
Ransomware gangs exploit Europe’s weak third-party vendors

Originally published on: June 27, 2026
Summary

– Ransomware attacks against European organizations increased 55.1% in January–April 2026 compared to the same period in 2025, with Germany, the UK, France, Italy, and Spain accounting for nearly 70% of incidents.
– Manufacturing was the hardest-hit sector, making up 27.9% of ransomware incidents, while IT services were a primary target due to the potential to affect many downstream customers.
– Third-party compromises are a major entry point, with 64 organizations breached through suppliers; one software provider breach exposed data of over one million people.
– The Qilin ransomware group had the widest geographic reach, operating in 26 of the 31 European countries analyzed.
– European regulations like NIS2 and DORA now require organizations to assess, monitor, and manage supplier cyber risks as part of operational resilience.

Ransomware attacks against European organizations surged in early 2026, with third-party vendors emerging as the primary gateway for cybercriminals. Black Kite’s 2026 European Cyber Risk Report analyzed 2,066 ransomware incidents across 31 countries from January 2025 to April 2026, revealing a troubling trend: attackers are increasingly bypassing direct targets to exploit weaker links in the supply chain.

“Three forces are converging on European organisations at once: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk,” said Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite.

Publicly disclosed incidents jumped 55.1% between January and April 2026 compared to the same period in 2025. The average monthly attack count climbed from 108 in the first half of 2025 to 171 during the first four months of 2026. Germany recorded the highest number of attacks, followed by the UK, France, Italy, and Spain. Together, these five nations accounted for nearly 70% of all documented ransomware incidents.

Manufacturing bore the brunt of the assault, representing 27.9% of all publicly disclosed cases. IT services ranked as the most targeted subindustry because compromising a single provider can unlock access to multiple downstream customers. Professional services, healthcare, retail, and transportation also remained frequent targets as cybercriminals increasingly focused on organizations with broad digital connections and high operational impact.

The Qilin ransomware group demonstrated the widest geographic reach, operating in 26 of the 31 countries analyzed. Instead of attacking organizations head-on, cybercriminals now target suppliers and service providers to maximize their return on a single breach. The report identified 64 organizations compromised through third-party incidents. In one case, a breach at a software provider affected dozens of downstream organizations and exposed the personal data of more than one million people, illustrating how a single supplier can trigger widespread disruption.

European cybersecurity regulations are reinforcing this shift. Frameworks such as NIS2 and DORA now require organizations to assess, monitor, and manage supplier cyber risk as part of operational resilience programs. Companies must demonstrate they understand how supplier vulnerabilities could affect their operations and have processes in place to identify, assess, and mitigate those risks.

Dikbiyik noted that some of Europe’s most significant ransomware incidents were defined by their downstream impact across interconnected organizations. He added that NIS2 and DORA were increasing pressure on organizations to better understand cyber risk across their supplier ecosystems and identify where risk is concentrated. The message is clear: in today’s threat landscape, your security is only as strong as your weakest vendor.

(Source: Help Net Security)
