Inaction becomes a weapon

One click, a wrong password or an open security vulnerability can be enough to bring a company to a standstill. Ransomware attacks are among the greatest threats to companies today. As several cantons and dozens of Swiss companies are affected, the Office of the Attorney General of the Swiss Confederation is taking over the proceedings. fedpol is investigating.

An employee of an accounting services firm in the Swiss Plateau was the first to arrive at the office in the morning and switched on his computer. When he tried to open a file, a message appeared on his screen instead of his client’s income statement. The message read: “All files belonging to the company and its clients have been encrypted. They will be published unless the demanded ransom is paid within 24 hours.” Similar scenarios have happened to numerous companies. The sender of the ransom demand is the ransomware group 8Base, one of the largest criminal groups, which makes millions of francs every year through such extortion schemes. They encrypt data, cripple IT systems and cause significant financial damage.

For many victims, the ransom payments are less of a problem than the costs incurred by the disruption of their services. Production processes come to a standstill, invoices pile up, and deadlines must be postponed. Criminal groups have long since extended their focus beyond large corporations to small and medium-sized businesses as well.

fedpol and the Office of the Attorney General of the Swiss Confederation, together with international partners, are helping to curb this threat. The aim is to identify the ransomware group 8Base, which is causing damage to hundreds of companies and organisations worldwide, including several dozen in Switzerland.

Agile collaboration

Close and flexible collaboration among the participating authorities plays a central role. Instead of a linear large-scale investigation, the partner countries rely on short, coordinated investigative phases. During these sprints, findings are consolidated, leads are combined, and the perpetrators are gradually identified.

Investigative teams identify early signs of planned attacks. This information enables the affected countries to take preventive measures: companies are warned, systems are checked and access points are secured. Through their international partners, fedpol’s cyber investigators can issue early warnings to more than 300 potential corporate victims worldwide. This has prevented extortion before it even began – including in Switzerland, where several suspected members have been identified, located and arrested.

Coordinated action

One visible result of international cooperation is what is known as a take-down. This involves taking the cybercriminals’ technical infrastructure offline, including the platforms on which they publish the stolen data. In place of the previous content, a notice page from law enforcement agencies appears. This makes it clear that the authorities have taken control of the infrastructure – and that criminal activities do not go unnoticed (more on this in the Europol press release).

Encrypted data becomes readable again

Another tangible result of the operation is the assistance provided to companies that have already been victimised. Japanese investigators have successfully developed a decryption tool for encrypted files. This tool is published on the No More Ransom platform, provided by Europol and the Dutch police. For victims who have not paid a ransom, this is a major breakthrough: their data becomes accessible again.

Ultimately, the 8Base case demonstrates one thing above all else: cybercriminals operate globally – and so does effective law enforcement.

“Cybercrime is a field that is changing particularly rapidly. An investigative success on this scale can only be achieved thanks to effective national and international cooperation.”

Lukas, Federal Cybercrime Investigator

No police work without shared information