Full Report
Ransomware and associated data extortion continue to pose a significant threat to organisations of all types in Switzerland. In the first half of 2025, the NCSC received 57 reports of ransomware incidents, mostly from companies and organisations. This represents a slight increase compared with the 44 incidents reported during the same period the previous year. Where the ransomware strain was identified, the majority of reports cited "Akira", with "LockBit" the next most common. One of the key challenges facing organisations is cyberattacks within the supply chain, as an attack on an IT company can also have a negative impact on its business customers.
Analysis Summary
# Incident Report: H1 2025 Swiss Ransomware Trend Analysis
## Executive Summary
The first half of 2025 saw a slight increase in reported ransomware incidents in Switzerland: 57 reports reached the NCSC, up from 44 in the same period of the previous year, most of them from companies and organisations. Where a strain was identified, "Akira" was the most frequently named, followed by "LockBit." The report singles out supply-chain attacks as a key challenge: an attack on an IT company can cascade to that company's business customers.
## Incident Details
- **Discovery Date:** Ongoing reporting throughout H1 2025
- **Incident Date:** First half of 2025 (January 1 to June 30, 2025)
- **Affected Organization:** Not specified (General trend across companies and organizations)
- **Sector:** Various (Primarily companies and organisations)
- **Geography:** Switzerland
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified (Occurred within H1 2025)
- **Vector:** Not specified. The source names no initial-access vector; the only route it highlights is compromise of an IT company that then reaches that company's business customers (supply-chain attack).
- **Details:** Incidents combined ransomware encryption with data extortion.
### Lateral Movement
- Information not provided in the source text.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Data was taken for extortion alongside encryption or disruption by strains such as Akira and LockBit; the source gives no data types or volumes.
### Detection & Response
- **How it was discovered:** Incidents were reported to the NCSC.
- **Response actions taken:** Not specified beyond the volume of reports received.
## Attack Methodology
The source reports a trend rather than a single incident and names no techniques beyond those listed below. Tactics the source does not cover are marked as not provided rather than filled in from the general behaviour of Akira or LockBit.
- **Initial Access:** Not specified; supply-chain compromise (an attack on an IT company that then reaches its customers) is the only route the source highlights.
- **Persistence:** Information not provided.
- **Privilege Escalation:** Information not provided.
- **Defense Evasion:** Information not provided.
- **Credential Access:** Information not provided.
- **Discovery:** Information not provided.
- **Lateral Movement:** Information not provided.
- **Collection:** Not specified; data was gathered for extortion, but the method is not reported.
- **Exfiltration:** Data theft is implied by the mention of "data extortion."
- **Impact:** System encryption/disruption (Ransomware) and data leakage (Extortion).
## Impact Assessment
- **Financial:** Not quantified in the source; ransom demands, recovery work and downtime are the usual cost drivers in such incidents.
- **Data Breach:** Data exfiltration/extortion confirmed; specific data types or volume unknown.
- **Operational:** Business disruption likely occurred due to ransomware events, affecting companies and organizations.
- **Reputational:** Not specifically detailed, but inherent to ransomware events.
## Indicators of Compromise
- **Network indicators (defanged):** None provided in the source.
- **File indicators:** No hashes or filenames are provided. Presence of Akira or LockBit payloads, or of their ransom notes, on a host.
- **Behavioral indicators:** A single process renaming or rewriting large numbers of files in a short window, a new file extension appearing across many directories or shares, and ransom-note files dropped alongside the renamed files.
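The behavioural indicators above can be turned into detection logic. The following is an added example, not code from the NCSC report or from any vendor: it reads constructed file-event log lines, flags a process that renames many files to a new extension within a short window, and flags creation of ransom-note-like files. The log format, the per-process rename threshold, the window length and the ransom-note name pattern are all assumptions chosen for the example; tune them to your own EDR or file-audit telemetry.

```python
"""Behavioural ransomware detector over file-event logs (added example).

Two heuristics from the indicator list:
  1. mass_rename: one process renames >= RENAME_THRESHOLD files to a
     different extension within WINDOW_SECONDS.
  2. ransom_note: a process creates a file whose name looks like a ransom
     note (readme/recover/decrypt/restore + .txt/.html/.hta).
Log format, thresholds and note pattern are assumptions, not from the report.
"""
from collections import defaultdict, deque
from datetime import datetime
import os
import re

# Assumed log line format: "<ISO timestamp> <pid> <op> <path> [-> <newpath>]"
LOG_RE = re.compile(r"^(\S+) (\d+) (CREATE|RENAME|WRITE) (\S+)(?: -> (\S+))?$")
# Assumed ransom-note filename heuristic; real notes vary by strain.
RANSOM_NOTE_RE = re.compile(r"(readme|recover|decrypt|restore).*\.(txt|html|hta)$", re.I)

RENAME_THRESHOLD = 20   # extension-changing renames per window (assumption)
WINDOW_SECONDS = 60     # sliding window length in seconds (assumption)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, pid, op, path, newpath = m.groups()
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "op": op, "path": path, "new": newpath}


def extension_changed(old, new):
    """True when a rename changes the file extension (e.g. .xlsx -> .locked)."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(lines):
    """Return a list of (alert_type, pid, detail) tuples in detection order."""
    alerts = []
    windows = defaultdict(deque)   # pid -> timestamps of extension-changing renames
    alerted = set()                # pids already reported for mass_rename
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["op"] == "CREATE" and RANSOM_NOTE_RE.search(os.path.basename(ev["path"])):
            alerts.append(("ransom_note", ev["pid"], ev["path"]))
        if ev["op"] == "RENAME" and ev["new"] and extension_changed(ev["path"], ev["new"]):
            q = windows[ev["pid"]]
            q.append(ev["ts"])
            # Drop renames older than the window before counting.
            while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ev["pid"] not in alerted:
                alerted.add(ev["pid"])
                alerts.append(("mass_rename", ev["pid"], os.path.splitext(ev["new"])[1]))
    return alerts


def sample_log():
    """Constructed sample: pid 1000 does benign renames (same extension);
    pid 4242 renames 25 files to .locked within 25 s, then drops a note."""
    lines = []
    for i in range(5):
        lines.append(f"2025-03-10T09:00:{i:02d} 1000 RENAME "
                     f"/home/u/draft{i}.docx -> /home/u/final{i}.docx")
    for i in range(25):
        lines.append(f"2025-03-10T09:01:{i:02d} 4242 RENAME "
                     f"/srv/share/doc{i}.xlsx -> /srv/share/doc{i}.xlsx.locked")
    lines.append("2025-03-10T09:01:30 4242 CREATE /srv/share/readme_to_recover.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The benign process never trips the rename rule because its renames keep the `.docx` extension; the malicious process is reported once at its twentieth extension-changing rename and again when it drops the note. In production the same two signals would come from EDR file events or Windows file-audit logs rather than a text file, and the threshold should be set from a baseline of legitimate bulk-rename activity (build servers, migrations) to keep false positives down.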
## Response Actions
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified (Implied necessity following ransomware lockout).
## Lessons Learned
- Ransomware, particularly strains like Akira and LockBit, remains a primary threat vector in Switzerland.
- Supply chain attacks pose a disproportionately high risk, where a compromise in a single IT vendor can cascade negative impacts onto numerous business customers.
- The overall volume of reported ransomware incidents rose year-over-year (57 vs. 44 reports in H1, roughly 30% more), which the NCSC characterises as a slight increase.
## Recommendations
- Organizations should inventory the IT providers that hold access to their environment (remote support tools, managed services, shared credentials), restrict each provider's access to what its role requires, and treat a provider's compromise as a trigger for their own incident response.
- Enforce multi-factor authentication on remote access and administrative accounts, and segment networks so that a compromised workstation or provider connection cannot reach backup and directory infrastructure; this limits lateral movement after initial access.
- Keep backups immutable and offline, or otherwise unreachable with production credentials, and test restores regularly so that recovery from an encryption event does not depend on paying the extortion demand.