Swiss Government Data Leaked in Ransomware Attack Linked to Sarcoma Group

Switzerland is reeling from the latest in a growing wave of ransomware attacks targeting public institutions, after federal officials confirmed that data from multiple government offices has been leaked on the dark web. The breach stems from a ransomware attack on Zurich-based nonprofit Radix, a key third-party service provider for federal, cantonal, and municipal agencies.


Radix, which runs eight public health-focused competence centers under government contract, disclosed that its systems were infiltrated by the Sarcoma ransomware group earlier this month. The group reportedly exfiltrated and encrypted sensitive files before publishing 1.3 terabytes of stolen data—ranging from contracts and financial records to internal communications—on its dark web extortion site after ransom negotiations failed.


This marks the second time in just over a year that Swiss government data has been exposed via a third-party breach. In 2024, the Play ransomware group leaked tens of thousands of confidential documents following a breach of software provider Xplain.


According to Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka, the Radix incident highlights systemic vulnerabilities in the government’s digital supply chain. “A ransomware attack on a federal third-party service provider can have severe, cascading impacts,” Sood explained. “It can disrupt critical government operations, halting vital services like data processing and secure communications. Beyond immediate outages, sensitive government and personal data are at high risk of exposure…leading to major privacy breaches and national security concerns.”


Sood urged governments to adopt rapid containment strategies such as VLAN quarantining, network segmentation, and zero-trust network access (ZTNA) to curtail the spread of ransomware and protect sensitive infrastructure.


Sarcoma, the ransomware group responsible for this attack, has quickly built a reputation as one of the most aggressive actors in the threat landscape since its debut in October 2024. The group claimed 36 victims in its first month and made headlines earlier this year with a high-profile attack on Taiwanese PCB manufacturer Unimicron.


Andrew Costis, Engineering Manager at AttackIQ, emphasized the importance of proactive defense. “Sarcoma is known for implementing double extortion tactics… It is vital that government organizations take proactive defense measures by validating their defenses against attackers’ known tactics, techniques, and procedures,” he said. Costis warned that ransomware payments don’t ensure safety: “Doing so may further enable cybercriminals to profit and advance their operations… and may further incentivize future attacks.”


As investigations continue, the Swiss National Cyber Security Centre (NCSC) is working to assess the extent of the breach and coordinate with affected agencies. While Radix has stated there is “no evidence” that sensitive data from partner organizations has been misused, the published archive—available for free on Sarcoma’s leak site—tells a more concerning story.


For Switzerland, and governments around the world, the breach serves as yet another reminder: third-party risk is national risk.