Swiss defense company RUAG pays ransom to cyber gang
After the cyber gang Akira exfiltrated data from RUAG subsidiary Mecanex USA, RUAG paid a ransom.
Contrary to the usual recommendation of IT security experts and the Swiss Federal Office for Cybersecurity, the federal company RUAG has apparently paid a ransom after the cyber gang Akira stole sensitive documents from its subsidiary Mecanex USA during an IT incident. The data theft occurred in early November 2025, and SRF attributes the intrusion to the US subsidiary RUAG LLC.
The perpetrators from Akira stated on the darknet that they had copied about 24 GByte of data. This is said to contain social security numbers, IDs, driver's licenses, phone numbers, addresses, and other information of employees. In addition, secret military information as well as contracts and instructions for handling explosives are said to be included.
RUAG admits ransom payment
SRF reports that RUAG Chairman of the Board Jürg Rötheli admitted the ransom payment in the SRF Saturday talk show: “We paid, a small amount, fortunately, and got all the data back,” he said on the radio program. Ransom demands are said to be in the lower six-figure range.
In Switzerland, as in Germany, authorities strongly recommend against paying ransoms in such cases. In 2022, IT security experts from academia and business published an open letter proposing measures against ransom payments by victims, which received a lot of attention.
Rötheli was also aware of this recommendation but explained that the ransom payment had been agreed upon with internal company bodies. Consultation with US legal experts had taken place. The Swiss Department of Defense VBS (Federal Department of Defense, Civil Protection, and Sport) declined to comment but stated that it had not been informed in advance. In an interview with SRF, SVP National Councillor and IT entrepreneur Mauro Tuena commented that the Akira group now knows that the Swiss Confederation is willing to pay ransom, which is a devastating signal. RUAG countered that the decision was the right one, as they recovered all data and were able to minimize damages.
The criminal organization Akira apparently continues to use its ransomware to encrypt its victims' data, rather than limiting itself, like many other groups, to stealing data and extorting a ransom for non-publication. It most recently drew attention at the end of 2025, when attackers pushed Akira ransomware onto SonicWall firewalls despite multi-factor authentication being enabled. Since then, the gang seems to be targeting smaller companies more and is less conspicuous.
(wpl)