Wasteland.
Ransomware | RUAG-RANSOM-PAYMEN | 2026-06-06

RUAG: Akira Ransomware Payment Confirmed

Swiss federally owned defence contractor RUAG has confirmed it paid a ransom to the Akira ransomware group following a 2025 intrusion at its US subsidiary. Board chairman Jürg Rötheli disclosed the payment on Swiss public radio SRF, stating the company "paid a small amount" and recovered all stolen data. The decision directly contradicts guidance from the Federal Office for Cybersecurity (FOCBS), which advises against ransom payments.

What Happened

In autumn 2025, the Akira ransomware group compromised systems belonging to RUAG's US subsidiary, LLC. The attackers exfiltrated data and threatened to publish the material unless a ransom was paid. RUAG, the federally owned Swiss defence firm whose customers include the Swiss Armed Forces, opted to pay rather than risk public exposure of the stolen information. The payment was confirmed publicly on June 6, 2026, when Rötheli appeared on SRF radio, though he declined to disclose the exact figure transferred to the threat actor.

What Was Taken

RUAG has not publicly itemised the data set. Rötheli's statement confirms that material was stolen from the US subsidiary's systems and that "all the data" was returned following payment. Given RUAG's portfolio across defence electronics, ammunition, and military aerospace components, any exfiltrated material from a US subsidiary carries significant sensitivity, particularly if it touches on customer relationships, supplier networks, or technical specifications tied to allied defence programmes.

Why It Matters

This incident is the second major public breach affecting RUAG in roughly a decade, following the 2016 intrusion attributed to state-aligned espionage actors. The current case is materially different: a financially motivated ransomware crew successfully extorted a sovereign defence supplier. The payment also places RUAG in open conflict with its own national cybersecurity authority, the FOCBS, which warns that ransom payments fund further criminal operations and incentivise repeat targeting. For allied defence primes and government-owned contractors, the case illustrates that subsidiary risk and FOCBS-style policy guidance can collide at the board level under operational pressure.

The Attack Technique

Akira has been highly active against industrial, manufacturing, and defence-adjacent targets since 2023. The group typically gains initial access through compromised VPN appliances lacking multi-factor authentication, exposed remote access services, or valid credentials purchased from initial access brokers. Once inside, Akira operators conduct lateral movement using legitimate administration tooling, escalate privileges, exfiltrate data to attacker-controlled infrastructure, and finally deploy the Akira encryptor across Windows and ESXi estates. RUAG has not publicly attributed an initial access vector for the LLC subsidiary intrusion.

What Organizations Should Do

  1. Audit all VPN and remote-access appliances for MFA enforcement and current firmware, with priority on Cisco ASA, SonicWall, and similar devices historically abused by Akira.
  2. Treat subsidiaries, recently acquired entities, and foreign business units as elevated-risk surfaces; extend EDR, log collection, and identity controls to parity with the parent.
  3. Hunt for Akira tradecraft: scheduled-task persistence, AnyDesk or RustDesk installation, WinRAR-based staging, and rclone or FileZilla exfiltration to cloud endpoints.
  4. Pre-define a ransom-decision framework with legal, executive, and government stakeholders before an incident, including sanctions screening on any threatened payment.
  5. Test offline, immutable backup recovery for both Windows and ESXi infrastructure on a realistic timeline, not merely a tabletop exercise.
  6. Engage national cybersecurity authorities such as FOCBS, CISA, or the NCSC early; their guidance and intelligence sharing materially shape response options.
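The tradecraft described under "The Attack Technique" and the hunt items in step 3 can be turned into a first-pass triage over exported process-creation telemetry. The script below is an added example written for this brief; it is not code from the brief, from RUAG or from swissinfo. It assumes an export of one JSON object per line with the fields id, host, user, image and cmdline (the rough shape of a flattened Sysmon Event ID 1 or EDR process-create export), and the sample lines embedded in it are constructed, not real telemetry. It flags the four behaviours the brief names (remote-access tool execution, WinRAR archive creation, rclone/FileZilla transfers, schtasks /create) and escalates a host only when two or more of them co-occur, since a lone WinRAR or FileZilla run is routine on many estates.

```python
"""Triage exported process-creation events for the Akira-style tradecraft the
brief lists: remote-access tool installs, WinRAR staging, rclone/FileZilla
exfiltration and scheduled-task persistence.

Input is one JSON object per line.  The field names and the sample export
below are assumptions made for this example, not real telemetry."""
import json
import ntpath
import re
from collections import defaultdict

# Constructed sample export: host names, users, paths and arguments are
# invented.  Event 5 (archive extraction) and event 6 (schtasks /query) are
# benign controls that the rules must not flag.
SAMPLE_JSONL = r"""
{"id": 1, "host": "WS-ADM01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\svc\\a.exe /sc onlogon"}
{"id": 2, "host": "WS-ADM01", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\WinRAR\\Rar.exe", "cmdline": "Rar.exe a -r C:\\ProgramData\\stage\\fin.rar \\\\FS01\\Finance"}
{"id": 3, "host": "WS-ADM01", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy C:\\ProgramData\\stage remote:bucket --transfers 8"}
{"id": 4, "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"}
{"id": 5, "host": "WS-HR07", "user": "CORP\\hr.user", "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "WinRAR.exe x C:\\Users\\hr.user\\Downloads\\forms.rar"}
{"id": 6, "host": "WS-HR07", "user": "CORP\\hr.user", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /query /tn Updater"}
"""


def load_events(jsonl: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(event: dict) -> set[str]:
    """Return the set of tradecraft categories a single event matches."""
    exe = ntpath.basename(event.get("image", "")).lower()
    args = event.get("cmdline", "").split()
    sub = args[1].lower() if len(args) > 1 else ""
    hits: set[str] = set()
    # Remote-access tooling the brief names; match on the image name so a
    # portable copy run from an odd path is caught, not only installer runs.
    if re.match(r"^(anydesk|rustdesk)", exe):
        hits.add("remote_access_tool")
    # Rar/WinRAR "a" (add) creates an archive, i.e. staging; "x" (extract) is not.
    if exe in {"rar.exe", "winrar.exe"} and sub == "a":
        hits.add("archive_staging")
    # rclone transfer verbs with a configured remote ("name:path") as an
    # argument; a single letter before the colon is a drive, not a remote.
    if exe == "rclone.exe" and sub in {"copy", "sync", "move"} \
            and any(re.match(r"^[A-Za-z0-9_-]{2,}:", a) for a in args[2:]):
        hits.add("cloud_exfil")
    if exe == "filezilla.exe":
        hits.add("cloud_exfil")
    # schtasks /create is the persistence primitive; /query and /delete are routine.
    if exe == "schtasks.exe" and "/create" in (a.lower() for a in args):
        hits.add("scheduled_task_persistence")
    return hits


def hunt(events: list[dict]) -> dict[str, dict[str, list[int]]]:
    """Group matching event ids by host and category: {host: {category: [ids]}}."""
    by_host: dict[str, dict[str, list[int]]] = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for cat in sorted(classify(ev)):
            by_host[ev["host"]][cat].append(ev["id"])
    return {host: dict(cats) for host, cats in by_host.items()}


def triage(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """One verdict per host: 'escalate' when two or more categories co-occur
    (the staging-then-exfiltration chain the brief describes), 'review' for a
    lone hit.  Hosts with no hits are omitted."""
    verdicts = []
    for host, cats in sorted(hunt(events).items()):
        verdict = "escalate" if len(cats) >= 2 else "review"
        verdicts.append((host, verdict, sorted(cats)))
    return verdicts


if __name__ == "__main__":
    for host, verdict, cats in triage(load_events(SAMPLE_JSONL)):
        print(f"{verdict:8} {host:10} {', '.join(cats)}")
```

On the constructed sample, WS-ADM01 is escalated (scheduled task, archive creation and an rclone push to a remote all on one host), FS01 is marked for review on the AnyDesk run alone, and WS-HR07 produces nothing because archive extraction and schtasks /query are normal activity. The rules deliberately key on executable names and argument verbs rather than file hashes, since the tools involved are legitimate software that attackers bring in unmodified.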

Sources: Swiss defence firm RUAG paid ransom to hackers - SWI swissinfo.ch