ctipilot.ch

MedusaLocker leak-site listing of Canton Zürich Baudirektion (bd.zh.ch) — unconfirmed

incident · incident:medusalocker-canton-zurich-baudirektion-2026

  • Coverage timeline: 1 (first 2026-07-02 → last 2026-07-02)
  • Briefs: 1 (1 distinct)
  • Sources cited: 1 (1 host)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-02 · CTI Daily Brief — 2026-07-02
    active_threats · First coverage: MedusaLocker claims 772 emails from bd.zh.ch; unconfirmed by Canton, no press/NCSC.ch corroboration

Where this entity is cited

  • active_threats: 1

Source distribution

  • ransomware.live: 1 (100%)

Items in briefs about MedusaLocker leak-site listing of Canton Zürich Baudirektion (bd.zh.ch) — unconfirmed (1)

MedusaLocker leak site lists the Canton of Zürich's Baudirektion — unconfirmed claim [SINGLE-SOURCE]

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

The MedusaLocker ransomware group added a listing on 2026-07-01 for a victim named "Bd" with the domain bd.zh.ch, the domain used by the Baudirektion (Building/Construction Directorate) of the Canton of Zürich, a Swiss cantonal-government department. The group's own claim text records "772 emails extracted; Domain: bd.zh.ch," with no ransom figure or data sample published (Ransomware.live, 2026-07-01). This is a dark-web leak-site claim only — it is not confirmed by the Canton of Zürich or by any independent reporting. Targeted searches for a cantonal statement, an NCSC.ch (BACS) advisory, or Swiss press coverage returned nothing in this window. The same MedusaLocker posting wave on 1 July (~22:28–22:33 UTC) also listed other European entities in immediate succession, including a French municipality — consistent with a batch-style listing rather than a single targeted disclosure. No initial-access vector or exploited product is available from the listing.

Why it matters to us: direct relevance to a Swiss cantonal-government reader base. Treat as an early, unconfirmed situational-awareness signal — verify against an official cantonal or NCSC.ch statement before acting, and, if you operate *.zh.ch infrastructure, quietly confirm whether the Baudirektion or shared cantonal services were affected. No defender action beyond monitoring is warranted on an unverified leak-site claim.