The threat actor Sarcoma has been held responsible for a ransomware attack on a Swiss health foundation
# Incident Report: Ransomware Attack on Swiss Health Foundation (Radix)
## Executive Summary
A ransomware attack by the Sarcoma group targeted the Swiss health foundation Radix, resulting in the exfiltration of data and its publication on the dark web, including sensitive government information. Radix detected the incident and stated that its data remained intact in backups, but the Swiss Federation publicly contradicted the foundation's initial scope assessment and confirmed that government data had been exposed. The response involved notifying the relevant authorities, law enforcement, and affected individuals.
## Incident Details
- Discovery Date: June 16, 2025 (Date of detection/attack start)
- Incident Date: June 16, 2025 (Start of ransomware attack)
- Affected Organization: Radix (Swiss Health Foundation)
- Sector: Healthcare/Nonprofit (Handling government data)
- Geography: Zurich, Switzerland
## Timeline of Events
### Initial Access
- Date/Time: On or around June 16, 2025
- Vector: Unknown (Ransomware attack initiated)
- Details: Radix detected the ransomware attack on this date.
### Lateral Movement
- *Details Not Explicitly Provided in Source.* Attackers successfully deployed ransomware and exfiltrated data prior to detection.
### Data Exfiltration/Impact
- Date/Time: Attackers published data on June 29, 2025.
- Details: Stolen data, confirmed to include data from the Swiss Federation (government data), was published on the Sarcoma group's leak site.
### Detection & Response
- Date/Time: June 16, 2025 (Detection). Response initiated immediately.
- Details: Radix revoked access to affected data immediately upon detection and confirmed they had intact backups. Notified the Swiss Federal Office for Cybersecurity (FOCiS), the Federal Data Protection and Information Commissioner (FDPIC), Canton of Zurich Data Protection Officer, and Zurich City Police. Affected individuals were notified personally if their sensitive data was involved.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Not explicitly detailed, but required to stage and exfiltrate data.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed.
- Collection: Data was collected and exfiltrated before the ransomware was deployed and before the attack was detected.
- Exfiltration: Exfiltrated data was later published on the Sarcoma ransomware group's leak site (June 29, 2025).
- Impact: Data encryption (implied by ransomware) and sensitive data exposure.
## Impact Assessment
- Financial: Not disclosed (Ransom demand status unknown).
- Data Breach: Sensitive personal data of individuals believed affected, and critically, government data from the Swiss Federation was exposed on the dark web.
- Operational: Radix stated they retained all data intact in backups, suggesting operational continuity may have been preserved, though system downtime for remediation likely occurred.
- Reputational: Significant public impact due to the confirmed breach of Swiss Federal government data handled by a foundation.
## Indicators of Compromise
- **Network indicators:** Sarcoma ransomware group leak site (address not provided in the source).
- **File indicators:** Ransomware payload details not provided.
- **Behavioral indicators:** Data exfiltration followed by public extortion/leak.
## Response Actions
- **Containment measures:** Access to affected data was immediately revoked by Radix upon detection.
- **Eradication steps:** Investigation launched in partnership with the Swiss Federal Office for Cybersecurity.
- **Recovery actions:** Radix confirmed that all data remains intact in their backups, indicating a recovery path exists for stored information.
## Lessons Learned
- Existing security controls failed to prevent initial access and data exfiltration, affecting sensitive government entities that had entrusted data to a third-party foundation.
- Initial impact assessment by the organization (Radix) was contradicted by external official confirmation (Swiss Federation), highlighting the difficulty in rapidly assessing true compromise scope involving shared or third-party data.
## Recommendations
- Enhance third-party risk management, particularly for entities that process sensitive government data, ensuring contractual security requirements are rigorously met and audited.
- Implement enhanced network segmentation and monitoring to detect initial access and lateral movement earlier to minimize data staging and exfiltration windows.
- Validate backup integrity and segmentation *before* an incident to ensure a rapid and verifiable path to full recovery without having to negotiate with the attacker.