Cyber Incident Victim: Moscow Ropeway
Date: Nov 2018
Location: Russia
Summary
A ransomware attack disrupted operations of Moscow's newly opened cable car system shortly after its launch, forcing an immediate shutdown and passenger evacuation due to infected servers. The malware compromised systems operated by MKD, prompting technical investigations and removal efforts that restored normal service within days. Russian law enforcement identified the perpetrator and initiated criminal proceedings under charges related to malicious software creation and distribution. The incident caused significant service interruption but did not compromise safety systems, with authorities confirming full operational recovery following malware eradication and diagnostic checks.
Description
On November 28, 2018, approximately two days after its public inauguration, Moscow’s newly operational cable car system experienced a ransomware attack that disrupted operations. The incident occurred at around 14:00 local time, targeting servers operated by Moscow Ropeway (MKD), the entity responsible for managing the 700-meter infrastructure spanning the Moscow River between the Luzhniki Olympic Complex and Sparrow Hills. Attackers encrypted systems and demanded payment in Bitcoin, forcing MKD to halt service just two hours after opening that day. Passengers were instructed to disembark, with authorities citing "technical reasons" for the closure, as documented in video footage from the Rossiiskaya Gazeta. The disruption marked an immediate operational failure for the high-profile transportation project, which had been launched amid significant public attention. Local media, including The Moscow Times, confirmed the incident as a cyberattack that compelled the full shutdown of the cable car. No injuries or physical damage were reported, but the event caused visible public inconvenience, with queues forming at stations during the outage. The attack occurred during the system’s early operational phase, highlighting vulnerabilities in its digital infrastructure.

MKD technicians successfully removed the ransomware from affected systems by November 29, 2018, following a day of diagnostic checks to verify the safety of all operational components. Service fully resumed on November 30, with MKD announcing normal operations thereafter. Concurrently, Russian law enforcement agencies initiated a criminal investigation under Part 1 of Article 273 of the Russian Criminal Code, pertaining to the creation and distribution of malicious software. The Nikulinsky inter-district prosecutor’s office validated the legality of the investigation, as stated by prosecutor Lyudmila Nefedova. Authorities identified the individual responsible for the attack, though no further details regarding the suspect’s identity or motive were disclosed publicly. The incident drew parallels to a 2016 ransomware attack on San Francisco’s Municipal Railway but remained distinct in its localized impact and swift resolution. No data breaches or secondary disruptions were reported post-recovery, and the cable car continued routine operations without additional publicized cybersecurity incidents following the restoration.
