Cyber Incident Victim: Das Team AG
Date: Dec 2023
Location: Switzerland
Summary
A Swiss staffing firm experienced a significant ransomware attack by the Black Basta group, suspected to have Russian ties, resulting in the theft of over 200 gigabytes of sensitive data including medical records and identity documents. The attackers leaked the stolen information on the darknet after the organization reportedly did not comply with ransom demands. The company's internal analysis assessed the data exfiltration as conditionally critical. After the incident, the company initiated darknet monitoring and later notified the national data protection authority. Black Basta, linked to the disbanded Conti group and known for high-profile attacks globally, has historically extorted substantial ransoms, leveraging compromised networks for financial gain.
Description
In December 2023, the Swiss staffing firm Das Team AG suffered a ransomware attack by the Black Basta cybercriminal group, which claimed to have exfiltrated over 200 gigabytes of company data. The Basel-headquartered firm, operating 25 branches across Switzerland and Liechtenstein, confirmed the attackers encrypted multiple network drives and gained unauthorized access to its systems. Black Basta, described as a Russian-speaking group linked to the disbanded Conti ransomware operation, publicly leaked stolen data on its darknet platform. According to forensic analysis conducted by Das Team AG, the attackers extracted sensitive information, though the company initially assessed the data breach as "conditionally critical." The leak included protected personal data such as medical records and identity document copies, accessible through Black Basta's leak site. Das Team AG detected the data publication on February 21, 2024, through darknet monitoring initiated after the initial attack. The company's delayed discovery of the leak suggests Black Basta maintained persistent access or staged the data release months after the initial compromise.

The incident triggered mandatory reporting obligations under Swiss data protection laws, prompting Das Team AG to provide preliminary notification to the Federal Data Protection Commissioner (EDÖB). The company committed to submitting detailed breach documentation following completion of its forensic analysis. Black Basta's publication of stolen data indicates Das Team AG did not comply with ransom demands, consistent with the group's pattern of leaking data from non-paying victims. Historical context shows Black Basta targeted major organizations including Swiss industrial firm ABB and TAG Aviation at Geneva Airport during 2023. Security researchers associate the group with Russian state-aligned cybercrime operations, citing leaked communications showing support for Russia's invasion of Ukraine. According to cryptocurrency transaction analyses published in November 2023, Black Basta had collected at least $107 million in ransom payments from over 90 victims since early 2022, including 18 payments exceeding $1 million. The attack exposed vulnerabilities in Das Team AG's network security while compromising sensitive applicant and employee data central to its staffing operations. No operational disruptions or encryption-related downtime were reported by the company despite the confirmed drive encryption during the attack.
