Groupe 3R confirms Akira attribution and darknet publication of stolen data in its own forensic update
UPDATE · originally covered Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months (2026-05-10)
Groupe 3R (Réseau Radiologique Romand), the network of 20 medical-imaging centres across seven Romandie cantons (Geneva, Vaud, Valais, Fribourg, Neuchâtel, Berne), has now confirmed through its own forensic investigation — not merely the attacker's leak-site claim — that the 30 April 2026 ransomware attack was carried out by Akira, and that stolen corporate and administrative documents have since been published on the darknet (SwissCybersecurity.net, 2026-07-07; ICTjournal.ch, 2026-07-06). This closes the attribution gap left open when Akira first listed the victim on 2026-05-08. The operator states medical data was encrypted (disrupting availability) but that no publication of medical data has been observed to date, while candidly acknowledging that whether medical data was also exfiltrated "may never be clarified with absolute certainty" — an unusually frank admission of incomplete forensic visibility that is itself the transferable lesson here.
Groupe 3R refused to pay the ransom, filed a criminal complaint with cantonal police on the attack date (forwarded to the Federal Public Prosecutor on 2026-05-12) and notified the Federal Office for Cybersecurity (BACS). As of this update all 20 centres are running on rebuilt, ISO-27001-partner infrastructure (RIS, PACS, telephony and teleradiology restored) but the referring-physician portal remained in security testing before redeployment — over two months post-incident. The activity is consistent with Akira's documented playbook: T1486 Data Encrypted for Impact (medical-data encryption), T1567 Exfiltration Over Web Service (darknet publication), typically preceded by edge-device / external-remote-service initial access.
Defender actions
- Swiss/EU healthcare operators previously targeted should not treat a single successful defence as retiring the threat model: Groupe 3R has now been hit twice inside twelve months — by different attackers in April 2025 and by Akira in April 2026 — so budget for recurring hardening reviews of edge/remote-access exposure rather than assuming one incident closes the risk.
- Ensure egress monitoring and object-level access logging on PACS/RIS/backup infrastructure are in place now: Groupe 3R's admission that exfiltration scope may be structurally unknowable after the fact shows post-hoc forensics cannot substitute for pre-existing telemetry.
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.