Healthcare Supply Chain | May 29, 2026 | Switzerland

Belimed AG

A Swiss manufacturer of hospital sterilization equipment had 1.5 terabytes of financial and operational data stolen by INCRansom.

SAP databases, Financial records, Client contracts, Employee salary data, Banking information, Tax documentation, Internal audits

1. What happened?

On May 29, ransomware group INCRansom announced they had breached Belimed AG, a Swiss manufacturer of sterilization and disinfection equipment for hospitals worldwide. The attackers claimed complete access to the company's finance department systems.

According to the attackers, Belimed's management was offered a "private resolution" but chose silence. INCRansom set a one-month deadline before publishing the entire 1.5TB archive. This is double extortion: encrypt the systems, steal the data, then use the data as leverage.

2. What data was actually inside?

The attackers described a comprehensive data grab from the finance department: SAP databases with operational and financial information, accounting records, client contracts and payment histories, employee salary data, internal audits and strategic planning documents, plus banking and tax documentation.

This isn't scattered files. It's a complete snapshot of the organization's financial and internal operations—the kind of data that takes years to accumulate and seconds to exfiltrate.

3. Who gets hurt and how?

Belimed employees whose salary data and personal financial information are now in attacker hands. Hospital clients whose contract terms, payment schedules, and purchasing patterns could be exposed. Business partners whose confidential agreements may become public.

For a healthcare supply chain company, client lists and contracts have competitive value. Competitors could see pricing strategies. Attackers could use contract details for targeted phishing against hospital procurement teams.

4. What did they think they were doing right?

Belimed is a Metall Zug company, part of a Swiss industrial conglomerate with enterprise security standards. They operate in a highly regulated, healthcare-adjacent industry. Medical device manufacturers have quality management systems, ISO certifications, and compliance frameworks covering everything from product safety to data handling.

But compliance certifications focus on documented processes. Ransomware groups focus on network access. One targets auditors. The other targets gaps.

5. What did they not know about their own data?

The finance department had 1.5 terabytes of sensitive data accessible from systems that ransomware operators could reach. That's SAP databases, employee records, banking credentials, and years of contracts—all concentrated in one department's systems, all exfiltrated in one operation.

The attackers didn't need to hit every system. They found where the valuable data lived and extracted it wholesale.

If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?

6. What does attribution look like the morning after?

Belimed now has to determine exactly what was in those 1.5 terabytes. Which employees' data? Which client contracts? Which banking credentials? Under Swiss and EU data protection law, they have notification obligations that require knowing whose data was affected.

The one-month countdown isn't just about ransom. It's about whether Belimed can complete their analysis and notifications before the data becomes public—and the damage multiplies.

7. What would have changed the outcome?

Knowing that 1.5TB of sensitive data was concentrated in systems accessible from the network perimeter.

A data inventory would have revealed the concentration of risk in the finance department—SAP credentials, banking information, employee PII, client contracts. That visibility enables segmentation decisions before attackers force them. Instead, the first complete inventory of what the finance department held is now being compiled by ransomware operators.

Belimed AG found out the hard way.

Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.