Europe Evolves Into Ransomware's Favorite Region

CYBERSECURITY ANALYTICS CYBERATTACKS & DATA BREACHES THREAT INTELLIGENCE CYBERSECURITY OPERATIONS NEWS Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific Europe Evolves Into Ransomware's Favorite Region After a global lull, ransomware gangs are setting sights on a rich new arena: attacking EU organizations and their suppliers. Nate Nelson,Contributing Writer June 25, 2026 5 Min Read SOURCE: IMAGINIMA VIA GETTY IMAGES A specter is haunting Europe — the specter of ransomware. After a global lull in 2024 and 2025, the ransomware-as-a-service (RaaS) ecosystem appears to be back to form, at least in Europe. Researchers from Black Kite tracked 684 publicly known ransomware attacks across the continent through the first four months of 2026. That's 55% more than the 441 recorded in the first four months of 2025, even more than the 643 recorded through the first half of 2025. "Globally, the US absorbs almost half of all ransomware victims. Canada and the UK have traded second place. Europe was a step behind. Now that’s shifting," Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, tells Dark Reading. He believes that at least a couple of factors are at play.  First, an oversaturation of ransomware activity in the US is leading some to seek opportunities elsewhere. And "second, and this is my read: [Attackers'] own artificial intelligence (AI)-assisted target research is starting to point them at Europe," he says. "The stealer logs are there. The unpatched vulnerabilities are there. The money is there. Smaller countries may run weaker defenses, but the big economies offer the full package: wealth and exposure together. The question isn't why ransomware groups target the major EU powers; it's why would you not?" Related:Nordic CISOs Handle Rising Cyber Threats Remarkably Well It's getting bad, the researchers say, not just because European organizations are suffering more ransomware attacks, but also because they're suffering the consequences of attacks against their vendors. Ransomware Rings Resurge Ransomware was such a pestilence during the COVID-19 pandemic — such an inescapable, visible suck on advanced economies — that law enforcement had no choice but to mobilize and fight back. From 2022 to 2025, the mood for disrupting RaaS groups was so strong that even Russia got in on the game. US and global authorities disrupted or outright killed A-grade operations (Conti, Hive, LockBit, AlphV) and B-grade operations (Babuk, BianLian, Cactus, RansomHub, etc.), with the effect of scattering bad actors and sending them into the shadows. "Ransomware never really went away, but the major players took a hit. That created a power vacuum. What refilled the vacuum is volume," Dikbiyik explains. In 2023, ransomware's peak to date, Black Kite tracked 60 active ransomware groups. Now it tracks 150. This explains the rising volume of malicious attacks but not their distribution. European ransomware data through the first third (T1) of 2026 was heavily concentrated in certain countries, and certain industries within those countries. Related:Do Ceasefires Slow Cyberattacks? History Suggests Not In all, 68.5% of all attacks affected the largest markets: the UK, Germany, France, Italy, and Spain. This alone isn't surprising — more organizations with more money to spare will always attract more attacks. What stands out more is the sheer rise in malicious activity in these countries, considering the volume they already get every year. Italy experienced a full 92% more attacks in T1 2026 than T1 2025. In Spain, the rise was 77%. In France, 119%. Black Kite recorded even steeper rises in attacks against smaller countries: a 433% increase in Turkey, 333% in Romania, and 217% in Poland. Even so, the researchers read "no meaningful pattern" into this data — no great interest among attackers in moving toward smaller, less protected economies. Certain organizations are also more liable to be attacked than others. More than a quarter of the ransomware attacks in Europe from January 2025 through April 2026 hit the manufacturing sector, and another 17.8% hit a broad category of professional, scientific, and technical services companies, most notably digital services providers. Dikbiyik argues that in both cases — manufacturing and digital services — attackers are trying to leverage downstream supply chain risk. "Every manufacturer sits inside a larger supply chain. Disrupt a physical production line and you hand the attacker enormous leverage at the negotiating table," he says. At the same time, with computer systems companies, "These firms hold direct access to client systems and data. Breach one, and every client it serves is exposed." Related:More Than 40% of South Africans Were Scammed in 2025 Surveying Suppliers Secures Systems, Saves Shillings The epitome of what's going on here, Dikbiyik says, is the Miljödata attack of Aug. 23, 2025. In that case, by breaching one IT and HR systems provider, attackers managed to access data from around 200 downstream Swedish municipalities, plus several universities and corporations, representing more than 1 million affected individuals. If the trend toward companies being attacked via their suppliers continues, Dikbiyik suggests that organizations are going to need to do more to account for vendor risk. And not just third-party vendor risk, but fourth-, fifth-, and nth-party risk. "You can't manage what you can't see, and most companies can't see past their direct vendors. They rarely have an inventory of their fourth and fifth parties. Threat actors map those deeper connections with open source intelligence," he says. Broadly speaking, he splits third-party risk into two camps: "concentration" risk and "cascading" risk. Concentration risk is the simpler of the two: If several of your organization's vendors are exposed to the same vulnerability, or if they're all themselves connected to some other insecure vendor, then your organization has an issue that one call to one vendor can't fix. Miljödata represented a concentration risk to the Swedish government. Cascading risk occurs when a vendor is breached, and that breach leads attackers into vendor n-1, n-2, etc., until they reach your organization. ShinyHunters specializes in these sorts of cascading campaigns, including its recent round involving Oracle PeopleSoft. "So what do you do about this?" Dikbiyik asks, rhetorically. "You don’t wait for the breach notification. You go to your direct vendor, surface the dependency, and press them on it. Does that fourth party have a backup? Can they move off a concentrated provider?" In his view, "In an age where workflows automate themselves, what slows teams down isn't action. It's visibility. The companies that stay resilient in 2026 are the ones ranking vendors by risk before the breach, not after." Read more about: Europe About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Threat Hunting That Gets Big Results Despite Small Budgets Say Yes to AI: Securing Innovation Without Compromise Zero Trust Identity: Beyond Traditional Authentication Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed More Webinars Editor's Choice APPLICATION SECURITY FIFA Bug Exposes World Cup Streams to Remote Takeover byNate Nelson JUN 18, 2026 4 MIN READ CYBERSECURITY OPERATIONS EU Gets a Head Start in Developing 6G Network Security byNate Nelson JUN 18, 2026 4 MIN READ CYBER RISK UK Social Media Ban for Minors Has Privacy Experts Worried byRobert Lemos JUN 17, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS