Swiss Nonprofit Health Agency Radix Breached by Emerging Sarcoma Ransomware Group

Zurich, July 2, 2025 — Radix, a Zurich-based nonprofit organization specializing in public health promotion and online counseling services, confirmed on June 30 that it fell victim to a ransomware attack carried out by the Sarcoma group. According to Radix’s statement, Sarcoma exfiltrated sensitive client and operational data before encrypting core systems and publicly posting stolen files on a dedicated dark-web leak site.

Incident Overview
Radix first detected unusual network activity in mid-June, prompting an immediate internal investigation and engagement of external cybersecurity consultants. While the organization’s primary operational platforms remained largely functional, threat actors succeeded in compromising backup archives and several administrative servers. In its June 30 statement, Radix emphasized that no direct connections to Swiss federal systems exist within its infrastructure—though they acknowledged that various federal offices utilize Radix’s services, and a government “data compromise assessment” is currently underway.

Sarcoma Ransomware: A Growing Threat
Sarcoma is a relatively new ransomware operation first identified by threat intelligence firms in October 2024. Analysts have linked Sarcoma attacks to a pattern of targeted intrusions against mid-size enterprises and nonprofit entities across Europe and North America. Their Tactics, Techniques, and Procedures (TTPs) frequently involve:

• Phishing-based initial access using convincingly branded email lures;
• Use of custom beaconing malware to establish persistent command-and-control channels;
• File-sharing abuse via legitimate cloud storage services to exfiltrate large data volumes;
• Double-extortion tactics whereby stolen data is published online to pressure victims into paying ransoms.

Security specialists warn that Sarcoma’s rapid evolution—from its first detection to high-profile breaches—underscores the increasing sophistication of “as-a-service” ransomware models, which lower the cost and expertise barriers for financially motivated cybercriminals.

Scope and Potential Impact
While Radix maintains it does not host or administer any government IT infrastructure, the involvement of federal offices as service recipients raises the stakes. Data under review may include:

• Personal health records of program participants;
• Internal communications regarding public-health initiatives;
• Counselling session metadata that could be deemed personally identifiable information (PII).

Swiss federal authorities are coordinating with Radix to determine whether any government-owned data repositories were indirectly exposed. Early indications suggest that the breach was confined to Radix’s own systems, rather than the downstream environments of its clients.

Organizational Response and Remediation
In the hours following breach confirmation, Radix took decisive steps to contain the incident:

1. 1- Disconnection of affected servers from all external networks;
2. 2- Deployment of an incident response team comprising both in-house security staff and a third- party digital forensics firm;
3. 3- Notification to Swiss data-protection regulators and impacted individuals in compliance with the Federal Act on Data Protection (FADP);
4. 4- Engagement with law-enforcement partners, including the Federal Cybercrime Unit (CYCO) of the Swiss Federal Office of Police (fedpol).

Radix’s executive leadership has pledged a full system rebuild on “air-gapped” infrastructure, alongside strengthened multifactor authentication (MFA) and network-segmentation controls.

Expert Commentary
“Nonprofits like Radix often lack the robust cybersecurity budgets of larger healthcare providers,” explained Dr. Lena Schmid, a cybersecurity consultant with Zurich-based firm CyberSentinel. “This attack highlights how adversaries are pivoting toward organizations perceived as softer targets but possessing valuable data.” Dr. Schmid recommends that charitable and nonprofit institutions adopt a “zero-trust” architecture, enforce least-privilege access, and periodically simulate phishing exercises to harden staff against social-engineering exploits.

Outlook and Recommendations
As Sarcoma’s leak site remains active, organizations across the Swiss health sector are urged to:

• Conduct urgent risk assessments of third-party service providers;
• Review and update incident-response playbooks to address ransomware and data-exfiltration scenarios;
• Invest in continuous endpoint monitoring and automated backup integrity checks.

Radix has established an incident-support hotline for affected clients and plans to publish a post-mortem report once its forensic analysis concludes. In the meantime, the breach serves as a stark reminder that even mission-driven, nonprofit entities are within the sights of modern ransomware syndicates.