MedusaLocker leak site lists the Canton of Zürich's Baudirektion — unconfirmed claim [SINGLE-SOURCE]
From CTI Daily Brief — 2026-07-02 · published 2026-07-02
The MedusaLocker ransomware group added a listing on 2026-07-01 for a victim named "Bd" with the domain bd.zh.ch, the domain used by the Baudirektion (Building/Construction Directorate) of the Canton of Zürich, a Swiss cantonal-government department. The group's own claim text records "772 emails extracted; Domain: bd.zh.ch," with no ransom figure or data sample published (Ransomware.live, 2026-07-01). This is a dark-web leak-site claim only — it is not confirmed by the Canton of Zürich or by any independent reporting. Targeted searches for a cantonal statement, an NCSC.ch (BACS) advisory, or Swiss press coverage returned nothing in this window. The same MedusaLocker posting wave on 1 July (~22:28–22:33 UTC) also listed other European entities in immediate succession, including a French municipality — consistent with a batch-style listing rather than a single targeted disclosure. No initial-access vector or exploited product is available from the listing.
Why it matters to us: direct relevance to a Swiss cantonal-government reader base. Treat as an early, unconfirmed situational-awareness signal — verify against an official cantonal or NCSC.ch statement before acting, and, if you operate *.zh.ch infrastructure, quietly confirm whether the Baudirektion or shared cantonal services were affected. No defender action beyond monitoring is warranted on an unverified leak-site claim.