met its ransom demands by April 24. The group specifically asserted it had obtained personal and confidential data, internal company projects, and employee payroll information. CH Media publicly confirmed the attack in March but did not disclose the initial intrusion vector, specific timeline of system compromises, or operational disruptions caused by the incident. The company’s acknowledgment focused on the broad impact across its media divisions without detailing technical aspects of the attack, such as compromised systems or data encryption methods used by the threat actors.

CH Media's response to the incident included notifying stakeholders of the ransomware attack but did not specify whether law enforcement was engaged or whether external cybersecurity firms assisted in remediation. The company did not reveal whether it negotiated with the Play group or intended to pay the ransom. The threatened data release included sensitive operational documents and personally identifiable information of employees, creating potential financial fraud risks and reputational damage. As of the April 13, 2023, reporting date, no public evidence confirmed whether CH Media met the deadline or whether the ransomware actors followed through on their threat to leak the data. The incident highlighted ongoing operational vulnerabilities in media organizations managing diverse digital platforms, though CH Media did not disclose whether the attack originated from compromised credentials, software vulnerabilities, or phishing tactics. The company’s post-incident communications emphasized service impacts but omitted specifics regarding data recovery efforts, security upgrades, or forensic audit outcomes.
