Unico Data has fallen victim to a ransomware attack

Berne-based IT service provider Unico Data has fallen victim to a cyberattack. The company’s systems have been offline since the Pentecost weekend. The Play hacker group may be behind the ransomware attack.

Nothing has worked for Unico Data since last weekend. CEO Vince Lehmann said at a press conference that the Bern-based IT services provider has fallen victim to a ransomware attack.

The company observed the attack on the night of May 27-28. As a first reaction, Unico Data shut down all IT systems. About 100 customers of the IT service provider are also affected by the outage. These are mainly small and medium enterprises and at least one municipality, Lehmann said. In fact, Rogso Municipality reported on its website that the IT system was down.

At this point in time, there are still many unanswered questions. For example, Unico Data cannot rule out data leaks. “There was above average interaction at the network layer for a while during the attack,” the CEO admits. The company called the National Cyber ​​Security Center (NCSC) and the Police Digital Crime Department to investigate the incident. As a precaution, Unico Data has also notified the Federal Data and Information Protection Commissioner (FDPIC).

The clues lead to Play

No ransom demand has been received yet. There is also still speculation about the identity of the attackers: according to Lehmann, the ends of the encrypted files point to the Play hacker gang. The same group has also been extorting NZZ and CH Media in recent weeks and the municipality of Saxon Valais, as you can read here.

After all, it is said that not much data was lost in the attack. “We’re doing very well when it comes to backups,” Lehmann said. Very little time has elapsed between the last backup and the high profile activities; In addition, all restorations have been successful so far. “Data loss is minimal for all of our customers,” Lyman sums up.

The CEO also praised his company’s clients, saying, “We have been communicating proactively and extensively since day one. We feel a very high level of collaboration with clients.” The focus right now is on a quick and safe recovery. How long this will continue is not yet clear. “Right now we’ve disconnected the entire data center from the grid. We’re not going to connect it again until we’re sure we’re allowed to.”

If you would like to read more about cybercrime and cyber security, Subscribe to the Swisscybersecurity.net newsletter here. On the portal you can read daily news about current threats and new defense strategies.