Ransomware Attacks Surge 13% as Leak Sites Target More Victims

Summary
– European ransomware attacks increased by 13% over the past year, with the UK, Germany, Italy, France, and Spain being the most targeted countries.
– Manufacturing, professional services, technology, industrials and engineering, and retail were the sectors most affected by ransomware.
– Akira and LockBit were the most successful ransomware groups, and “big-game hunting” attacks targeting large companies persist due to Europe’s valuable enterprises and geopolitical factors.
– Common attack methods included credential dumping, remote file encryption, data theft from unmanaged systems, and deploying Linux ransomware on VMware ESXi infrastructure.
– Violence-as-a-service is a growing threat, involving physical attacks and kidnappings, primarily in France, prompting Europol to create a taskforce to address it.
Ransomware attacks on European organizations rose 13% over the past year, with UK-based entities experiencing the highest volume of incidents, according to recent threat intelligence. The figures come from the 2025 European Threat Landscape Report by CrowdStrike, which analyzed extensive threat hunting data and intelligence sources. Between September 2024 and August 2025, data leak sites identified 1,380 European victims, marking a clear double-digit annual increase. After the United Kingdom, the most targeted countries were Germany, Italy, France, and Spain.
The manufacturing sector proved most vulnerable, followed closely by professional services, technology, industrials and engineering, and retail. Since the start of 2024, extortion leak sites have publicly listed over 2,100 victims across Europe. Of these incidents, 92% involved both file encryption and data theft. Europe is the second-most targeted region globally after North America, accounting for approximately 22% of all victims worldwide.
Among the most prolific ransomware groups, Akira and LockBit led the pack with 167 and 162 successful attacks respectively. They were trailed by RansomHub, along with the groups INC, Lynx, and Sinobi. The report emphasizes that “big-game hunting” (BGH) campaigns, where attackers deliberately pursue larger corporations, remain a persistent danger throughout Europe. This focus is partly due to the concentration of high-value enterprises in the region and is influenced by geopolitics, with Russian-affiliated groups often identified as the primary aggressors. These actors are aware that European firms are bound by strict GDPR mandates, which can be leveraged to pressure companies into paying ransoms.
CrowdStrike’s investigation also identified 260 initial access brokers who were actively marketing access to more than 1,400 compromised European organizations. Analysis of BGH groups revealed several common tactics, techniques, and procedures. These include dumping credentials from backup and restore configuration databases; remotely encrypting files, often from an unmanaged system; and executing ransomware operations outside the primary target environment. Additionally, attackers frequently used access to unmanaged systems for data exfiltration and ransomware deployment, and increasingly deployed Linux-based ransomware on VMware ESXi infrastructures.
The threat landscape is further complicated by the rise of vishing (voice phishing), a technique popularized by groups like Scattered Spider, which previously targeted major retailers. These social engineering attacks use native speakers to enhance credibility and have seen growing success. Another concerning trend is the proliferation of CAPTCHA lures, known as “ClickFix” attacks. These lures typically arrive via phishing emails, malicious online advertisements, or search engine optimization poisoning, and are used to distribute malware.
Perhaps most alarming is the emergence of Violence-as-a-Service as a credible and growing threat. Groups associated with “The Com” and Russia-based Renaissance Spider are coordinating physical acts of violence, arson, kidnappings, and extortion through Telegram-based networks. Many of these attacks are linked to cryptocurrency theft. Since January 2024, 17 such incidents have been recorded, with 13 occurring in France. A prominent example was the January 2025 kidnapping of a co-founder of Ledger, a well-known cryptocurrency wallet provider. The escalation of these violent tactics prompted Europol to establish a dedicated task force earlier this year to confront this severe and evolving danger.
(Source: Info Security)





