Sarcoma ransomware attack on Radix leaks 1.3TB of Swiss government data, exposin...
A sophisticated ransomware attack has rocked Switzerland’s federal administration, exposing the nation’s persistent vulnerabilities to supply chain cyber threats. On June 16, 2025, the non-profit health foundation Radix, a trusted contractor for numerous Swiss federal offices, fell victim to the Sarcoma ransomware group.
The fallout: 1.3 terabytes of sensitive data—ranging from official documents to private correspondence—now circulating on the dark web, and a government facing urgent questions about third-party risk management.
## Anatomy of the Attack
### Sarcoma Group—A Rising Threat
Sarcoma, first detected in late 2024, has rapidly evolved into a formidable cybercrime collective, specializing in double extortion attacks. Unlike traditional ransomware, Sarcoma’s operations blend data encryption with large-scale data theft, leveraging the threat of public leaks to pressure victims.
The group’s tactics are highly targeted, relying on spear-phishing, exploitation of unpatched software, and lateral movement through remote access tools and credential theft.
### Breaching Radix—Entry, Exfiltration, and Extortion
Radix, based in Zurich, manages health and administrative projects for federal, cantonal, and municipal authorities. On June 16, Sarcoma infiltrated Radix’s systems, exfiltrated a massive trove of data, and encrypted internal files.
When Radix refused to pay the ransom, Sarcoma published the stolen data—spanning financial records, contracts, and sensitive communications—on its dark web leak portal on June 29.
## Scale and Impact of the Data Leak
### Federal Data in the Crosshairs
Although Radix operates independently and holds no direct access to government IT systems, the breach’s impact is significant. As a contractor serving various federal offices, Radix stored and processed government data, now confirmed by Swiss authorities to have been leaked. The National Cyber Security Centre (NCSC) is leading the analysis to determine which agencies and datasets are affected, but the sheer volume—1.3TB—underscores the magnitude of the exposure.
### What Was Exposed?
The leaked archives reportedly include:
- Scans of official documents and IDs
- Financial statements and contracts
- Private correspondence and internal communications
- Potentially, the personal data of individuals involved in government projects
While Radix has notified affected individuals and maintains that there is no evidence of partner organization data being compromised, the investigation is ongoing, and the risk of phishing, fraud, and identity theft remains high.
## Supply Chain Attacks—A Recurring Swiss Vulnerability
### Not an Isolated Incident
This breach follows a troubling pattern in Switzerland. In 2024, a ransomware attack on Xplain, another government IT contractor, led to the leak of over 65,000 sensitive documents, including classified files and login credentials for federal agencies. These incidents highlight how attackers increasingly target third-party suppliers to circumvent direct government defenses.
### Double Extortion and Public Leaks
Sarcoma’s modus operandi—double extortion—mirrors a broader shift in ransomware strategy. By exfiltrating data before encryption, attackers gain leverage: even if victims refuse to pay, the threat of public exposure persists.
In Radix’s case, the refusal to pay led directly to the publication of the data, amplifying the breach’s consequences and complicating the incident response.
## Swiss Response and Lessons for the Future
### Immediate Actions and Ongoing Investigation
The NCSC, in coordination with Radix, law enforcement, and affected federal units, is conducting a comprehensive review to map the full extent of the breach. Authorities have urged vigilance, warning of increased phishing attempts leveraging leaked data. Radix has pledged transparency and is working to inform all individuals who may be impacted.
### Urgent Need for Supply Chain Security
This incident underscores the critical importance of robust third-party risk management in government IT. As cybercriminals increasingly exploit supply chain weaknesses, Swiss authorities—and governments worldwide—face mounting pressure to enforce stricter security standards, conduct regular audits, and ensure rapid incident detection and response across all contractors and partners.