At the beginning of November, the Swiss software company Concevis was attacked by ransomware: all servers were encrypted and data was stolen. The company's software is also used in federal, cantonal and city public administrations. According to Tagesanzeiger.ch, the first data has now appeared on the darknet via an insider.
Alongside Concevis AG, the National Cyber Security Center (NCSC) is also providing information about the cyber attack on the company's systems and about which official bodies in the federal government, cantons and cities may be affected because they use Concevis software solutions. The company itself said it took immediate measures to ward off and contain the attack. As part of this attack, data on the company's servers was stolen and encrypted. The exact extent of the data outflow is still being analysed.
First data on the dark web?
According to the NCSC, Concevis' customers also include various administrative units of the federal administration. According to current knowledge, the Federal Office for Civil Protection, the Federal Office for Spatial Development, the Federal Statistical Office, the Federal Office for Civil Aviation, the Federal Tax Administration and the Training Command are on Concevis' customer list. It is currently being clarified which bodies and data are specifically affected.
According to tagesanzeiger.ch, the first fragments of tax administration data from the attack have now apparently surfaced on the dark web. An unknown insider found the data and shared excerpts from it with the Tagi editorial team. They are said to show highly sensitive information on US customers of Swiss banks. This probably also includes their name, country of residence, passport and account number.
Initial sources suspect Phobos ransomware
The NCSC coordinates further clarifications and measures within the federal administration. It is in contact with the Concevis company as well as the law enforcement authorities and the affected administrative units of the federal administration and will inform the public about further findings in due course.
According to information from the NZZ, the ransomware used to encrypt the Concevis systems is said to be Phobos. According to an analysis by Cisco Talos, Phobos ransomware is a further development of the Dharma/Crysis ransomware. It has probably undergone only minimal development since it was first observed in 2019.
More at NCSC.Admin.ch