What happened?
Since early 2024, an unprecedented ransomware wave by the Akira group has been sweeping through the Swiss SME landscape. At a rate of 4 to 5 new victims per week, Akira represents the largest and most sustained cyber threat Swiss companies have ever faced. By early 2026, an estimated 200 Swiss SMEs have been affected — the actual number is likely considerably higher, as many incidents go unreported.
Akira has been active since March 2023 and deliberately targets small and medium-sized enterprises. Unlike groups such as LockBit or BlackCat that primarily attack large corporations, Akira focuses on organisations with 20 to 500 employees — precisely the size where professional IT security is often lacking, but sufficient revenue for ransom payments exists.
The typical Akira attack pattern in Switzerland:
- Initial access via VPN vulnerabilities: Akira exploits known vulnerabilities in Cisco VPN gateways and other remote access solutions commonly used by Swiss SMEs. MFA is often missing.
- Rapid spread: After initial access, attackers move laterally through the network within hours to days. SME networks are often flat (no segmentation), facilitating the spread.
- Data exfiltration: Before encryption, confidential data is copied — customer lists, accounting data, personnel files, contract documents.
- Encryption and extortion: All reachable systems are encrypted. Ransom demands typically range between CHF 50,000 and CHF 500,000 — calculated so that payment appears just about bearable for the affected SME.
- Double extortion: If payment is refused, Akira threatens to publish the data on their leak site.
Who was affected?
The Akira wave hits Swiss SMEs across all industries and regions. Particularly frequently affected are:
- Manufacturing companies: Machine builders, suppliers and manufacturers whose connected production systems are particularly vulnerable
- Fiduciary and consulting firms: Attractive targets because they manage confidential financial data of hundreds of clients
- E-commerce and trade companies: Online shops and retailers whose customer data is valuable to criminals
- Trades and service providers: Electricians, architects, engineers — companies that traditionally do not see themselves as cyber targets
- Medical practices and healthcare providers: Particularly sensitive patient data makes them worthwhile targets
Affected companies share typical characteristics: 20 to 200 employees, no dedicated IT security personnel, IT managed by an external provider and no cyber insurance.
How large was the damage?
Average damage per SME
| Damage category | Typical costs |
|---|---|
| Business interruption (5–15 days) | CHF 50,000–250,000 |
| Incident response and forensics | CHF 30,000–80,000 |
| System restoration | CHF 20,000–100,000 |
| Ransom demand (if paid) | CHF 50,000–500,000 |
| Legal advice and data protection | CHF 10,000–30,000 |
| Customer notification | CHF 5,000–20,000 |
| Crisis communication | CHF 5,000–15,000 |
| Typical total damage per SME | CHF 170,000–1m |
Projected total damage for Switzerland
| Metric | Value |
|---|---|
| Estimated number of affected SMEs (2024–2026) | ~200 |
| Average damage per incident | ~CHF 400,000 |
| Estimated total damage | ~CHF 80m |
| Proportion of SMEs with cyber insurance | ~5–10% |
| Uninsured damage | ~CHF 72–76m |
The vast majority of damage hits SMEs with no cyber insurance. An estimated 20–30% of affected SMEs must cease operations or are acquired within two years of a severe ransomware attack.
Would cyber insurance have helped?
Yes. For Swiss SMEs, cyber insurance provides very good coverage for ransomware incidents.
Cost analysis and insurance coverage (typical SME)
| Cost item | Typical costs | Covered by cyber insurance? |
|---|---|---|
| Incident Response & Forensics | CHF 30,000–80,000 | Yes – core service of any policy |
| Business interruption (5–15 days) | CHF 50,000–250,000 | Yes – up to coverage limit |
| System restoration | CHF 20,000–100,000 | Yes – typically covered |
| Ransom demand | CHF 50,000–500,000 | Partially – depends on policy |
| Legal advice & data protection | CHF 10,000–30,000 | Yes – legal protection component |
| Customer notification | CHF 5,000–20,000 | Yes – regulatory obligation |
| Crisis communication | CHF 5,000–15,000 | Yes – frequently included |
| Typical total damage | CHF 170,000–1m | ~70–90% potentially covered |
Cost-benefit analysis
| Metric | Value |
|---|---|
| Typical annual premium (SME, 50 employees) | CHF 3,000–8,000 |
| Typical coverage limit | CHF 1–5m |
| Average damage from Akira attack | ~CHF 400,000 |
| Return on investment in case of claim | 50 to 130 times |
For Swiss SMEs, cyber insurance in the face of the Akira threat is not an optional add-on but a business necessity. Particularly valuable is the immediate access to incident response specialists that the insurance provides.
Lessons for Swiss SMEs
- Secure VPN access immediately: Akira exploits known VPN gateway vulnerabilities. All remote access solutions must be updated and secured with multi-factor authentication (MFA).
- Implement network segmentation: Flat networks enable rapid spread. At minimum, separation between office IT, production OT and backup systems is essential.
- Offline backups are vital: Akira deliberately encrypts accessible backups. Only offline or immutable backup solutions provide reliable protection.
- Hold IT providers accountable: Many affected SMEs rely on external IT partners who themselves do not maintain adequate security standards.
- Train employees: Phishing remains a common entry point. Regular, practical training — not just an annual PDF — is necessary.
- Take out cyber insurance now: With 4–5 new Akira victims per week, the question is not if but when your company could be affected.
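An added example, not part of the original article: a small audit that checks firewall allow rules against the office IT / production OT / backup separation named in the segmentation lesson above. The zone CIDRs, rule names and the single permitted backup-pull flow are constructed assumptions for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): one CIDR per zone the lesson names.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.20.0.0/16"),
    "backup": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed firewall allow rules: (name, source CIDR, destination CIDR, port).
# A port of None means "any port".
RULES = [
    ("legacy-any-any", "10.0.0.0/8", "10.0.0.0/8", None),
    ("office-to-erp", "10.10.0.0/16", "10.10.5.10/32", 443),
    ("backup-pull-office", "10.30.0.10/32", "10.10.0.0/16", 445),
    ("office-rdp-ot", "10.10.0.0/16", "10.20.1.0/24", 3389),
    ("office-smb-backup", "10.10.0.0/16", "10.30.0.0/24", 445),
]

# Cross-zone flows this example policy accepts (assumption): the backup server
# pulls from the office zone; nothing may initiate a connection towards backup.
PERMITTED = {("backup", "office")}


def zones_hit(cidr):
    """Return the names of all zones that a rule's CIDR overlaps."""
    net = ipaddress.ip_network(cidr)
    return sorted(name for name, zone in ZONES.items() if net.overlaps(zone))


def audit(rules, permitted=PERMITTED):
    """List (rule, src_zone, dst_zone, port) for every unapproved cross-zone path."""
    findings = []
    for name, src, dst, port in rules:
        for s in zones_hit(src):
            for d in zones_hit(dst):
                if s != d and (s, d) not in permitted:
                    findings.append((name, s, d, port))
    return findings


if __name__ == "__main__":
    for name, s, d, port in audit(RULES):
        print(f"{name}: {s} -> {d} port {port if port else 'any'}")
```

A broad rule such as the constructed `legacy-any-any` entry is flagged once per zone pair it opens, which shows how a single leftover rule makes an otherwise segmented network flat again.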
Get a free consultation. The experts at BTAG Versicherungsbroker AG in Bern analyse your individual risk profile and find the right cyber insurance for your SME — independent and transparent.