Cyber Incident Victim: municipality of Rüegsau

Date: May 2023

Location: Switzerland

Summary

A ransomware attack targeted IT service provider Unico Data AG, disrupting operations for numerous clients including the municipality of Rüegsau, where administrative systems were forced offline. The Play ransomware group claimed responsibility, encrypting data during a weekend intrusion detected overnight. Multiple organizations faced severe consequences: cinema chain Pathé suspended online ticket sales, manufacturer PB Swiss Tools maintained production only through shift work, and healthcare provider Siloah-Gruppe prioritized patient safety while testing restored systems. Unico Data collaborated with authorities to gradually reactivate compromised infrastructure across affected entities, though full recovery timelines remained uncertain. The incident impacted businesses across sectors—including utilities, manufacturing, and healthcare—through Unico's managed cloud services, requiring widespread system shutdowns to contain the attack.


Description

On May 27-28, 2023, the Swiss IT service provider Unico Data AG suffered a ransomware attack attributed to the cybercriminal group Play, identified by the ".play" file extension left on encrypted systems. The attack occurred during the Pentecost weekend, with Unico Data's IT team detecting malicious activity overnight between Saturday and Sunday. Play, known for previous attacks on entities like Xplain AG and media companies NZZ and CH Media, typically executed encryption outside business hours to maximize disruption. Unico Data immediately shut down all affected systems to contain the breach, including cloud-based SaaS platforms hosted in their Münsingen data center. This precautionary measure caused widespread service outages for over 100 clients, primarily small-to-medium Bernese businesses and public institutions relying on Unico Data's managed IT services. The company initiated recovery efforts in coordination with Swiss authorities but could not provide a timeline for full restoration, noting email communications remained temporarily inoperable.

The incident severely impacted multiple Unico Data clients across sectors. Pathé cinemas suspended online ticket sales at all seven Swiss locations, while tool manufacturer PB Swiss Tools maintained limited production through manual processes despite IT failures. The Municipality of Rüegsau experienced complete administrative system failure, forcing officials to announce an indefinite disruption to municipal services on May 30. Healthcare provider Siloah Group, operating 95 hospital and 270 nursing home beds across Bern, disabled IT systems as a precaution but confirmed patient safety was unaffected through manual protocols before beginning system testing. Additional affected organizations included electrical engineering firm Boess Group (13 sites), Rugenbräu brewery, Depot Zollikofen logistics center, and other Bern-region entities. Play publicly taunted Unico Data on their darknet leak site by June 2, implying potential data exfiltration though no explicit theft claims were verified. Unico Data prioritized gradual system restoration over weeks rather than immediate full recovery, with CEO Vince Lehmann publicly acknowledging the ransomware attack while urging patience from impacted clients. Operational disruptions persisted across victim organizations for multiple weeks as recovery efforts continued.
