AI-Driven Ransomware and Extortion Surge in Europe
European organizations are experiencing a significant increase in ransomware and extortion attacks, with threat actors leveraging artificial intelligence to accelerate and enhance their operations. According to CrowdStrike’s 2025 European Threat Landscape Report, Europe now accounts for nearly 22% of global ransomware and extortion victims, making it the second most targeted region after North America. AI is enabling adversaries to breach networks and deploy ransomware more quickly, with groups like SCATTERED SPIDER reducing their attack cycle to approximately 24 hours. The most targeted countries include the United Kingdom, Germany, France, Italy, and Spain, and affected sectors span manufacturing, professional services, technology, and retail. Attackers are also employing advanced social engineering tactics, such as fake CAPTCHA lures, to compromise victims.
The report also highlights a rise in hacktivism and nation-state cyber operations, particularly from Russian and North Korean actors, amid ongoing geopolitical tensions. Russian threat actors have shifted focus toward Ukraine and related regions since the 2022 invasion, while North Korea is reportedly supporting Russian operations and targeting Ukraine. The European threat landscape is described as increasingly complex, with eCrime, espionage, and disruptive attacks posing significant risks to both public and private sector organizations. Security teams are urged to adapt to the evolving threat environment, where AI-driven automation and deception are reshaping the speed and scale of cyberattacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CrowdStrike details intensified nation-state cyber activity in Europe
The report identified heightened operations by Russia-, China-, Iran-, and North Korea-linked actors in Europe, including groups tied to the Ukraine conflict and named clusters such as Pulsar Kitten, Haywire Kitten, Vertigo Panda, Vixen Panda, and Velvet Chollima.
Report warns AI is accelerating ransomware operations in Europe
CrowdStrike said AI is helping cybercriminals speed up intrusions, ransomware deployment, and social engineering, citing tactics such as fake CAPTCHA lures and activity associated with groups like SCATTERED SPIDER.
CrowdStrike publishes its 2025 European Threat Landscape Report
CrowdStrike released its 2025 European Threat Landscape Report, describing a rise in extortion and ransomware across Europe, increased nation-state activity, and elevated risk in countries such as the U.K., Germany, Italy, France, and Spain.
Europe records more than 2,100 ransomware and extortion victims
From January 2024 onward, Europe accounted for nearly 22% of global ransomware and extortion victims, with more than 2,100 incidents affecting sectors including manufacturing, professional services, technology, and retail.
Russia's 2022 invasion of Ukraine reshapes Russian cyber targeting
Since Russia's 2022 invasion of Ukraine, Russian threat actors shifted more of their cyber focus toward Ukraine and conflict-related targets, according to CrowdStrike's later assessment of the European threat landscape.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Escalation of Ransomware and Extortion Attacks Targeting European Organizations
European organizations are facing a surge in ransomware and data extortion attacks, with financially motivated eCrime groups and nation-state actors intensifying their operations across the region. According to CrowdStrike, nearly 22% of global victims named on dedicated leak sites are based in Europe, with the United Kingdom, Germany, Italy, France, and Spain being the most targeted countries. Key sectors under attack include manufacturing, professional services, technology, industrials, engineering, and retail. The rise in big game hunting (BGH) activity is attributed to the high value of European companies, political motives, and adversaries' adaptation to legal pressures such as the EU’s General Data Protection Regulation (GDPR). Recent high-profile incidents underscore the universal nature of cyber risk, affecting organizations of all sizes and sectors. Notable breaches include attacks on Marks & Spencer, Jaguar Land Rover, the British Library, Royal Mail, British Airways, easyJet, and several major European airports, the latter resulting from a compromise of a third-party service provider. These events highlight the interconnectedness of modern operations and the cascading impact of supply chain vulnerabilities. The evolving threat landscape demonstrates that no business is immune, and organizations must prioritize proactive cybersecurity measures to mitigate the growing risk of ransomware and extortion campaigns.
Mar 21, 2026
AI and Automation Accelerate Ransomware Operations and Intrusion Speed
Recent reporting and threat research indicate **AI and automation are materially compressing attacker timelines**, reducing defenders’ opportunity to detect and contain intrusions. A ReliaQuest analysis cited by SC Media found **lateral movement can occur in as little as four minutes** (with average lateral movement time dropping from 48 to 34 minutes), and **data exfiltration** in the fastest cases falling to **six minutes** (down from more than four hours previously). The same reporting notes **80% of ransomware groups** are leveraging AI and/or automation for data theft, and highlights **BoaLoader** as an example of converged AI-assisted development, social engineering, and traditional cybercrime activity. Separate ransomware telemetry from NCC Group shows overall **publicly disclosed ransomware incidents** dipped month-over-month in January but remained broadly consistent year-over-year (741 vs. 696), with **North America** accounting for **54%** of activity and **industrials** the most targeted sector (32%). The report identified **Qilin** as the most active group (108 cases), followed by **Akira** and **Sinobi**, and warned that attacker tradecraft is expanding to new initial access paths, including **messaging platforms** (e.g., WhatsApp, Signal, Telegram) via device-linking scams and malicious QR codes. ASEC’s weekly “Ransom & Dark Web Issues” roundup provides additional context on ongoing ransomware and hacktivist activity (e.g., **Morpheus** targeting a South Korean plating company and **Ailock** republishing prior victims), but it is not clearly tied to the same specific datasets or findings on AI-driven acceleration described in the other reporting.
Mar 21, 2026
AI-Driven Phishing and Social Engineering Threats Escalate in Europe and Beyond
Phishing remains the dominant initial access vector for cyberattacks across Europe, accounting for 60% of incidents between July 2024 and June 2025, as reported by the European Union Agency for Cybersecurity (ENISA). The proliferation of Phishing-as-a-Service (PhaaS) platforms, such as Whisper 2FA, has enabled attackers to automate and scale their operations, targeting a wide range of brands including Microsoft 365, Adobe, and DocuSign. These kits now incorporate advanced features like AJAX-based real-time credential and multi-factor authentication code capture, dense encoding, anti-debugging, and browser freezing to evade detection and analysis. ENISA highlights that AI tools have fundamentally reshaped the threat landscape, with large language models (LLMs) being leveraged to enhance phishing campaigns and automate social engineering, resulting in AI-supported phishing representing over 80% of observed social engineering activity worldwide by early 2025. The report also notes a significant rise in attacks targeting the AI supply chain, with adversaries corrupting components used in AI development and deployment. The sophistication of phishing attacks is further demonstrated by the integration of AI-generated lures, deepfakes, and synthetic media, which are increasingly used in vishing, impersonation, and fraud schemes. The use of AI has not only increased the volume and success rate of phishing campaigns but has also introduced new risks, as AI systems themselves become targets for exploitation. Supply chain attacks have intensified, with threat actors abusing critical digital dependencies to maximize impact, often by targeting customers of compromised organizations. The evolution of phishing tactics is also evident in the widespread adoption of clickbait scams, which use sensationalized headlines and engaging visuals to lure victims into revealing sensitive information or installing malware. Despite increased awareness and training, organizations continue to struggle with the effectiveness of phishing prevention, as attackers adapt their methods to bypass traditional defenses. The ENISA Threat Landscape 2025 report underscores the urgent need for organizations to update their security frameworks, enhance identity and access management, and adopt advanced detection and response strategies to counter the growing threat posed by AI-driven phishing and social engineering attacks. The convergence of AI, automation, and supply chain vulnerabilities has created a complex and rapidly evolving threat environment that demands continuous vigilance and innovation in cybersecurity practices.
Mar 21, 2026