Hi Swinogers
It's not an actual case we are involved in, nor did it happen in Switzerland, but I'm in contact with a registrar and hoster that probably is in this situation.
A customer registered a domain and booked a web and email service. The bookings were made in the name of an apparently newly created company. Everything looked legit; the domain owner wanted his privacy protected by a whois proxy provider.
That company sent emails to various recipients, that led those recipients to their website to download some documents.
Those documents were infected with the locky ransomware. It's clear that this is not a hacked site, but a site built purposefully to distribute that malware and make it look legitimate.
The hoster reacted quickly to complaints, took the site offline and removed the DNS entries to prevent further damage.
But what can the hoster/registrar do next? Can he contact his government's CERT team or the authorities and hand over the customer data, IP addresses used to upload the site, etc. to try to get hold of the gang behind that fraud as quickly as possible? Or would that break the privacy laws, so that they have to wait for a subpoena, which could take several weeks and give the gang enough time to clear all traces?
-Benoît Panizzon-