ctipilot.ch
← Back to the live brief
NOTABLENATOB2incident

TheGentlemen ransomware hits Portugal's Metro Mondego (Coimbra light-rail); operator confirms attack, notifies CNCS and CNPD

discovered 2026-07-18 04:35 UTCrun 2026-07-18T0409Z-intel2 sourcesmulti-source

Metro Mondego — the public operator of the Metrobus light-rail line between Lousã and Coimbra, Portugal — announced on 2026-07-17 that it was hit by a ransomware attack on 6 July that affected "part of its internal systems" without compromising the transport service ("um ataque informático a 6 de Julho que afectou 'parte dos seus sistemas internos', mas sem comprometer a operação do serviço de transporte") (Campeão das Províncias, 2026-07-17). The operator confirms it activated incident-response procedures with external cybersecurity experts and notified the competent authorities — Portugal's National Cybersecurity Centre (CNCS), the National Data Protection Commission (CNPD) and criminal-investigation authorities — and that its investigation is examining whether the attackers copied data from the affected internal systems; it cannot yet determine whether any personal data of passengers, employees or suppliers is involved, but states passenger payment data was not affected (Campeão das Províncias, 2026-07-17). The attack was claimed by the ransomware-and-extortion group TheGentlemen (Microsoft: Storm-2697; registry-tracked), which posted that it extracted confidential documentation and threatened to publish absent payment (TugaTech, 2026-07-16).

A Metro Mondego anunciou esta sexta-feira que foi alvo de um ataque informático a 6 de Julho que afectou “parte dos seus sistemas internos”, mas sem comprometer a operação do serviço de transporte.

Campeão das Províncias

A ação foi reivindicada pelo grupo de cibercriminosos Thegentlemen, que afirma ter conseguido extrair documentação confidencial

TugaTech 2026-07-16

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Exfiltration TA0010
T1567Exfiltration Over Web Service

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

overlap matrix · ATT&CK page ↗

Impact TA0040
T1486Data Encrypted for Impact

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.