Date: Apr 2021

Location: Switzerland

Summary

A Swiss vocational institution experienced a ransomware attack utilizing Ryuk malware, rendering all operational servers inaccessible and disrupting data availability. Emergency measures included activating a temporary wireless network, isolating the data center, and shutting down host systems to facilitate school reopening. The incident, attributed to a malicious email attachment, prompted authorities to file a criminal complaint and notify national cybersecurity agencies. Communication with students and staff occurred via postal mail due to compromised email systems, with plans to establish an external website for inquiries. While administrative servers remained unaffected, recovery efforts focused on data restoration and mitigating operational impacts, consistent with Ryuk's pattern of targeting education and healthcare sectors.


Description

On or around April 9, 2021, the Allgemeine Gewerbeschule (General Trade School) in Basel-Stadt, Switzerland, experienced a ransomware attack that rendered all its servers inaccessible, preventing any data retrieval. The attack was executed using Ryuk ransomware, a type of extortion trojan known for targeting institutions like hospitals and educational establishments. Initial investigations indicated the infection likely originated from an email attachment that was accidentally opened, suggesting a phishing vector. Upon discovery, the school’s IT infrastructure was immediately isolated—host systems were completely shut down, and the data center was segmented to contain the spread. To maintain operational continuity for the scheduled school reopening the following Monday, authorities activated a temporary WLAN network independent of the compromised systems. The Canton of Basel-Stadt Education Department filed a criminal complaint against unidentified perpetrators and formally reported the incident to Switzerland’s National Center for Cybersecurity.


The attack disrupted all email systems, forcing the school to communicate critical information about the incident to learners and teachers via postal mail. Plans were established to launch an external website at the start of the school term to field inquiries, as internal communication channels remained inoperable. IT teams from both the canton and the Education Department prioritized data recovery efforts, though the extent of salvageable data remained undetermined at the time of reporting. Notably, the school administration’s servers were confirmed unaffected, limiting the breach’s scope to educational and operational systems directly supporting teaching activities. Restoration work focused on rebuilding infrastructure while assessing the ransomware’s full impact on academic data and services. No explicit details regarding data exfiltration, ransom demands, or financial losses were disclosed in available reports.
