Falconfeeds has broken down the number and type of cyberattacks in the last year for inside-it.ch. DDoS is at the top. Of the ransomware gangs, 8Base struck the most.
For 2024, the monitoring platform Falconfeeds.io recorded 175 cyber incidents in Switzerland. Announcements by cybercriminals on the dark web, in breach forums and on channels such as Telegram were evaluated. The company has broken down the figures for inside-it.ch. 60 DDoS attacks, 43 data breaches, 37 ransomware attacks, 22 access sales, 10 data leaks and 2 defacements were recorded.
“The cybersecurity landscape in Switzerland in 2024 reflects a mix of global trends and localized attacks,” writes Falconfeeds. DDoS attacks remain the most common type of attack and disrupt critical services across all sectors as ransomware evolves.
The three hardest-hit countries in Europe – Ukraine, the UK and France – each recorded over 1000 incidents. “The number of incidents in Switzerland is significantly lower than in its neighboring countries such as France (1094), Italy (777), Germany (712) and Austria (227),” Falconfeeds CEO Nandakishore Harikumar told inside-it.ch.
Politically motivated DDoS attacks
Number of incidents in Switzerland in 2024 per month. Graphic: Falconfeeds.io
During this period, Switzerland was mainly exposed to targeted DDoS attacks by both pro-Russian and anti-Israel groups. According to Falconfeeds, the pro-Russian group Noname057(16) has played a major role in politically motivated attacks, especially in connection with events such as the World Economic Forum (WEF) in January and the Ukraine Peace Summit on the Bürgenstock in June.
“However, at the end of 2024, there was a significant decline in DDoS activity in Switzerland. This could indicate that the focus of politically motivated attackers is shifting back to other regions or events that correspond to their ideological or geopolitical goals,” Harikumar said.
The cyberattacks in their entirety hit various industries and organizations. The consumer goods and services sector was most affected (22 incidents), just ahead of technology and IT services (21). This is followed by manufacturing & industry (18 incidents), transport & logistics (16), government & public sector (15), finance (14) and other sectors.
Numerous active ransomware gangs
The 8Base gang is at the top of the list of ransomware attacks in Switzerland, followed by Black Basta, Lockbit, Bashe, Ransomhub and numerous other groups such as Akira, Cicada3301, Helldown and Qilin. Black Basta, for example, claimed responsibility for the successful attack on the BKW subsidiary Swisspro. 8Base attacked the Zurich-based medtech company Mikrona, among others. Ransomhub was behind the attack on the Thun IT company Schneider Software, and the industrial grain manufacturer Hoerbiger became a victim of Akira. Helldown set its sights on Hug-Witschi, another IT service provider.
Ransomware gangs active in Switzerland and the number of attacks in 2024. Graphic: Falconfeeds.io
Although Lockbit is still a dominant ransomware group, its activities have decreased after “Operation Cronos” by international judicial authorities, Harikumar explains. Partners who were previously affiliated with Lockbit have turned to other ransomware operators. Nevertheless, the gang remains one of the leading ransomware groups in the world, with 524 incidents published by it in 2024.
“Emerging groups like Ransomhub have gained significant traction. This relatively new ransomware-as-a-service (RaaS) operation, formerly known as Cyclops and Knight, has seen a rapid rise, recording the highest number of incidents in 2024 with a total of 530,” the threat specialist elaborates. The continuous emergence of new ransomware groups illustrates an increasingly fragmented and dynamic threat landscape, in which more and more actors are actively entering the field and intensifying competition.
The real number is likely to be significantly higher
The channels evaluated by Falconfeeds mainly record announcements published by the cybercriminals themselves. The real number in Switzerland and other countries is therefore likely to be much higher. “Absolutely,” confirms Nandakishore Harikumar. The platform can provide valuable insights into ransomware activity, but this data is unlikely to accurately reflect the actual number of successful attacks. “Many incidents go unreported or go undetected because there are no public announcements by the perpetrators or because companies choose not to disclose violations for reputational reasons.”
Looking ahead to 2025, Falconfeeds expects to see further refinement of ransomware tactics and increased use of extortion techniques, including multi-layered attacks that combine data breaches with DDoS and ransomware. “Geopolitical tensions will continue to drive hacktivism campaigns, while new technologies could open up new avenues for attacks. In addition, we expect to see an increase in scams that use stolen data from data breaches to attack individuals and organizations, further complicating the threat landscape,” Harikumar predicts.