In 2024, the Akira ransomware group consolidated its position among the most active threats globally, with hundreds of documented victims and a significant presence in Switzerland. The most widely reported Swiss case involves Hoerbiger, an industrial group headquartered in Zug.
Double extortion: how it works
Modern ransomware does not simply encrypt the victim company’s data. The now-standard model — so-called double extortion — adds a second lever: before encrypting, the attackers exfiltrate a copy of sensitive data. The victim therefore faces two distinct problems:
- Their systems are locked and inaccessible
- Their confidential data is in the hands of criminals, who threaten to publish it
Paying the ransom guarantees neither the return of the data nor its deletion from the attackers’ servers.
The Hoerbiger case
In the case of Hoerbiger — a company operating in industrial and compression sectors — the Akira group claimed to have stolen over 50 GB of confidential data. The Federal Prosecutor’s Office opened criminal proceedings. The company did not publicly comment on the details of the incident.
Why SMEs should be concerned
Hoerbiger is a large company. But Akira and similar groups systematically target SMEs too, often preferring them because:
- Less sophisticated defence systems
- Less frequent or unverified backups
- Reduced incident response capability
- Greater willingness to pay to restore operations quickly
How to reduce risk
No defence is absolute, but certain measures drastically reduce the likelihood of a successful ransomware attack:
- Immutable and isolated backups — stored on a system unreachable from the corporate network, verified periodically with recovery tests
- Network segmentation — limiting the malware’s ability to spread laterally
- Multi-factor authentication on all remote access and cloud services
- Systematic patching — many attacks exploit known, already-patched vulnerabilities
- Incident response plan — knowing what to do in the first hours is critical
The NCSC maintains a dedicated ransomware page with resources and contacts for affected companies.
Sources
- SWI Swissinfo — “Up to 200 Swiss companies targeted by ransomware hacker group” (16.10.2025): swissinfo.ch
- NCSC — Semi-annual report 2024/2: ncsc.admin.ch — Halbjahresbericht 2024/2