Cyber Incident Victim: Lüchinger + Schmid AG
Date: Mar 2022
Location: Switzerland
Summary
A ransomware group identified as SunCrypt compromised the systems of Lüchinger + Schmid AG, a subsidiary of Migros, stealing data and threatening public release to pressure the parent company into paying a ransom. The attackers leveraged Migros's prominence to amplify publicity and reputational damage, though the subsidiary's operations remained unaffected and no ransom was paid. While SunCrypt has historically employed tactics like direct extortion calls and DDoS attacks, these were not observed in this incident. The breach was reported to national cybersecurity authorities, and Migros initiated legal proceedings against the perpetrators.
Description
In early March 2022, the Swiss egg producer Lüchinger + Schmid AG—a subsidiary of Migros-owned food manufacturer Micarna—experienced a ransomware attack executed by the cybercriminal group SunCrypt. The attackers exfiltrated company data and subsequently published a portion of it on their dark web leak site, accompanied by threats to release additional information unless ransom negotiations succeeded. SunCrypt attempted to amplify pressure by framing the incident as a direct attack on Migros in public communications, despite Migros confirming its independent IT infrastructure remained uncompromised. The threat actors leveraged Migros’ brand prominence to attract media attention, a tactic consistent with ransomware groups seeking to inflict reputational damage and coerce payments. Operational continuity at Lüchinger + Schmid was maintained throughout the incident, with Migros characterizing the overall damage as limited. No disruptive actions such as DDoS attacks or direct phone threats—tactics SunCrypt has employed elsewhere—materialized in this case.

Migros explicitly refused ransom demands, stating, “The Migros does not pay ransoms,” a decision corroborated by SunCrypt’s partial data publication. The parent company notified Switzerland’s National Centre for Cybersecurity (NCSC) and announced intentions to file a criminal complaint. SunCrypt, first observed in 2019 and ranked among the top ten most active ransomware groups by Coveware in late 2021, had previously claimed affiliations with the Maze cartel—though these assertions remained unverified. The group’s leak site postings referenced potential GDPR penalties to intensify pressure, aligning with broader ransomware trends of exploiting regulatory consequences. Historical parallels included similar false claims by LockBit 2.0 against the French Justice Ministry and Schneider Electric, where leaked data originated from suppliers rather than the named entities. Migros’ transparency regarding the subsidiary-specific breach and its coordinated response with authorities concluded the incident without further escalation.
