Hackers have gained access to around 800 gigabytes of data from the Swiss firms Neue Zürcher Zeitung (NZZ) and CH Media - owners of a large percentage of regional media in Switzerland. The hacker group Play, suspected of being behind the attack, has begun posting the stolen data on the internet and has said that the five gigabytes currently published are “just the tip of the iceberg”, with the rest of the data set to be published if the media firms don’t pay up soon. 

Ransomware group targets Swiss media firms

NZZ was first made aware of the hack on March 24, with the newspaper initially facing a crisis as reporters were unable to use their laptops and mobile devices to publish news. But now, more than a month later, new consequences of the hack are becoming clear: 800 gigabytes of stolen data from NZZ and CH Media could be published online. 

According to Blick, a hacker group published information on the darknet claiming to have taken private and personal data, as well as salary and project information from the firms. Blick also stated that the consequences of the hack were even more significant at CH Media, where connected IT services meant that newspapers across Swiss cantons such as the Aargauer Zeitung, St. Galler Tagblatt, and the Luzerner Zeitung also suffered from the attack. 

Both firms have informed their teams internally about next steps relating to the hack, and according to Blick, CH Media has brought in experts to assess precisely what data has been taken and published. It was later revealed on May 5 that the hack on the NZZ had spread to Blick itself and members of the Tamedia Group - owners of 20 Minuten.

Play ransomware group first emerged in 2022

Not much information is currently available about the group, which first appeared in 2022 and is named after the “.play” file extension that it uses after encrypting the victim’s data. According to Cyberscoop, the group takes and encrypts the victim's files, then sends a single-word ransom note: PLAY - along with an email address for sending funds to regain access to data. 

Initially, most of the group's activities were carried out in South America, specifically Brazil, but in the time since the group began operations in June 2022, victims of Play’s hacks have included BMW and the US city of Oakland. The group also claimed an attack made on Argentina’s Judiciary of Córdoba, which Argentinian media later called the “worst attack in history on public institutions” in the country.