System alert on screen showing ransomware attack

Ransomware Attack on Vivaticket Disrupts Online Bookings at European Museums and Monuments

A ransomware attack hit the online ticketing platform Vivaticket, disrupting booking services across European museums and monuments.

Vivaticket processes over 850 million tickets annually for more than 3,500 museums and monuments across 50 countries.

The March 2, 2026, attack stemmed from a security breach at Vivaticket’s subsidiary, Irec SAS, and was claimed by a Russian-speaking ransomware group.

Ransomware attack disrupts museum online bookings

The Vivaticket ransomware attack forced many museums and monuments to shut down their online booking systems and seek alternative solutions to restore normal operations.

Several museums and monuments, including Musée du Louvre, the Musée d’Orsay, the Musée du Quai Branly, Notre-Dame de Paris, the Arc de Triomphe, Musée Guimet in Paris, Parc Astérix in Oise, the Louvre-Lens in Pas-de-Calais, and the Eiffel Tower, have reported disruptions due to the ransomware attack.

Subsequently, many museums shut down their online booking systems, suffering significant financial losses within days. However, some are searching for alternative solutions, including working with third-party tourism platforms.

Meanwhile, French law enforcement authorities and the National Cyber Security Directorate (ANSSI) are investigating the ransomware attack to determine its scope and impact.

RansomHouse takes credit for the Vivaticket ransomware attack

The Russian cybercrime group RansomHouse has claimed responsibility for the Vivaticket ransomware attack and threatened to publish the stolen information on its data leak site.

“We strongly recommend that you contact us to prevent your confidential data and project documents from being disclosed,” the group warned.

It claims to have stolen personal data, including the victims’ full names, email addresses, purchase history, reservation details, country of residence, postal codes, and account metadata, including login time.

However, the attack did not expose financial details, such as credit card or bank account information. It also seems that the ransomware attack did not expose sensitive account information, such as users’ passwords. Meanwhile, efforts to notify impacted individuals are ongoing.

Although the stolen information is not particularly sensitive, it could expose victims to various online threats, including targeted phishing (spear phishing). Subsequently, they should watch out for unsolicited emails and avoid clicking on suspicious links or downloading questionable attachments.

So far, Vivaticket has not indicated whether it would negotiate with the attackers to prevent them from leaking the stolen information online. The amount of ransom the attackers demanded also remains undisclosed. RansomHouse typically demands between $250,000 – $2,000,000, with high-profile victims receiving ransom demands of up to $5 million.

While the FBI discourages ransom payment, it advises victim organizations to carefully assess the impacts of continued disruption and the risk of personal data exposure and prioritize their stakeholders’ interests. Nevertheless, ransom payment does not usually guarantee data recovery and could encourage the same cybercriminals or others to retarget the organization.

Active since December 2021, RansomHouse is a ransomware-as-a-service operation that targets critical infrastructure, including healthcare, finance, transportation, and government services.

Since its launch, the ransomware group has victimized over 100 organizations, making it one of the most prolific cybercrime gangs. Unlike other double-extortion ransomware gangs, RansomHouse typically skips the encryption step and focuses on threatening to leak the stolen information online to extort victim organizations.