European Airport Disruptions Caused by Ransomware: EU Cyber Office
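Ransomware attacks disrupted operations at multiple European airports and affected flights. The specific attacker is not yet known, but groups such as Locky Locker or Scattered Spider may be involved. The incident highlights supply-chain security risks. 2025-9-22 21:15:35 Author: securityboulevard.com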

The widespread disruptions at airports across Europe that started over the weekend and spilled into Monday were the result of a ransomware attack, according to the European Union’s cybersecurity agency.

The agency, ENISA, told Reuters that “the type of ransomware has been identified, and law enforcement is investigating.” It didn’t go into details about the ransomware itself or the possible bad actors behind it.

The attackers targeted a software system from Collins Aerospace called MUSE that some airports use for an array of traveler activities, from checking in to boarding to printing bag tags. The incident disrupted operations in several airports, including Berlin’s Brandenburg, London’s Heathrow, and Brussels Airport in Belgium.

The airports had to use backup systems, which caused flight cancellations and delays. The airports in Germany and England reported an easing of issues, though there were still some cancellations and delays. The BBC reported that some airlines in Berlin were still using manual boarding processes while Brussels Airport officials said they were still working on problems and were unsure when everything would be corrected.

Meanwhile, Collins Aerospace, which is owned by RTX (formerly Raytheon Technologies), said it is working with the airports and that it was completing updates to its software.

No Attribution Yet

The attack has not been attributed to a particular ransomware group, but an unconfirmed report in the Belgian media suggested Locky Locker, according to Edward Lewis, co-founder and CEO of cyber consultancy CyXcel and director of the Cyber Monitoring Centre in London. The ransomware, which is spread through phishing emails and malicious attachments, emerged in 2016 but has been relatively quiet over the past several years.

Santiago Pontiroli, lead security researcher at Acronis, said the “tactics align with a broader pattern we have seen from groups like Scattered Spider, where the goal is maximum disruption by compromising a central service provider instead of targeting each organization separately.”

Scattered Spider is a group of mostly young English-speaking people that has used ransomware to attack a number of industries over the past several years. Earlier this year, the group – which had already focused on the retail and insurance sectors – turned its attention to the aviation and transportation industry.

Scattered Spider and Aviation

The FBI in late June warned in a post on X about the group expanding its targeting to include the aviation industry. Charles Carmakal, CTO and board advisor at Google-owned Mandiant, said in a LinkedIn post at the time that Mandiant was “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.”

Hawaiian Airlines and WestJet in Canada reported cyberattacks over the summer that were believed to have been launched by Scattered Spider.

The incidents came months after the Foundation for Defense of Democracies issued a report in April questioning whether the aging technologies used in the U.S. aviation industry and the increasingly connected nature of the business made it increasingly susceptible to cyberattacks.

Critical Infrastructure at Risk

The attack on the airports through Collins’ software and the resulting disruption of services is the latest example of threat actors targeting critical infrastructure through the supply chain, according to CyXcel’s Lewis.

“This disruption shows how fragile critical infrastructure can be when third-party suppliers are hit,” he said. “Airports invest heavily in their own defenses, but if shared technology is compromised, the impact ripples across multiple sites. Manual workarounds buy time, but they’re slow, prone to mistakes, and frustrate passengers.”

It also illustrates how broad the impact of one supplier’s weakness can be, Lewis said, adding that “it’s a stark reminder that efficiency has raced ahead of security, and it is passengers who pay the price. Too often, efficiency and cost savings drive technology choices while security is treated as secondary. Incidents like this prove that equation is no longer sustainable.”

Bugcrowd CEO David Gerry said the attack “highlights a growing concern that critical infrastructure is a soft target for cyber criminals. Whether nation-state actors looking to influence national interests or a criminal organization looking to cause mass panic and chaos, disruptions to services leveraged by millions represent a growing threat.”

In such an “ultra-connected world,” the private sector as well as local and federal authorities “need to prioritize the reliability and safety of the grid,” Gerry said.

More Than Disruption

Acronis’ Pontiroli said that concerns about the ransomware attack over the weekend go beyond the disruption it caused.

“The unanswered question is whether data was stolen,” he said. “Modern ransomware groups often use double or even triple extortion, combining system outages with data leaks and threats of public exposure. If passenger records, operational data, or airline business systems were exfiltrated, the fallout could extend well beyond delays into fraud, identity theft, and regulatory penalties.”

The attack was more than a ransomware case, Pontiroli said.

“It was a supply-chain breakdown with continent-wide consequences. A single vendor breach disrupted airport operations across Europe, exposing how fragile critical infrastructure can be when reliant on shared providers.”

Article source: https://securityboulevard.com/2025/09/european-airport-disruptions-caused-by-ransomware-eu-cyber-office/