Escalation of Ransomware and Extortion Attacks Targeting European Organizations
European organizations are facing a surge in ransomware and data extortion attacks, with financially motivated eCrime groups and nation-state actors intensifying their operations across the region. According to CrowdStrike, nearly 22% of global victims named on dedicated leak sites are based in Europe, with the United Kingdom, Germany, Italy, France, and Spain being the most targeted countries. Key sectors under attack include manufacturing, professional services, technology, industrials, engineering, and retail. The rise in big game hunting (BGH) activity is attributed to the high value of European companies, political motives, and adversaries' adaptation to legal pressures such as the EU’s General Data Protection Regulation (GDPR).
Recent high-profile incidents underscore the universal nature of cyber risk, affecting organizations of all sizes and sectors. Notable breaches include attacks on Marks & Spencer, Jaguar Land Rover, the British Library, Royal Mail, British Airways, easyJet, and several major European airports, the latter resulting from a compromise of a third-party service provider. These events highlight the interconnectedness of modern operations and the cascading impact of supply chain vulnerabilities. The evolving threat landscape demonstrates that no business is immune, and organizations must prioritize proactive cybersecurity measures to mitigate the growing risk of ransomware and extortion campaigns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CrowdStrike publishes 2025 European Threat Landscape Report highlights
CrowdStrike published key findings from its 2025 European Threat Landscape Report, stating that extortion and big game hunting ransomware activity had risen across Europe. The report summarized increased pressure from both eCrime groups and nation-state actors.
Cybercriminals increase use of new social engineering techniques in Europe
During 2024 and into 2025, cybercriminals targeting Europe increasingly used online marketplaces and social engineering methods such as voice phishing and fake CAPTCHA pages. These tactics were highlighted as part of the evolving threat landscape affecting European organizations.
State-sponsored actors expand cyber operations across Europe
During 2024 and into 2025, state-sponsored actors linked to Russia, China, North Korea, and Iran expanded operations in Europe. Their activity included espionage, destructive attacks, and financially motivated campaigns tied to broader geopolitical conflicts.
Data leak sites name about 2,100 Europe-based victims since January 2024
CrowdStrike reported that since January 2024, approximately 2,100 Europe-based victims have been listed across more than 100 data leak sites. The UK, Germany, Italy, France, and Spain were identified as the most targeted countries, with manufacturing, technology, and retail among the most affected sectors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-Driven Ransomware and Extortion Surge in Europe
European organizations are experiencing a significant increase in ransomware and extortion attacks, with threat actors leveraging artificial intelligence to accelerate and enhance their operations. According to CrowdStrike’s 2025 European Threat Landscape Report, Europe now accounts for nearly 22% of global ransomware and extortion victims, making it the second most targeted region after North America. AI is enabling adversaries to breach networks and deploy ransomware more quickly, with groups like SCATTERED SPIDER reducing their attack cycle to approximately 24 hours. The most targeted countries include the United Kingdom, Germany, France, Italy, and Spain, and affected sectors span manufacturing, professional services, technology, and retail. Attackers are also employing advanced social engineering tactics, such as fake CAPTCHA lures, to compromise victims. The report also highlights a rise in hacktivism and nation-state cyber operations, particularly from Russian and North Korean actors, amid ongoing geopolitical tensions. Russian threat actors have shifted focus toward Ukraine and related regions since the 2022 invasion, while North Korea is reportedly supporting Russian operations and targeting Ukraine. The European threat landscape is described as increasingly complex, with eCrime, espionage, and disruptive attacks posing significant risks to both public and private sector organizations. Security teams are urged to adapt to the evolving threat environment, where AI-driven automation and deception are reshaping the speed and scale of cyberattacks.
Mar 21, 2026
Global Surge in Ransomware Attacks and Their Impact on Organizations
Ransomware attacks have reached unprecedented levels globally, with the third quarter of 2025 witnessing a 36% year-over-year increase in publicly disclosed incidents, according to BlackFog’s latest report. The total number of ransomware attacks reported in this period climbed to 270, marking a 335% rise since Q3 2020. These attacks have caused significant operational disruptions across various sectors, including airlines, automotive manufacturers, governments, and organizations in 93 countries. Notable incidents include grounded aircraft, stranded passengers, and manufacturers such as Jaguar Land Rover being forced to halt production, with some operations only recently resuming after prolonged outages. The impact of ransomware extends beyond large enterprises, severely affecting small businesses that often lack the resources and security infrastructure to defend against such threats. Many small business owners have reported devastating financial consequences, with some losing nearly all their savings and seeing their businesses shrink dramatically. The attack on the UK nursery chain Kido in September 2025 highlighted the evolving tactics of ransomware groups, as sensitive data on children, parents, and carers was exfiltrated, raising concerns about the targeting of vulnerable sectors. Ransomware operators are increasingly indiscriminate, targeting organizations of all sizes and types, and seeking leverage through data theft and extortion. The psychological and financial toll on victims is profound, with individuals and organizations facing long-term recovery challenges. Research indicates that small businesses are particularly vulnerable, often lacking dedicated IT security staff, legal support, or sufficient cash reserves to weather the aftermath of an attack. The stress and adversity experienced by victims underscore the need for robust data protection and incident response strategies. Experts emphasize that the best defense is to make it as difficult as possible for cybercriminals to succeed, focusing on data protection to reduce the incentive for extortion. The continued upward trend in ransomware volumes signals an urgent need for organizations to reassess their security postures and invest in preventive measures. The widespread and lasting impact of these attacks demonstrates that ransomware remains one of the most significant threats to global business continuity and data security. Organizations are urged to prioritize anti-data exfiltration technologies and comprehensive incident response planning. The evolving threat landscape requires constant vigilance and adaptation to new attacker tactics. The experiences of both large enterprises and small businesses illustrate the far-reaching consequences of ransomware, from operational shutdowns to personal financial ruin. As attackers become more aggressive and sophisticated, the imperative for proactive defense and resilience has never been greater.
Mar 21, 2026
Nation-State and Hacktivist Cyber Threats Targeting Europe
European organizations are facing a surge in cyberattacks driven by nation-state actors, financially motivated cybercriminals, and hacktivist groups. According to assessments from cybersecurity experts, many of these attacks are linked to ongoing geopolitical tensions, particularly Russia's invasion of Ukraine, and increasingly involve coordinated operations with North Korea. The tactics used include distributed denial-of-service (DDoS) disruptions, website defacements, and data leak campaigns, often with the primary goal of propaganda or strategic intelligence collection. Other persistent threat actors include groups from Iran, China, Turkey, Kazakhstan, and India, who target European entities for motives ranging from intellectual property theft to financial gain. The spillover from conflicts in the Middle East has also led to increased cyber activity against European organizations, especially those tied to Israel or Western military operations. Key sectors under threat include financial services, transportation, and non-governmental organizations. Experts warn that adversaries are seeking new ways to compromise identity and cloud infrastructure, reflecting a broader trend of evolving cyber operations shaped by global political developments.
Mar 21, 2026