European organizations suffered a 13% increase in ransomware over the past year, with UK entities most affected, according to a new CrowdStrike report.
The security vendor’s 2025 European Threat Landscape Report is compiled from analysis of its threat intelligence and threat hunting data.
A review of data leak sites over the period September 2024-August 2025 revealed a double-digit annual increase in European victims, to 1380. After the UK, Germany, Italy, France and Spain were the most targeted nations.
The most targeted sectors were manufacturing, professional services, technology, industrials and engineering, and retail.
Since January 2024, over 2100 victims across Europe were named on extortion leak sites, with 92% involving file encryption and data theft. The region is the second-most targeted globally after North America, with around a fifth (22%) of victims.
Read more on ransomware: Ransomware Payouts Surge to $3.6m Amid Evolving Tactics
CrowdStrike claimed Akira (167) and LockBit (162) were the most successful ransomware groups over the period, followed by RansomHub (141) and INC, Lynx and Sinobi (133).
The report explained that “big-game hunting” (BGH) attacks, where threat actors deliberately target larger companies, are a persistent menace in the region.
That’s partly down to the fact that Europe contains many valuable enterprises, and partly down to geopolitics, as Russian groups are usually the aggressors, it said. They know that European firms are bound by GDPR mandates which can be used as leverage to force them into paying ransoms.
CrowdStrike observed 260 initial access brokers advertising access to over 1400 hacked European organizations.
Across the BGH groups CrowdStrike studied, the following tactics, techniques and procedures (TTPs) were highlighted as most common:
- Dumping credentials from backup/restore configuration databases
- Remotely encrypting files, executing ransomware – often from an unmanaged system – and running file encryption outside the targeted system
- Using access to unmanaged systems to steal data and deploy ransomware
- Deploying Linux ransomware on VMware ESXi infrastructure
The report also highlighted the growing threat from vishing, popularized by the notorious Scattered Spider outfit which targeted M&S and the Co-op Group, with native speakers used to improve success rates.
CAPTCHA lures, known as “ClickFix” attacks, are also on the rise, typically using phishing emails, malicious advertising (malvertising) and search engine optimization (SEO) poisoning to deliver malware.
Violence on the Rise
Violence-as-a-Service was highlighted in the report as a growing threat, with groups connected to “The Com” and Russia-based Renaissance Spider coordinating physical attacks, arson, kidnappings and extortion using Telegram-based networks.
Often these attacks are tied to theft of cryptocurrency. There have been 17 such attacks since January 2024, including those targeting individuals working in the crypto sector like Bitcoin traders. Most (13) were located in France, including the January 2025 kidnapping of the co-founder of Ledger, a crypto-wallet vendor.
The problems associated with violence-as-a-service groups have increased to the point where Europol was earlier this year forced to create a new taskforce to tackle the threat.
