What happened
Ransomware activity is rising sharply across Europe, according to new research from Ferhat Dikbiyik and cybersecurity firm Black Kite. The company tracked 684 publicly disclosed ransomware attacks across Europe during the first four months of 2026, a 55% increase from the 441 attacks recorded during the same period in 2025.
The findings suggest that Europe is becoming a more attractive target for ransomware groups after years in which the United States accounted for the majority of victims. According to Dikbiyik, attackers may be expanding into Europe due to an abundance of exposed systems, unpatched vulnerabilities, and financially attractive targets.
The resurgence also reflects a broader shift within the ransomware ecosystem. Major law enforcement operations between 2022 and 2025 disrupted several prominent ransomware groups, including LockBit, Hive, and AlphV. While these actions weakened established operations, they also created space for numerous smaller groups to emerge. Black Kite now tracks roughly 150 active ransomware groups, compared with 60 during ransomware’s peak in 2023.
Who is affected
The majority of attacks were concentrated in Europe’s largest economies. The United Kingdom, Germany, France, Italy, and Spain accounted for nearly 69% of all recorded incidents.
Several countries experienced dramatic year-over-year increases. France saw attacks rise by 119%, Italy by 92%, and Spain by 77%. Smaller countries also recorded significant growth, including Turkey, Romania, and Poland.
Manufacturing organizations were the most targeted sector, accounting for more than a quarter of attacks. Professional, scientific, and technical services firms, including digital service providers, were also heavily targeted. Attackers increasingly view these organizations as gateways to broader supply chains and downstream victims.
One notable example was the 2025 attack on Miljödata, which reportedly affected around 200 Swedish municipalities, universities, and businesses, exposing data linked to more than one million individuals.
Why CISOs should care
The report highlights a growing shift from direct attacks to supply-chain-driven ransomware campaigns. Threat actors are increasingly targeting service providers, software vendors, and critical business partners to gain access to multiple organizations through a single compromise.
According to Dikbiyik, many organizations still lack visibility beyond their immediate vendors, creating blind spots that attackers can exploit. As ransomware groups continue to target interconnected ecosystems, third-party, fourth-party, and even deeper supplier relationships are becoming critical components of cyber risk management.
For CISOs, the challenge is no longer limited to protecting internal systems. Understanding vendor dependencies and concentration risks is becoming equally important to maintaining resilience.
3 practical actions
- Inventory critical third-party vendors and identify key fourth-party dependencies.
- Prioritize security assessments for suppliers with privileged access to systems or sensitive data.
- Review vendor resilience plans, including backup, recovery, and incident response capabilities, before a breach occurs.

