Cyber Incident Victim: Boess Gruppe
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted Swiss IT service provider Unico Data, impacting numerous clients including the Boess Gruppe, an electrical engineering firm with 13 locations. The Play ransomware group encrypted systems during a holiday weekend, forcing widespread shutdowns of client operations. Affected entities faced disrupted online services, production limitations, and administrative paralysis—Pathé cinemas halted ticket sales, PB Swiss Tools maintained reduced production, Rüegsau municipality lost IT functionality, and Siloah Group's medical facilities relied on manual processes while restoring systems. Patient safety remained unaffected at Siloah despite IT challenges. Unico Data collaborated with authorities to gradually restore services, though recovery timelines remained unclear as attackers taunted victims on darknet leak sites.
Description
On May 27-28, 2023, the ransomware group "Play" attacked Swiss IT service provider Unico Data AG during the Pentecost weekend, exploiting off-hours to encrypt client systems. Unico Data detected the intrusion overnight between Saturday, May 27, and Sunday, May 28, forcing an immediate shutdown of all cloud-based SaaS systems hosted at their Münsingen data center to contain the breach. The attackers left encrypted files with the ".play" extension, confirming their affiliation with the cybercrime group previously linked to attacks on Xplain AG, NZZ, and CH Media. Unico Data's CEO Vince Lehmann publicly acknowledged the ransomware incident, collaborating with authorities on system restoration while suspending all email communications. By June 2, Play claimed responsibility on their darknet leak site, taunting victims with threats to publish stolen data.

The attack disrupted over 100 small-to-midsize clients across Bern and Switzerland, including the Boess Gruppe, a Bern-based electrical engineering firm operating 13 nationwide locations. Critical impacts included Pathé cinemas suspending online ticket sales at seven Swiss locations, PB Swiss Tools maintaining limited production under manual processes, and the Rüegsau municipal administration losing all IT systems. Medical provider Siloah-Gruppe—serving 870 staff and 365 hospital/nursing beds—disabled systems but maintained patient safety through manual protocols while testing partial restorations. Additional victims included Rugenbräu brewery, Depot Zollikofen, and other Bern-region businesses reliant on Unico Data's cloud services. Unico Data initiated phased system recoveries over subsequent days and weeks but provided no timeline for full restoration, citing ongoing coordination with law enforcement and forensic investigators. Operational disruptions persisted across multiple sectors as clients implemented contingency measures pending IT recovery.
