Ransomware is hitting European businesses harder than ever. As of July 2025, there have already been 921 reported attacks across the continent. If this pace continues, the total could exceed 1,746 by the end of the year, setting a new and alarming record.
This is more than just a worrying number. It reflects a growing, well-organized threat that demands immediate attention from both business leaders and IT teams.
The latest findings highlight which industries are being targeted most, how attacker strategies are changing, and what steps companies should take to strengthen their defenses.
This in-depth report covers ransomware activity in Europe from 2023 through 2025. All data presented was gathered up to July 22, 2025. It offers crucial insights into attack trends, the tactics cybercriminals are using, and which sectors face the greatest risks. Understanding these patterns is essential for building stronger protection before the next wave hits.
It’s important to note that the data in this report reflects only publicly reported ransomware attacks. Many incidents likely go unreported due to reputational concerns or legal implications. What you will see in this report is just the visible part of a much larger problem.
Key Takeaways
- Ransomware attacks in Europe are rising dramatically. In 2025, they are expected to exceed 1,746, breaking all records.
- The industrial sector is the hardest hit, as even the slightest downtime can result in massive costs.
- Attackers are targeting industries with sensitive data and heavy reliance on technology, such as healthcare, technology, and retail.
- The ransomware group “LockBit3” is losing its leading position, with new players like Akira and Qilin taking over.
- 2025 sees an increase in “double extortion” attacks, where data is stolen and its public disclosure is threatened.
Our Research Featured in:
The Escalation of Europe’s Alarming Ransomware Trajectory
The numbers tell a troubling story. In 2023, there were 713 reported cases. By 2024, that number jumped to 1,288 – an increase of more than 80%. And by July 2025, 921 attacks had already been recorded. If things continue like this, 2025 could become the most dangerous year yet. This isn’t just a short-term spike. It’s a clear sign that ransomware threats are growing stronger and becoming more frequent, and businesses can’t afford to ignore them.
This steady rise is not a one-off spike. It is part of a much larger shift. The jump from 2023 to 2024 was just the beginning. What we are seeing now is a sustained and aggressive escalation. The threat is not just growing. It is changing fast, and organizations across every sector need to take it seriously.
From leadership teams to IT security, this is a call to act. Not later, but now.
Number of Companies Hit by Ransomware per Year in Europe:
| 2023 | 713 |
| 2024 | 1288 |
| 2025 | 1746 (estimate by EOY – 921 up to 22th of July 25’) |
Who is Being Hit Hardest? Industry Vulnerabilities Revealed
It is not just about who is launching the attacks. To fully understand the ransomware threat, we also need to look at who is being targeted. Our data clearly shows that certain industries in Europe are hit again and again. These are not random choices. Attackers are selecting their victims carefully, focusing on sectors where disruption is costly and recovery is difficult.
The patterns reveal that some industries are far more vulnerable due to their reliance on digital systems, the sensitivity of their data, or the pressure they face to resume operations quickly. By identifying these high-risk sectors, organizations can better assess their exposure and strengthen their defenses where it matters most.
2023-2025 Insights: Manufacturing Takes the Hardest Hit
From 2023 to mid-2025, ransomware attacks have consistently concentrated on sectors that drive economic activity and handle critical data, with Manufacturing holding the top spot and steadily rising from 26.92% to 28.79% of victims.
Technology has remained a close second, climbing from 10.3% to 11.72%, while Healthcare has surged to 8.97%, reflecting its growing appeal to attackers seeking sensitive patient information. Retail, along with other essential industries such as hospitality and transportation, continues to face persistent threats, underscoring the high operational value and disruptive potential of these targets.
Why Certain Industries Are Frequent Targets of Ransomware
Ransomware attackers do not pick their victims at random. They focus on specific industries for several key reasons:
Persistent Targeting of Manufacturing
Manufacturing is the top-targeted industry each year:
High Impact from Operational Disruption
Industries like Manufacturing, Transportation, and Construction, which make up 5 to 7 percent of attacks, cannot afford long downtimes. Production lines, strict schedules, and supply chain needs mean any disruption directly affects their physical goods and services. This pressure makes these companies more likely to pay the ransom quickly.
Valuable Data and Heavy IT Dependence
Sectors such as Technology, Healthcare, and Retail handle large amounts of sensitive digital information. These industries depend heavily on their IT systems, so disruptions or data breaches can cause major data leaks, damage to reputation, and regulatory penalties. This often forces companies to negotiate with attackers to regain access.
Growing Threat to Technology and Healthcare
Both Technology and Healthcare are targeted at high and rising levels:
These industries are data-rich and deeply dependent on IT systems. Attacks here are likely to involve data exfiltration and threats to release sensitive information, increasing pressure to pay.
Critical Public Services
Government, Legal, and Healthcare sectors, each accounting for about 4 to 6 percent of attacks, manage vital public infrastructure and citizen records. They face strong public demand to restore services quickly, making them prime targets for extortion. Attacks also occur in Energy and Finance, although less frequently, likely due to stronger security and regulations. Still, their presence shows attackers’ interest in critical infrastructure.
Ransomware groups act like predators targeting “high-value prey”: organizations with strong IT reliance, financial resources, and limited ability to recover quickly. This explains why the same industries are targeted year after year.
Who’s Behind the Attacks?
To fight ransomware effectively, we need to understand who is behind it. Our analysis shows a constantly changing group of ransomware operators targeting Europe. Some have been active for years, while others are new but growing quickly. Together, they paint a picture of a threat that is both persistent and evolving.
Top Ransomware Groups in 2023
2023: LockBit3 Leads a Wide Range of Threats
In 2023, LockBit3 was the most active ransomware group in Europe, responsible for 26.74 percent of all known attacks. Other major groups included Play with 13.65% and ALPHV with 7.94%. Smaller or less consistent groups made up a significant part of the picture as well. The “Other” category alone accounted for 16.71%, showing that the threat came from a wide and varied set of actors.
Top Ransomware Groups in 2024
2024: A Shift in Power and a More Fragmented Landscape
In 2024, LockBit3 was still active but its share dropped to 11.75 percent, possibly due to law enforcement pressure or changes within the group. New names emerged, most notably RansomHub, which quickly rose to 11.36 percent. Other active groups included 8Base at 5.64 percent, Akira at 4.48 percent, and BlackBasta at 4.4 percent.
What stood out most was the sharp rise in activity from smaller or newer groups. The “Other” category jumped to 35.39%, showing that the threat environment had become more scattered and unpredictable.
Top Ransomware Groups in 2025
2025 (Mid-Year): A Major Shift in the Ransomware Landscape
The first half of 2025 shows a major change in the ransomware threat landscape. LockBit3, once a leading group, is no longer among the top 14. In its place, Akira has taken the lead with 11.33% of attacks. Qilin follows with 9.06%, and SafePay has quickly risen to 8.41%.
Smaller and emerging groups continue to play a large role. The “Other” category remains high at 35.38%, making it clear that many lesser-known or short-lived groups are still active. This constant reshuffling shows how fast ransomware groups can change, often rebranding or being replaced by new players.
Analysis of Attacker Evolution
Over the past three years, ransomware activity has shown clear signs of constant change and reorganization. LockBit3’s rise and fall are a key example. It went from being the most dominant group to completely disappearing from the top ranks in 2025. This shift may be the result of internal changes or actions taken by law enforcement.
At the same time, the steady presence of the “Other” category highlights just how many smaller or short-lived groups are active each year. These groups may not be well known, but together they make up a large share of total attacks. This makes it much harder for organizations to stay ahead of every possible threat.
Final Forecast for 2025 – Ransomware Attacks in Europe (Updated Outlook)
Our latest data analysis, which includes victim counts from January 2023 to July 2025, shows that ransomware attacks in Europe are likely to reach around 1,746 cases by the end of 2025. This would make it the most active year on record, with more incidents than both 2023 and 2024.
The most affected industries continue to be Manufacturing, Technology, and Healthcare, which together make up the largest share of victims. These sectors are often targeted because they depend heavily on digital systems, store valuable data, and may lack strong security across the board. Other frequently hit sectors include Retail, Finance, and Education.
In terms of attackers, familiar names like LockBit3, Medusa, and 8Base remain active. But 2025 has also seen the rise of newer groups such as DragonForce, Nightspire, and Sarcoma, pointing to a more fragmented and fast-changing threat landscape. Groups like RansomHub, Qilin, and Incransom are also becoming more stable and recurring in their activity.
Ransomware tactics are evolving, too. In 2025, there has been an increase in double-extortion attacks, where data is stolen before encryption, and in targeted campaigns that exploit local systems or laws. This shows that attacks are becoming more strategic and intelligent, not just random or widespread.
Strengthening Your Business Against Cyber Risks
Protecting your business today means more than installing antivirus software or relying on basic firewalls.
In Europe, NIS2 has set a new standard for cybersecurity, requiring companies to manage risk, report incidents, and secure their systems or face serious fines.
Getting started with compliance does not have to be complicated. Tools like Start Comply help businesses understand where they stand and what actions to take.
Beyond compliance, businesses benefit from having several layers of protection in place. Access controls, secure backups, and strong endpoint security can work together to reduce risk.
Keeping all systems up to date and properly patched reduces the risk of vulnerabilities being exploited. Partnering with a professional cybersecurity provider such as Tictac can also support efforts like penetration testing and system assessments, helping ensure your infrastructure is truly ready.
And when incidents do happen, having a clear, tested response plan can make a critical difference in how quickly and effectively a business recovers.
2025 Ransomware Outlook – Urgent Action Needed Across Europe
The forecast for 2025 points to an even more difficult year ahead. Ransomware attacks are expected to surpass 1,700 across Europe, marking the highest volume recorded so far.
A rise in “double extortion” tactics is likely, where attackers both lock systems and steal sensitive data. Victims are then pressured to pay by threats of public exposure. We also expect more targeted attacks that exploit local vulnerabilities and gaps in regional laws.
This is not a time to wait and see. European organizations must take urgent steps to strengthen their digital defenses. Proactive security, solid incident response plans, and ongoing employee training are no longer optional. They are essential strategies for surviving an increasingly aggressive cyber threat landscape.
Research Methodology & Other Information
- This analysis focuses on ransomware activity across Europe, covering the period from January 2023 to July 22, 2025.
- Data was sourced from ransomware.live and examined to identify patterns related to victim count, group activity, and targeted sectors from all European Countries.
- Only confirmed incidents attributed to known ransomware operators were included in this study. Organizations were grouped based on their primary industry, providing clearer insights into which sectors have been most affected.
- It is important to note that the data used in this report includes only publicly reported and verified attacks. As a result, the findings represent just the visible portion of ransomware activity, and the actual number of incidents is likely higher.
- Every effort was made to ensure the accuracy of the information presented. However, the analysis is limited to publicly available data at the time of writing.
- This research was conducted by Social Active on behalf of TicTac Cyber Security. Any use of this data should credit both Social Active and TicTac as the source.
