Black Kite's first Europe-focused report reveals 684 ransomware attacks in the first four months of 2026, a 55.1% year-over-year increase that surpasses the entire first half of 2025. Supply chain compromise emerges as the dominant vector, with a single incident at Swedish provider Miljödata accounting for 53% of third-party victims. The RaaS ecosystem has fragmented from 60 groups in 2023 to 150 in 2026, while NIS2 and DORA regulations demand supply chain visibility most organizations lack.

On June 25, 2026, Black Kite published its first report dedicated exclusively to Europe: 684 ransomware attacks in the first four months of the year, a 55.1% increase over the 441 recorded in the first four months of 2025. The figure even exceeds the 643 attacks logged across the entire first half of 2025. The threshold is not merely numeric: for the first time, Europe overtakes the historical trend of North America and the UK as the preferred destination for active ransomware groups.

Key Takeaways
  • 684 ransomware attacks in Europe in Q1 2026, up 55.1% year-over-year; the tally exceeds the entire first half of 2025
  • 68.5% of attacks concentrate in five markets: Germany, UK, France, Italy, Spain; Italy surges 92%, France 119%
  • 64 European organizations hit via third parties: 53% stem from the single Miljödata incident in Sweden on August 23, 2025
  • The RaaS ecosystem has fragmented from 60 groups in 2023 to 150 in 2026; Qilin appears in 26 of the 31 countries analyzed

Why Europe Now: US Saturation and AI-Driven Targeting

Ferhat Dikbiyik, Black Kite's chief research and intelligence officer, explains the geographic reversal with three converging factors. The first is US market saturation: "The world absorbs nearly half of all ransomware victims. Canada and the UK have traded the second spot. Europe was a step behind. Now it's changing." The second force is AI applied to target discovery: "Their own AI-assisted target research is starting to point to Europe."

The third element is the nature of European economies themselves. Dikbiyik summarizes: "Stealer logs exist. Unpatched vulnerabilities exist. Money exists. Smaller countries may have weaker defenses, but the major economies offer the complete package: wealth and exposure together. The question isn't why ransomware groups target major EU powers; it's why they wouldn't."

The numbers confirm the concentration on mature markets. Germany recorded 370 incidents (17.9%), the UK 347 (16.8%), France 255 (12.3%), Italy 240 (11.6%), Spain 203 (9.8%). The steepest percentage spikes, however, appear in secondary economies: Turkey +433%, Romania +333%, Poland +217%. Black Kite researchers detect no significant pattern toward smaller countries; the logic remains maximum leverage, not opportunism against weak defenses.

The Supply Chain Lever: One Attack, Many Victims

The report identifies supply chain compromise as the primary and expanding attack vector. Between January 2025 and April 2026, 64 European organizations were caught up in ransomware incidents through third-party compromise. Of these, 53% (34 organizations) trace back to the single attack on August 23, 2025 against Miljödata, a Swedish environmental services provider. The breach exposed data from roughly 200 Swedish municipalities and over 1 million individuals.

The Miljödata case is not anecdotal. It is the prototype of a mechanism Dikbiyik describes as characteristic of the recent evolution: "Some of the most significant ransomware incidents in Europe are defined less by the initial victim than by the scale of their downstream impact across an interconnected ecosystem." The fragmentation of the RaaS ecosystem — from 60 tracked groups in 2023 to 150 in 2026 — amplifies the phenomenon: more independent actors compete to identify critical vendors with access to multiple downstream victims, maximizing the return on attack investment.

"Three forces are converging on European organizations simultaneously: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk" — Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer, Black Kite

Sectors in the Crosshairs: Manufacturing and IT Services as Access Bridges

The manufacturing sector absorbs over 25% of attacks according to Dark Reading (27.9% in Black Kite's primary release), followed by professional, scientific and technical services at 17.8% — particularly IT providers. The choice is not random. Dikbiyik: "Every manufacturer sits inside a larger physical supply chain. Disrupting a physical production line gives the attacker enormous leverage at the negotiating table." For IT services, the logic is dual: "These companies hold direct access to their clients' systems and data. Breach one, and every client they serve is exposed."

Italy, with its fragmented industrial fabric and strong presence of SMEs integrated into global supply chains, posts a 92% increase that places it fourth in absolute incident count. France, at +119%, outpaces Italy in percentage growth while remaining third in absolute volumes. Spain grows 77%. All three share a profile: densely interconnected manufacturing economies with extended and often opaque third-party ecosystems.

The Visibility Paradox: NIS2 and DORA Demand What Companies Don't Have

Black Kite's report arrives amid intense European regulatory activity. NIS2 and DORA impose extended responsibilities on suppliers, making third-, fourth- and fifth-party visibility a compliance requirement, not just a security one. But the gap between the requirement and operational capability is the critical point. Dikbiyik: "You can't manage what you don't see, and most companies don't see beyond their direct vendors. They rarely have an inventory of their fourth and fifth parties. Threat actors map those deeper connections with open source intelligence."

The paradox is clear: stricter regulations create a false sense of security if visibility stops at the corporate perimeter. The risk of cascade attacks through concentrated vendors — like Miljödata in the Swedish public sector — exposes organizations never directly targeted. Compliance without supply chain visibility becomes a declaration of intent devoid of operational substance.

What to Do Now

  • Explicitly map fourth and fifth parties: the report notes that attackers use open source intelligence to trace supply chain connections deeper than victims do
  • Assess vendor risk concentration: the Miljödata case shows a single provider can compromise 34 downstream organizations; identifying vendors with multi-client access is a priority
  • Monitor manufacturing and IT services as entry points: over 45% of attacks concentrate in these two sectors, with different but converging leverage logics
  • Treat the fragmented RaaS ecosystem as an exposure multiplier: 150 active groups imply more actors capable of identifying the same supply chain weak points
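
The first two recommendations can be run against a vendor inventory. The Python below is an added example, not taken from the Black Kite report or the original article: it assigns each supplier its party tier and lists fourth-party-or-deeper suppliers that several direct vendors share. The inventory, all names in it, and the convention that a direct vendor is tier 3 are assumptions.

```python
from collections import deque

# Constructed inventory (all names hypothetical): entity -> suppliers it relies on.
DEPENDS_ON = {
    "our-org": ["payroll-saas", "msp-north", "erp-host"],
    "payroll-saas": ["cloud-a", "hr-data-co"],
    "msp-north": ["cloud-a", "rmm-tool"],
    "erp-host": ["cloud-a"],
    "hr-data-co": ["ocr-api"],
    "rmm-tool": ["ocr-api"],
    "ocr-api": ["dc-colo"],
}

def party_tiers(graph, root):
    """Shortest-path tier per supplier: direct vendors are 3 (third party),
    their suppliers 4 (fourth party), and so on."""
    tiers, seen, queue = {}, {root}, deque([(root, 2)])
    while queue:
        node, tier = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                tiers[dep] = tier + 1
                queue.append((dep, tier + 1))
    return tiers

def reachable(graph, start):
    """Every supplier that `start` depends on, directly or transitively."""
    seen, stack = set(), [start]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def concentration_points(graph, root, min_vendors=2):
    """Fourth-party-or-deeper suppliers shared by several direct vendors,
    widest exposure first: (supplier, tier, [direct vendors relying on it])."""
    tiers, exposure = party_tiers(graph, root), {}
    for vendor in graph.get(root, []):
        for dep in reachable(graph, vendor) - {root}:
            exposure.setdefault(dep, set()).add(vendor)
    rows = [(name, tiers[name], sorted(vs)) for name, vs in exposure.items()
            if tiers[name] >= 4 and len(vs) >= min_vendors]
    return sorted(rows, key=lambda r: (-len(r[2]), r[1], r[0]))

if __name__ == "__main__":
    for name, tier, via in concentration_points(DEPENDS_ON, "our-org"):
        print(f"tier {tier}: {name} is shared by {len(via)} direct vendors: {via}")
```

In the constructed data, `dc-colo` never appears in any direct vendor's contract yet sits behind two of them, which is the kind of dependency the report says most inventories miss.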

Europe as Laboratory: When Regulatory Defense Meets Adaptive Offense

Black Kite's report does not describe a sudden emergency but a structural recalibration. Europe did not become vulnerable overnight; it became optimal. The intersection of wealth, technical exposure, supply chain complexity and relative lag in third-party visibility offers ransomware groups — now more numerous and AI-assisted — an efficient target. The average of 171 incidents per month in the January 2025–April 2026 period suggests Q1 2026 is not an outlier but a new regime.

The question for European organizations is not whether they will be targeted, but whether their security investment has kept pace with attackers' in mapping hidden connections. NIS2 and DORA have raised the bar; the test is whether that standard will be applied where the report shows attackers already operate: beyond the direct vendor boundary, in the folds of the supply chain that companies don't know they have.

Sources

Information verified against cited sources and current as of publication.

Sources and references
  1. darkreading.com
  2. nvd.nist.gov
  3. cisa.gov
  4. prnewswire.com