Cyber Incident Victim: Pathé
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted Swiss IT service provider Unico Data, disrupting operations for multiple clients including cinema chain Pathé, which suspended online ticket sales. The Play ransomware group claimed responsibility, encrypting data during a holiday weekend and forcing Unico to shut down all cloud-based systems, causing widespread email outages and service limitations across affected organizations. Clients such as PB Swiss Tools, Boess-Gruppe, and healthcare provider Siloah-Gruppe experienced production delays and administrative paralysis, though critical patient safety remained unaffected. Recovery efforts involved gradual system restorations coordinated with authorities, with no confirmed timeline for full restoration at the time of reporting.
Description
A ransomware attack targeting Swiss IT service provider Unico Data AG caused widespread disruptions to multiple clients, including cinema chain Pathé Suisse, beginning on May 27-28, 2023. The Play ransomware group encrypted systems during the Pentecost weekend, with Unico Data's IT team detecting the intrusion overnight between Saturday, May 27 and Sunday, May 28. The Bern-based managed service provider, supporting over 100 small-to-medium-sized clients primarily in the Bern region, immediately shut down all cloud-based SaaS systems to contain the attack. This precautionary measure triggered cascading outages across Unico Data's client network, with critical IT infrastructure becoming unavailable. Pathé Suisse announced the suspension of online ticket sales across its seven Swiss locations and reported email communication failures, though physical cinema operations continued unaffected. The company stated that system restoration was underway in coordination with authorities but provided no timeline for full recovery.

Multiple organizations experienced severe operational impacts from the attack. Tool manufacturer PB Swiss Tools maintained limited production through shift work but faced unspecified constraints. The municipal administration of Rüegsau had its computer systems completely offline, forcing residents to wait weeks for restored services. Engineering firm Boess-Gruppe (13 Swiss locations), brewery Rugenbräu AG, Depot Zollikofen, and healthcare provider Siloah-Gruppe also reported significant IT disruptions. Siloah-Gruppe, operating 95 hospital beds and 270 nursing home beds, prioritized patient safety while testing systems, with 870 employees adapting workflows manually. Unico Data's CEO Vince Lehmann confirmed the ransomware nature of the attack, evidenced by the ".play" file extensions left on encrypted data. The Play group publicly taunted victims on their darknet leak site by June 2, though no specific data theft claims appeared in initial reports. Restoration efforts proceeded incrementally, with Unico Data gradually reactivating client systems over subsequent days and weeks while coordinating with law enforcement.
