Swiss nonprofit health organization breached by Sarcoma ransomware group
The Swiss nonprofit health organization Radix has confirmed that its systems were breached by a ransomware group earlier this month.
In a statement on Monday, the Zurich-based agency — which runs health promotion programs and online counseling services — said that the threat actor known as Sarcoma had published data stolen from its systems on a leak site.
The Swiss government also issued a statement noting that "various federal offices" are among Radix's customers, and officials are evaluating what data was compromised. Radix has "no direct access" to government systems, the statement said.
Sarcoma is a relatively new ransomware group, first detected in October 2024. In February, the group claimed responsibility for an attack on Unimicron, a printed circuit board manufacturer in Taiwan.
Radix has not specified what kind of data was affected but said it would be able to restore it from backups. The exact method of the attack is still under investigation, the agency added.
Radix counts several Swiss federal offices among its clients. In a separate statement last week, Switzerland’s public health authority said that the anonymous online counseling platforms SafeZone and StopSmoking — which Radix operates on its behalf — were not directly affected by the cyberattack, as they are hosted outside of the nonprofit’s core infrastructure.
“There is currently no indication that particularly sensitive data has been affected by the cyberattack,” the Swiss Federal Office of Public Health said.
Information about the alleged Radix breach first emerged earlier in June, when the Sarcoma group claimed to have exfiltrated 2 terabytes of the organization’s data. The hackers gave Radix one week to pay a ransom for decryption.
The agency said that upon discovering the attack, it immediately revoked access to the affected data and confirmed that various files had been encrypted in the breach. It has not said whether it was involved in ransom negotiations.
According to previous research, Sarcoma uses a double extortion model, encrypting victims' data and threatening to leak it on the dark web if ransom demands are not met.
While the exact origins of Sarcoma remain unclear, security researchers believe the group may be linked to cybercriminals operating out of Eastern Europe.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.