Sarcoma, a recently emerged cybercrime group, was responsible for a data breach of Swiss health nonprofit Radix, according to a statement by the Zurich-based organization.
# Incident Report: Sarcoma Ransomware Attack on Swiss Health Nonprofit Radix
## Executive Summary
The Swiss nonprofit health organization Radix experienced a ransomware attack attributed to the Sarcoma group sometime in early June 2025, leading to data encryption and exfiltration. The threat actor published the stolen data after the organization reportedly declined negotiations. While core data was encrypted, services operated by Radix for the Swiss Federal Office of Public Health were unaffected as they were externally hosted.
## Incident Details
- Discovery Date: Early June 2025 (when Sarcoma publicly claimed the breach)
- Incident Date: Early June 2025 (exact start date unknown)
- Affected Organization: Radix (Swiss nonprofit health organization)
- Sector: Health Promotion / Nonprofit
- Geography: Zurich, Switzerland
## Timeline of Events
### Initial Access
- Date/Time: Unknown, prior to early June 2025.
- Vector: Not specified in the provided text.
- Details: The exact method of initial compromise is "still under investigation."
### Lateral Movement
- Details: Not described in the statement; the only reported trace of activity on internal hosts is the encryption of "various files" on Radix systems.
### Data Exfiltration/Impact
- Date/Time: Early June 2025 (Sarcoma publicly announced the breach).
- Details: Around 2 terabytes of data were allegedly exfiltrated by the threat actor. The data was subsequently published on a leak site after a one-week ransom demand window passed. Radix confirmed file encryption occurred.
### Detection & Response
- Date/Time: Upon discovery of the threat actor’s claims/activity in early June 2025.
- Details: Radix immediately revoked access to the affected data and confirmed the encryption. The Swiss Federal Office of Public Health confirmed that related counseling platforms (SafeZone, StopSmoking) hosted externally were not affected. Restoration from backups is planned.
## Attack Methodology
- Initial Access: Unknown (Under investigation).
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified; the encryption of "various files" is the only reported activity on internal systems.
- Collection: Allegedly collected approximately 2 TB of data.
- Exfiltration: Data was exfiltrated and subsequently posted to a leak site.
- Impact: Data encryption and publicly available stolen data (double extortion).
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Up to 2 terabytes of data were claimed to be stolen. The Swiss Federal Office of Public Health stated there is "no indication that particularly sensitive data has been affected."
- Operational: Radix has the ability to restore affected files from backups.
- Reputational: Public confirmation of a significant data breach involving an organization that serves federal offices.
## Indicators of Compromise
- Network indicators: Not specified (No defanged IPs/URLs mentioned).
- File indicators: Not specified (Specific malware or file hashes not mentioned).
- Behavioral indicators: Ransomware deployment leading to file encryption and subsequent publication of stolen data on a leak site.
## Response Actions
- Containment measures: Upon discovery, Radix "immediately revoked access to the affected data."
- Eradication steps: Not specified in the statement.
- Recovery actions: Radix stated it "would be able to restore it from backups."
## Lessons Learned
- Tested, restorable backups are what make recovery possible after a ransomware encryption event; verifying them regularly is essential.
- Hosting third-party services separately (as with the externally hosted counseling platforms) kept those critical services outside the incident's blast radius.
## Recommendations
- Fully investigate the initial access vector used by Sarcoma to enhance perimeter defenses.
- Conduct a thorough file integrity and security audit across the environment to confirm the full extent of the double-extortion activity (encryption and exfiltration) and to verify that no persistence mechanisms remain.
- Review separation of duties and network segmentation between sensitive data and regular operational environments.