Cyber Incident Victim: Regionale Verkehrsbetriebe Baden-Wettingen
Date: Mar 2025
Location: Switzerland
Summary
RVBW reported a Play ransomware attack that encrypted some internal data but left customer and subscription information untouched and did not affect bus service. The operator isolated its IT network, cut external links, scanned all computers, and noted temporary glitches in digital stop displays and office systems that were fixed within a day. It refused the ransom, complied with the new critical‑infrastructure reporting obligation, and is collaborating with police to investigate the intrusion and strengthen defenses.
Description
On March 21, 2025, RVBW detected unusual activity in its IT infrastructure. Immediately after detection, the organization isolated its entire IT infrastructure and severed external connections. Security checks were performed on all computers. The exact entry point of the attack is currently under analysis. On April 2, 2025, the ransomware group Play publicly claimed responsibility for the attack on RVBW. The attackers had issued a ransom demand and also made telephone contact. RVBW stated that it did not comply with the demand and rejected any form of extortion.

The attack resulted in partial encryption of data on RVBW systems. RVBW emphasized that no customer or subscriber data were affected, noting that subscriber information is not stored on its systems. The cyber incident did not disrupt the bus service, and vehicles continued to run according to the scheduled timetable. Ticket and subscription sales at the customer center remained unaffected. Digital information displays at several bus stops temporarily ceased to function. Office and control‑center operations experienced system restrictions that were resolved within 24 hours. As a critical infrastructure operator, RVBW is subject to the new mandatory reporting obligation for cyber incidents that entered into force on April 1, 2025. The organization is already exchanging information with the Federal Criminal Police regarding the incident.

RVBW employs 227 staff members and, according to 2023 figures, transported 15 million passengers on its bus network. The Play ransomware group is known internationally and has previously carried out attacks on the Swiss security firm Xplain as well as on the media companies NZZ and CH Media. In its dark‑web announcement, the group claimed to have exfiltrated confidential data, customer documents, accounting records, identification papers, financial information and other material. The size of the allegedly stolen data set has not been disclosed by the attackers. The deadline the group set for publishing the claimed data has not yet expired.
