Cyber Incident Victim: M+R Spedag Group
Date: Apr 2022
Location: Switzerland
Summary
A Swiss logistics firm suffered a ransomware attack using the Blackbyte variant, with attackers exploiting a publicly accessible system through specific ports or protocols to infiltrate the network. The intrusion was detected shortly after 4 PM on a Thursday, prompting immediate containment efforts that prevented full data encryption. By the following Monday, 90% of systems were restored using recent backups, and the vulnerability was closed. Approximately 8 GB of internal data—including customer orders, billing records, dispatch notices, and operational planning documents—appeared on dark web forums. No ransom demand was received by the company, which reported the incident to authorities.
Description
On April 21, 2022, at approximately 4:00 PM, M+R Spedag Group detected a ransomware attack against its systems. The Switzerland-based logistics company, which reported 1,800 employees and 760 million Swiss francs in revenue for 2020, identified unauthorized access through a publicly exposed system interface. Attackers exploited specific ports or protocols to deploy Blackbyte ransomware, a strain previously used against US organizations including the San Francisco 49ers football team. Company CEO Boris Lukic stated that the company's security team recognized the intrusion within hours and initiated immediate containment measures. Critical response actions included disconnecting affected systems from the network, closing the identified entry point, and restoring operations from recent backups.

The incident resulted in the exfiltration of approximately 8 GB of corporate data subsequently published on dark web platforms. Compromised information included historical and current business records spanning customer orders, billing documents, shipment notifications, dispatch records, and operational planning materials related to 2020 short-time work arrangements. Despite data theft, the company confirmed no full-scale encryption of its systems occurred due to rapid containment efforts. By April 25, 2022—four days post-detection—90% of affected systems had been restored to operational status using existing backup infrastructure. M+R Spedag reported no direct ransom demand from threat actors and formally notified law enforcement authorities regarding the breach. The organization declined to disclose technical specifics of the vulnerability or investigation details while remediation remained ongoing.
