Cyber Incident Victim: PB Swiss Tools
Date: May 2023
Location: Switzerland
Summary
A ransomware attack targeted the IT service provider Unico Data, causing widespread disruption for its numerous clients. The attack, attributed to the Play group, forced the provider to shut down its systems, severely impacting operations. Affected organizations included a cinema chain, a tool manufacturer, a medical care provider, and several municipalities. The incident led to significant service interruptions, with online sales and administrative functions being taken offline while restoration efforts were underway.
Description
On or around May 27, 2023, the Bern-based IT service provider Unico Data AG suffered a significant ransomware attack. The company, which operates from Münsingen with approximately 75 employees and serves over 100 small and medium-sized customers primarily in the Bern region, was targeted by the cybercriminal group known as 'Play'. The attack was initiated outside of business hours over the Pentecost weekend. IT personnel at Unico Data first detected the malware attack during the night from Saturday, May 27, to Sunday, May 28. A clear indicator of the attacker's identity was the '.play' file extension found on encrypted data, a signature associated with the Play ransomware group. This same group had previously claimed attacks on other Swiss entities, including the company Xplain AG and media organizations NZZ and CH Media.

In response to the discovery, Unico Data was forced to shut down all of its IT systems to contain the breach. This action had immediate and severe consequences for its client base, which relied on Unico Data for managed services and cloud-based Software as a Service (SaaS) solutions. The company's email communication systems were rendered inoperable, and a statement on its website indicated that full restoration of services would be a prolonged process, with no specific timeline available for a return to normal operations. Unico Data stated that the recovery of its IT systems was underway and being conducted in collaboration with the relevant authorities.
The ripple effects of the attack on Unico Data's infrastructure were widespread, impacting numerous private companies and public institutions. The Swiss cinema chain Pathé was affected, necessitating a public announcement on its website that online ticket sales were suspended indefinitely across its locations in Basel, Bern, Dietlikon, Ebikon, Geneva, Lausanne, and Spreitenbach. The Swiss tool manufacturer PB Swiss Tools, based in Wasen im Emmental, also experienced disruptions. The company's CEO, Eva Jaisli, confirmed the impact and assured customers that production would be maintained in shift operations despite the challenges, while also asking for patience during the outage.
Local government services were also disrupted. The municipal administration of Rüegsau announced that its computer systems were out of operation, creating an exceptional state of affairs for the community. The administration informed residents that they would need to be patient until the systems were gradually restored over the coming days and weeks. The Boess Group, a Bern-based company specializing in electrical engineering services with 13 locations across Switzerland, confirmed it was another victim of the incident through a company representative.
Further affected entities included the Rugenbräu AG brewery in Interlaken and the Depot Zollikofen, both of which reported being reachable only to a limited extent. The Siloah Group in Gümligen, a leading integrated medical provider in geriatric medicine for the Bern region employing approximately 870 staff and operating 95 hospital beds and 270 nursing home beds, was also severely impacted. Martin Gafner, President of the Siloah Foundation and the Siloah AG board, noted that patient safety had been guaranteed at all times despite the difficult situation. He reported that employees had managed the crisis effectively and that the organization had already begun testing its IT systems again as part of the recovery process. The scale of Siloah's operations suggested it was likely one of Unico Data's largest customers.
On Friday, June 2, 2023, the Play ransomware group posted a message on its darknet data leak site, taunting the victims and suggesting further negative developments. This public claim followed the earlier confirmation by Unico Data's Managing Director, Vince Lehmann, to media outlets that the incident was indeed a ransomware attack. The company continued to provide updates on its website regarding the progress of containing the cyberattack and restoring services for its clients.
