The French Cybersecurity Agency (ANSSI) has confirmed the decline of known ransomware attacks in 2025, in part due to successful law enforcement operations.
The latest edition of the agency’s annual threat report, published on March 11, dives into the range of cyber threats that French public and private organizations have faced in 2025.
According to ANSSI data, there were 128 ransomware attacks reported in France in 2025, slightly fewer than the 141 such attacks recorded in 2024.
Nevertheless, the agency highlighted that ransomware compromises remained a significant threat and represent a substantial share of the over cybercriminal activity.
The report also noted that, while ANSSI’s partnering security vendors frequently warn about an uptick in encryption-less cyber extortion attacks such incidents have been limited, according to the agency’s data.
Small and medium businesses (SMBs) remained the organizations most targeted by ransomware, but public and private healthcare entities and education organizations have experienced the biggest year-over-year increase.
The most prevalent ransomware strains observed by ANSSI in 2025 were Qilin (21%), Akira (9%), and LockBit 3.0/LockBit Black (5%).
Additionally, more than a dozen strains (notably Nova, Warlock and Sinobi) were observed for the first time in 2025 in at least one incident.
ANSSI assessed that the drop in ransomware attacks is at least partly due to the successful preventive intervention of cyber defenders, including those from the French agency, and large-scale law enforcement operations.
One of the most impactful efforts was Operation Endgame, which ANSSI said disrupted a large part of the ransomware landscape and undermined trust within the cybercriminal ecosystem.
Cyber Incidents Treated by ANSSI Remain Stable
Overall, ANSSI received 3586 cyber alerts that involved the support of the agency in 2025, an 18% drop compared to 2024. However, this decline can be partly explained by a spike of signals sent to ANSSSI during the 2024 Paris Olympic and Paralympic Games.
Out of those 3586 cyber alerts, the agency reported 1366 cyber incidents where the involvement of a malicious actor was confirmed.
This is similar to the number ANSSI reported the previous year (1361 of cyber incidents in 2024), which itself was an increase from the 1112 incidents reported in 2023 and 831 in 2022.
The report also noted a significant increase in the number of incidents related to data exfiltration. However, the agency warned that claims of data exfiltration must always be considered with extra care as they often are subject to exaggeration or even lies from the cybercriminals.
For instance, out of the 460 events identified by ANSSI as possible data leaks in 2025, 42% were confirmed as being associated with actual compromises and the remainder were either false claims or “recycling” of data from previous compromises.
ANSSI also highlighted a significant drop in distributed denial-of-service (DDoS) attacks targeting French organizations in 2025.
Overlaps Between Nation-State Groups and Cybercriminals Complicate Attribution
Finally, the report emphasized the emergence of a technological and organizational fog, deliberately used as leverage by both nation-state attackers and cybercriminals, where groups from both categories increasingly share capabilities, adopt each other’s practices.
“This trend inherently complicates the attribution process, as it is associated with a division of tasks among multiple actors, each specializing in certain phases of a compromise,” the ANSSI report reads.
Vincent Strubel, ANSSI’s director general, said in the report that the series of cyber-attacks against Polish electrical infrastructure at the end of 2025 “raises the specter of the feared scenario for which France is preparing.”
“It is a central scenario in which we would face, by 2030, a massive increase in so‑called ‘hybrid’ attacks, with cyber-attacks representing a major component and having concrete or even destructive effects on our critical infrastructures,” he added. Before concluding that “yes, France has the means to counter, deter, or at least significantly complicate the work of attackers.”
