Ransomware (Sarcoma)

Radix Sarcoma Ransomware

In June 2025, the Radix Foundation fell victim to the Sarcoma ransomware group. Sensitive federal data ended up on the darknet — a supply chain attack with far-reaching consequences.

Radix Sarcoma Ransomware

What happened?

In June 2025, the Radix Foundation, a nationally active Swiss organisation for health promotion and prevention, fell victim to a ransomware attack by the hacker group Sarcoma. The attackers encrypted systems and exfiltrated confidential data — including sensitive documents of the Swiss federation stored at Radix under government mandates.

When the foundation did not pay the ransom, Sarcoma published the stolen data on their darknet leak site. The incident thus became a supply chain attack: not the federal administration itself was hacked, but an external provider working on behalf of the government.

Sarcoma has been active since 2024 and specialises in medium-sized organisations — particularly those in health and social services that often have limited IT security budgets but process highly sensitive data.

The case is reminiscent of the Xplain incident of 2023, where another external federal provider was hacked and federal data ended up on the darknet — demonstrating that Switzerland has not drawn sufficient lessons from previous incidents.

Who was affected?

  • The Radix Foundation itself: Operational systems encrypted, activities restricted for weeks
  • Federal authorities: Confidential documents from federal mandates ended up on the darknet
  • Cantons and municipalities: Project data compromised
  • Target populations of programmes: People in vulnerable situations — those affected by addiction, mental health challenges, young people in prevention programmes — whose data is potentially visible on the darknet

How large was the damage?

Damage categoryEstimated cost
Incident response and forensicsCHF 150,000–300,000
System restorationCHF 100,000–250,000
Legal adviceCHF 100,000–200,000
Crisis communicationCHF 50,000–100,000
Notification of affected personsCHF 30,000–80,000
Business interruptionCHF 200,000–500,000
Estimated total direct damageCHF 630,000–1.4m

While direct costs appear moderate compared to large corporations, they can be existentially threatening for a foundation with a limited budget. Non-profit organisations typically have no financial reserves for cyber incidents.

A cyber insurance policy with coverage of CHF 1–2m (annual premium approx. CHF 3,000–8,000) would have covered 70–85% of the direct costs.

Lessons for Swiss SMEs

  1. Supply chain attacks hit the weakest link. Attackers deliberately target smaller providers to access data of large clients.

  2. Federal data requires special protection. Companies working on government mandates face heightened duty of care obligations.

  3. Non-profit organisations are particularly vulnerable. NGOs, foundations and associations rarely have dedicated IT security budgets but often process highly sensitive data.

  4. Data segmentation is mandatory. Mandate-related data should be stored in strict separation.

  5. The Xplain case changed nothing — those who do not learn from the cases of others become the next victim.

  6. Comply with reporting obligations to the BACS within 24 hours.

Get a free consultation. The experts at BTAG Versicherungsbroker AG in Bern analyse your individual risk profile.

Have questions about cyber insurance?

Our partners at BTAG are happy to advise you — free and with no obligation.

Learn more Or calculate your costs first

A service of BTAG Versicherungsbroker AG, Bern — independent advice since 1990.

BTAG Versicherungsbroker AG Mitglied SIBA FINMA Register-Nr. 12229
Contact us →