TP-2026-0018 high AI Draft C

Vivaticket Ransomware Attack Disrupts European Cultural Institutions

Date: March 2, 2026
Attack Type: Ransomware
Sector: Retail & Consumer
Geography: Europe
Threat Actor: RansomHouse
Attribution: A4
Confidence: C

Executive Summary

On March 2, 2026, the RansomHouse ransomware group targeted Vivaticket, a central ticketing platform, causing online ticketing system failures for approximately 3,500 European museums and cultural landmarks. Affected venues included the Musée du Louvre, the Musée d'Orsay, and the Eiffel Tower. The intrusion began at Vivaticket's French subsidiary Irec SAS; the attackers exfiltrated visitor data before deploying ransomware encryption across the networks, forcing venues to fall back on manual, paper-based ticketing queues for nearly a month.

Technical Analysis

RansomHouse moved laterally through the supply chain, starting from a perimeter system hosted by a subsidiary (Irec SAS). After initial access, attributed to legacy web APIs or unpatched remote gateways, the attackers escalated privileges toward the parent network's Active Directory core. During their dwell time, internal monitoring tools were disabled to permit high-volume data exfiltration to actor-controlled C2 servers, ending in a coordinated deployment of RansomHouse's encryption tooling (VivaCrypt block-encryption routines).

Attack Chain

Stage 1: Perimeter Breach

Attackers gained access to the Irec SAS infrastructure by exploiting misconfigurations or legacy perimeter pathways.

Stage 2: Privilege Escalation

Active Directory configurations were enumerated, and administrative tokens were harvested from LSASS memory dumps.

Stage 3: Data Exfiltration

Customer logs containing partial payment indicators, addresses, and ticket histories for approximately 10-15 million European cultural site visitors were exfiltrated over HTTPS streams.

Stage 4: Extortion Activation

Mass encryption of the primary ticket databases concluded the intrusion; ransom notes then demanded a €5.2 million payout.

Impact Assessment

The incident caused queues and operational paralysis across Paris and other European tourist hubs. Approximately 850 million digital tickets pass through this central platform each year; the subsequent 23-day disruption impaired revenue handling capacity. European privacy regulators widened the scope of the data breach inquiry as millions of visitors' geographic routing and partial payment data faced exposure, raising questions for local GDPR structures and for international auditing requirements covering third-party vendor risk.

Attribution

RansomHouse claimed responsibility for the event on its dark web leak site. To substantiate the claim, the group uploaded samples of the exfiltrated visitor registry and corporate transaction logs. Attribution confidence rests at A4, based on the self-published artifacts and on the group's proprietary VivaCrypt tooling formats, as correlated by independent cybersecurity investigators. French cyber authorities (ANSSI) coordinated with operational vendors to verify the malicious traces.

Timeline

2026-03-02 — Breach Occurs

Ransomware is deployed across Vivaticket's internal networks, causing ticketing portals to fail.

2026-03-05 — Public Disclosure

Vivaticket publicly discloses the scope of the incident affecting its partner ecosystem.

2026-03-10 — RansomHouse Claim

RansomHouse explicitly claims the breach, posting sample datasets as proof.

2026-03-15 — ANSSI Investigation

The French cybersecurity agency ANSSI takes over the incident investigation and facilitates recovery.

2026-03-26 — Recovery

After the environments are cleaned, ticketing capabilities partially return for marquee partner venues.

Remediation & Mitigation

Following the disruption, all parent and subsidiary operational environments were rebuilt from screened backup archives. Legacy credential relationships between the parent vendor and external venues were severed and reset. Culturally critical sites are urged to spread their ticketing dependencies across parallel vendor architectures. Vendor contracts must mandate data minimization frameworks and verified incident-response SLAs, ensuring offline manual contingency systems capable of a 30-day operating window.

Sources & References