BridgePay Network Solutions Ransomware Attack: Nationwide Payment Gateway Outage and Impact Analysis

Executive Summary
On February 6, 2026, BridgePay Network Solutions, a major U.S. payment gateway and solutions provider, experienced a critical outage across its payment processing infrastructure. The disruption was rapidly confirmed to be the result of a ransomware attack, leading to a nationwide service interruption that affected merchants, municipalities, and integrators reliant on BridgePay’s platform. Key services, including the BridgePay Gateway API (BridgeComm), PayGuardian Cloud API, MyBridgePay virtual terminal, hosted payment pages, and PathwayLink gateway, were rendered unavailable. Merchants and organizations across the United States were forced to revert to cash-only transactions, significantly impacting commerce and municipal operations.
BridgePay engaged federal law enforcement, including the FBI and U.S. Secret Service, as well as external forensic and recovery teams. Initial forensic analysis indicates that no payment card data was compromised and that any files the attackers accessed were already encrypted, leaving no evidence of usable data exposure. As of February 7, 2026, restoration efforts are ongoing, and there is no estimated time for full recovery. The specific ransomware family, initial access vector, and threat actor remain unidentified. This incident underscores the exposure of payment infrastructure to ransomware and the cascading effects such attacks have on the sectors that depend on it.
Technical Information
The ransomware attack on BridgePay Network Solutions first manifested as degraded performance on core APIs and virtual terminals, escalating to a full outage across the company’s payment gateway and related services. The disruption was first detected at approximately 03:29 EST on February 6, 2026, when monitoring systems identified intermittent service disruptions affecting the Gateway.Itstgate.com virtual terminal, reporting, and API systems. By 05:48 EST, the outage had expanded, and by 06:34 EST, BridgePay confirmed the incident was cybersecurity-related. Later that day, the company publicly identified ransomware as the cause.
The attack resulted in the encryption of files across BridgePay’s systems, leading to the shutdown of core payment gateway services, APIs, and virtual terminals. The affected services included the BridgePay Gateway API (BridgeComm), PayGuardian Cloud API, MyBridgePay virtual terminal and reporting, hosted payment pages, and PathwayLink gateway and boarding portals. The breadth of the disruption caused widespread operational impacts for merchants, municipalities, and integrators, many of whom were forced to accept only cash payments.
BridgePay’s official status page and public statements confirm that the company engaged both the FBI and U.S. Secret Service, as well as specialized forensic and recovery teams, to assist with investigation, containment, and system restoration. Initial forensic findings indicate that no payment card data was compromised and that any files the attackers accessed were already encrypted; there is currently no evidence of data exfiltration or usable data exposure. The company has emphasized that the matter is being treated with the highest priority and that every available resource is being dedicated to resolving the situation safely and responsibly.
No technical indicators such as malware hashes, command-and-control infrastructure, or ransom note text have been published by BridgePay or law enforcement. The specific initial access vector—whether phishing, remote desktop protocol (RDP) compromise, or exploitation of a software vulnerability—has not been disclosed. Similarly, no attribution to a specific ransomware group or threat actor has been made, and no public claims of responsibility have been identified as of February 7, 2026.
The attack is consistent with a broader pattern of ransomware targeting payment infrastructure and critical financial services. Ransomware attacks on payment processors have increased in frequency, with similar incidents affecting other payment gateways and financial service providers in recent years. Common initial access vectors in such attacks include phishing, RDP compromise, and exploitation of unpatched vulnerabilities, but there is no evidence to confirm any of these in the BridgePay case.
Mapping the incident to the MITRE ATT&CK framework, the following techniques are relevant based on available evidence:
Data Encrypted for Impact (T1486): Ransomware encrypted files across BridgePay’s systems, causing widespread service disruption.
Service Stop (T1489): The attack resulted in the shutdown of core payment gateway services, APIs, and virtual terminals.
Inhibit System Recovery (T1490): Ransomware operators commonly delete backups or volume shadow copies to inhibit recovery, but no evidence of this has been disclosed in the BridgePay case.
Initial Access: The specific technique remains unknown due to lack of disclosure.
No evidence of command-and-control activity, lateral movement, or data exfiltration has been disclosed. The absence of technical artifacts and public claims limits the ability to attribute the attack to a specific group or malware family.
Affected Versions & Timeline
The incident affected all production systems and services provided by BridgePay Network Solutions as of February 6, 2026. The impacted services included the BridgePay Gateway API (BridgeComm), PayGuardian Cloud API, MyBridgePay virtual terminal and reporting, hosted payment pages, and PathwayLink gateway and boarding portals. The outage was nationwide, impacting merchants, municipalities, and integrators across the United States.
The timeline of the incident is as follows:
03:29 EST, February 6, 2026: BridgePay’s network monitoring detected intermittent service disruptions affecting the Gateway.Itstgate.com virtual terminal, reporting, and API systems.
05:48 EST: The outage expanded.
06:34 EST: BridgePay confirmed the incident was cybersecurity-related.
12:00 EST: The company reported that all systems were temporarily unavailable and that federal law enforcement and external forensic teams had been engaged.
19:08 EST: BridgePay confirmed that the incident was the result of a ransomware attack.
16:14 EST, February 7, 2026: Restoration efforts were ongoing, with no estimated time for full recovery.
Throughout the incident, BridgePay provided regular updates via its official status page, emphasizing transparency and ongoing forensic analysis. The company reiterated that no payment card data had been compromised and that any files the attackers accessed were already encrypted.
Threat Activity
The ransomware attack on BridgePay Network Solutions resulted in the encryption of files and the shutdown of core payment gateway services, APIs, and virtual terminals. The attack caused a nationwide outage of payment processing for merchants, municipalities, and integrators, forcing many to revert to cash-only transactions and disrupting commerce. Impacted sectors included retail, municipal government, and utilities, all reliant on BridgePay’s payment gateway services.
No evidence of data exfiltration or payment card data compromise has been found as of the latest forensic analysis. The attack fits a broader pattern of ransomware targeting payment infrastructure and critical financial services, but no direct links to known groups have been established for this incident. The specific ransomware family, initial access vector, and threat actor remain unidentified.
The attack is mapped to the following MITRE ATT&CK techniques based on available evidence: Data Encrypted for Impact (T1486) and Service Stop (T1489). There is no evidence of command-and-control activity, lateral movement, or data exfiltration. The absence of technical artifacts and public claims limits the ability to attribute the attack to a specific group or malware family.
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: Organizations using BridgePay services should immediately review their payment processing contingency plans and ensure the ability to revert to alternate payment methods, such as cash or manual processing, in the event of a service outage. It is essential to maintain clear communication with customers and stakeholders regarding service disruptions and available payment options.
High: All organizations should review and update their incident response and business continuity plans to address ransomware scenarios affecting third-party payment processors. This includes ensuring that backup and recovery procedures are robust, regularly tested, and isolated from production systems to prevent ransomware propagation.
Medium: Organizations should monitor official BridgePay communications and status updates for the latest information on service restoration and forensic findings. It is important to stay informed about any new developments or advisories issued by BridgePay or law enforcement.
Low: Organizations should review their third-party risk management practices to ensure that critical service providers, such as payment processors, are regularly assessed for cybersecurity posture and incident response capabilities.
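The Critical and High items above amount to a design requirement on the integrator side: a call to a third-party gateway must be able to degrade to an alternate tender rather than stall every sale at the register while the gateway is down. The following Python sketch is an added example, not BridgePay’s, Rescana’s or any integrator’s code. It wraps the gateway call in a circuit breaker and routes failures to an offline fallback with a floor limit, so that small sales are queued for later capture and larger ones are steered to cash. The gateway client, the $50 floor limit, the 3-failure threshold and the 90-second outage window are all constructed for the demonstration; a real integration would wrap its actual gateway client and persist the offline queue durably.

```python
"""Circuit breaker plus offline fallback around a third-party payment gateway.

Added example (not BridgePay's or Rescana's code). The gateway client below is
a constructed stand-in; the floor limit and outage window are assumptions.
"""
import time
from typing import Any, Callable, Dict, List

Request = Dict[str, Any]
Response = Dict[str, Any]

class GatewayUnavailable(Exception):
    """Transport-level failure: connect/read timeout, connection refused, HTTP 5xx."""

# Assumed offline floor limit: sales at or below this are stored for later
# capture; anything larger is steered to cash or an alternate tender.
OFFLINE_FLOOR_LIMIT_CENTS = 5000

def offline_fallback(req: Request) -> Response:
    """Degraded path used whenever the gateway cannot be reached."""
    if req["amount_cents"] <= OFFLINE_FLOOR_LIMIT_CENTS:
        return {"status": "queued_offline", "order": req["order"]}
    return {"status": "declined_offline", "order": req["order"],
            "action": "accept cash or alternate tender"}

class GatewayBreaker:
    """closed -> open after N consecutive failures; open -> half-open once the
    recovery timeout has elapsed; one probe request then decides between
    closed and open again. While open, no network call is made, so a dead
    gateway does not hold every sale for a full connect timeout."""

    def __init__(self, call: Callable[[Request], Response],
                 fallback: Callable[[Request], Response] = offline_fallback,
                 failure_threshold: int = 3, recovery_timeout: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.call, self.fallback, self.clock = call, fallback, clock
        self.failure_threshold, self.recovery_timeout = failure_threshold, recovery_timeout
        self.state, self.failures, self.opened_at = "closed", 0, 0.0
        self.transitions: List[str] = []   # state changes, for the incident log

    def _trip(self, now: float) -> None:
        self.state, self.opened_at = "open", now
        self.transitions.append("open")

    def charge(self, req: Request) -> Response:
        now = self.clock()
        if self.state == "open":
            if now - self.opened_at < self.recovery_timeout:
                return self.fallback(req)          # fail fast, skip the network
            self.state = "half-open"               # let exactly one probe through
            self.transitions.append("half-open")
        try:
            resp = self.call(req)
        except GatewayUnavailable:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self._trip(now)
            return self.fallback(req)
        if self.state != "closed":
            self.transitions.append("closed")
        self.state, self.failures = "closed", 0
        return resp

class FakeGateway:
    """Constructed stand-in for the real gateway client: healthy, unreachable
    during [down_from, down_until), then healthy again. Not a real API."""
    def __init__(self, clock: Callable[[], float], down_from: float, down_until: float) -> None:
        self.clock, self.down_from, self.down_until, self.calls = clock, down_from, down_until, 0

    def __call__(self, req: Request) -> Response:
        self.calls += 1
        if self.down_from <= self.clock() < self.down_until:
            raise GatewayUnavailable("connect timeout")
        return {"status": "approved", "order": req["order"], "auth": f"A{self.calls:04d}"}

def simulate() -> tuple:
    """Run 24 sales, one every 5 s over two minutes, against a gateway that is
    unreachable from t=10 s to t=100 s. Returns (responses, breaker, gateway)."""
    t = {"now": 0.0}
    clock = lambda: t["now"]          # controllable clock so the run is deterministic
    gateway = FakeGateway(clock, down_from=10.0, down_until=100.0)
    breaker = GatewayBreaker(gateway, clock=clock, failure_threshold=3, recovery_timeout=30.0)
    responses = []
    for i in range(24):
        t["now"] = i * 5.0
        amount = 2500 if i % 2 == 0 else 12000   # alternate a $25 and a $120 sale
        responses.append(breaker.charge({"order": i, "amount_cents": amount}))
    return responses, breaker, gateway

if __name__ == "__main__":
    responses, breaker, gateway = simulate()
    for r in responses:
        print(r["order"], r["status"])
    print("gateway calls:", gateway.calls, "transitions:", breaker.transitions)
```

In the simulated run, 18 of the 24 sales fall inside the outage window but the gateway is contacted only 5 times during it (three failures to trip the breaker, then one probe per recovery interval), so the register is never blocked waiting on timeouts. Two caveats for anyone adopting the pattern: queued offline sales carry authorization and chargeback risk once the gateway returns, which is why the floor limit exists, and whatever is queued holds cardholder data, so the queue must live in tokenized or PCI-compliant storage, not a plain local file.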
At this time, there is no evidence of a threat or vulnerability for BridgePay integrators or customers beyond the service outage itself. No specific technical indicators or malware signatures have been published that would enable proactive detection or blocking of the ransomware used in this incident.
References
https://www.bleepingcomputer.com/news/security/payments-platform-bridgepay-confirms-ransomware-attack-behind-outage/
https://status.bridgepaynetwork.com/
https://www.hendryadrian.com/payments-platform-bridgepay-confirms-ransomware-attack-behind-outage/
https://cybersecuritynews.com/bridgepay-ransomware-attack/
https://www.ctrlaltnod.com/news/bridgepay-ransomware-attack-forces-merchants-nationwide-to-cash-only/
https://attack.mitre.org/techniques/T1486/
https://attack.mitre.org/techniques/T1489/
https://attack.mitre.org/techniques/T1490/
https://blog.scilabs.mx/en/2024/08/08/main-initial-access-vectors-in-ransomware-attacks/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor the cybersecurity posture of their critical vendors and service providers. Our platform enables continuous risk assessment, supports incident response planning, and facilitates communication with vendors during security incidents. For questions regarding this incident or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.