Cyber Incident Victim: Rüegsau
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted Swiss IT service provider Unico Data, disrupting operations for multiple clients across sectors. The Play ransomware group encrypted systems during a weekend, forcing Unico to shut down its cloud-based services, which affected municipal administration in Rüegsau, cinema ticket sales for Pathé, production operations at PB Swiss Tools, and medical services provider Siloah Group—though patient safety remained intact. Other impacted entities included the Boess Group, Rugenbräu brewery, and Depot Zollikofen, with organizations resorting to temporary workarounds like shift production while systems were gradually restored. Unico collaborated with authorities to recover encrypted data, but full service restoration timelines remained unclear as the attackers taunted victims on darknet leak sites.
Description
A ransomware attack targeting Swiss IT service provider Unico Data AG commenced over the Pentecost weekend in late May 2023, with intrusion activities detected during the overnight hours of May 27-28. The Play ransomware gang, identifiable by their characteristic ".play" file extensions on encrypted data, executed the attack outside standard business hours—a known tactic of this group previously associated with breaches at Xplain AG and major Swiss media outlets. Unico Data, which provides cloud-based Software as a Service (SaaS) and managed IT services to over 100 predominantly Bern-region clients from its Münsingen headquarters, immediately shut down all systems upon discovering the compromise. This preventative measure caused cascading outages across its customer base of small-to-medium enterprises and larger organizations, including municipal governments, healthcare providers, and industrial firms. By May 30, the attackers publicly claimed responsibility through their darknet leak site, mocking Unico Data's operational disruption.

The incident severely impacted multiple sectors through Unico Data's compromised infrastructure. Pathé cinemas suspended online ticket sales across all seven Swiss locations, while tool manufacturer PB Swiss Tools maintained reduced production through manual shift operations. The municipal administration of Rüegsau declared an IT emergency when its systems went offline, anticipating weeks-long restoration timelines. Healthcare provider Siloah Group, operating 95 hospital beds and 270 nursing home placements, maintained patient safety through manual protocols while testing partial system recoveries. Additional affected entities included engineering firm Boess Group (13 sites), brewer Rugenbräu AG, Depot Zollikofen logistics, and other undisclosed clients relying on Unico Data's cloud services. Unico Data collaborated with Swiss authorities on forensic investigations and gradual system restoration, though Thursday communications warned of indefinite email outages and refused to project full recovery dates. Operational disruptions persisted into early June as the provider prioritized secure reactivation of critical client systems over accelerated restoration.
