Ransomware Attack on Swiss Government Vendor Leads to Massive Data Leak

Switzerland confirms government data was stolen in a ransomware attack on Radix. Leaked records include documents, contracts, and communications now circulating on the dark web.

    Switzerland has confirmed that sensitive government data was stolen and leaked in a ransomware attack that targeted Radix, a non-profit organization contracted by several federal offices. The breach, linked to the Sarcoma ransomware group, has once again spotlighted the vulnerabilities of third-party service providers supporting public sector operations.

    “Radix’s customers include various federal offices. The data has been published on the dark web and will now be analyzed by the relevant offices,” said the Swiss government in an official statement.

    The country’s National Cyber Security Centre (NCSC) is now involved in assessing the scope of the breach and identifying affected agencies.

    How the Attack Unfolded

    Radix, based in Zurich, focuses on public health promotion and manages eight competence centers that implement projects for both government and private sectors. The breach occurred on June 16, when Sarcoma ransomware affiliates compromised Radix’s systems, gaining access to their internal network.

    Sarcoma, an aggressive ransomware group first identified in October 2024, has quickly built a reputation for its rapid deployment tactics. The group’s attack method typically involves:

    • Phishing emails and social engineering
    • Exploiting unpatched software vulnerabilities
    • Leveraging Remote Desktop Protocol (RDP) access
    • Lateral movement and data exfiltration
    • Data encryption and extortion

    In Radix’s case, the attackers stole data and encrypted systems before uploading a 1.3 TB archive to their dark web leak site on June 29, suggesting that extortion negotiations failed.

    What the Leaked Data Contains

    The stolen archive reportedly includes:

    • Government documents
    • Financial records
    • Contracts
    • Internal communications
    • Scans of sensitive documents

    Although Radix claims there is no current evidence that partner organizations’ most sensitive data has been compromised, the massive leak is being offered freely on the threat actor’s leak portal.

    The breach is especially concerning given Radix’s work with Swiss federal, cantonal, and municipal agencies. Authorities are still reviewing the material to determine whether government-held or citizen-specific records have been compromised.

    “The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” confirmed the Swiss government.

    Sarcoma’s Rising Profile in the Ransomware Landscape

    Sarcoma is among a new generation of ransomware-as-a-service (RaaS) groups leveraging classic but effective techniques. In its first month alone, it claimed 36 victims, including electronics manufacturer Unimicron. Its operations reflect a growing trend of supply chain exploitation where attackers breach trusted third-party vendors to access high-value targets indirectly.

    The leak from Radix follows a similar third-party incident in March 2024, when software provider Xplain was compromised by the Play ransomware group, resulting in the exposure of 65,000 sensitive government files.

    These incidents highlight how public institutions—even those operating within secure national environments—remain vulnerable when outsourcing critical services.

    Mitigation, Notification, and the Road Ahead

    Radix says it has notified affected individuals and is advising them to monitor their accounts and be cautious of phishing attempts and identity fraud. It also clarified that all individuals potentially affected have received personalized alerts.

    For now, investigators from the NCSC are working to verify which datasets were published and whether federal offices are at direct risk. The situation is developing, and further disclosures may follow.

    As ransomware groups continue exploiting indirect entry points like third-party vendors, the importance of immutable backup infrastructure and zero-trust architectures cannot be overstated. Maintaining cyber resilience requires not just secure primary systems, but robust data recovery options when prevention fails.
