Summary
Ransomware operators are increasingly turning their attention to Europe. Security firm Black Kite logged 684 ransomware attacks across the continent in the first four months of 2026 — a 55% jump over the same window in 2025 — and warns that European organizations are being hit not only directly but through compromises of their suppliers. Researchers attribute the surge to a glut of activity in the US market, AI-assisted target selection, and a fragmented threat landscape that ballooned after law enforcement dismantled the biggest ransomware-as-a-service (RaaS) brands.
A rebound after the lull
Following a relative slowdown in 2024 and 2025, the RaaS ecosystem appears to be regaining momentum in Europe. Black Kite counted 684 incidents on the continent through the first four months of 2026, compared with 441 over the equivalent period in 2025 — and that four-month tally already exceeds the 643 attacks the firm recorded across the entire first half of 2025.
Historically, Europe has trailed the perennial leaders. "Globally, the US absorbs almost half of all ransomware victims. Canada and the UK have traded second place. Europe was a step behind. Now that's shifting," Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, told Dark Reading.
He points to two drivers. The first is saturation: the US market has become crowded, pushing some crews to look elsewhere. The second, in his assessment, is automation on the attacker side: "[Attackers'] own artificial intelligence (AI)-assisted target research is starting to point them at Europe. The stealer logs are there. The unpatched vulnerabilities are there. The money is there. Smaller countries may run weaker defenses, but the big economies offer the full package: wealth and exposure together. The question isn't why ransomware groups target the major EU powers; it's why would you not?"
How a power vacuum became a volume problem
The intensity of ransomware during the COVID-19 pandemic eventually forced a coordinated law-enforcement response. Between 2022 and 2025, authorities in the US and elsewhere — with even Russia briefly participating — disrupted or shut down marquee operations such as Conti, Hive, LockBit, and AlphV, alongside second-tier outfits including Babuk, BianLian, Cactus, and RansomHub. Those takedowns scattered operators rather than eliminating them.
"Ransomware never really went away, but the major players took a hit. That created a power vacuum. What refilled the vacuum is volume," Dikbiyik explained. The fragmentation is visible in the numbers: during ransomware's 2023 peak, Black Kite tracked 60 active groups. Today it follows roughly 150.
Where the attacks are landing
The growth isn't spread evenly. Through the first third of 2026, 68.5% of European incidents struck the five largest markets — the UK, Germany, France, Italy, and Spain. Large, wealthy economies naturally draw more attacks, but the rate of increase stands out given how much volume these countries already absorb each year:
- France: up 119% versus the same period in 2025
- Italy: up 92%
- Spain: up 77%
Smaller economies saw even sharper percentage swings, including a 433% rise in Turkey, 333% in Romania, and 217% in Poland. Even so, Black Kite reads "no meaningful pattern" into those figures and sees no broad pivot toward smaller, less-defended markets.
By sector, more than a quarter of European ransomware attacks from January 2025 through April 2026 hit manufacturing, while another 17.8% landed on professional, scientific, and technical services firms — most prominently digital services providers.
Dikbiyik argues both targets share a common appeal: downstream supply-chain leverage. "Every manufacturer sits inside a larger supply chain. Disrupt a physical production line and you hand the attacker enormous leverage at the negotiating table," he said. For technology providers, the calculus is access: "These firms hold direct access to client systems and data. Breach one, and every client it serves is exposed."
The supplier problem: Miljödata as the model
The clearest illustration, according to Dikbiyik, is the Miljödata breach of Aug. 23, 2025. By compromising a single IT and HR systems provider, attackers reached data belonging to roughly 200 downstream Swedish municipalities along with several universities and corporations — affecting more than 1 million individuals.
If attacks delivered through suppliers keep rising, Dikbiyik says organizations will need to account for risk well beyond their immediate vendors — extending to fourth-, fifth-, and nth-party relationships. "You can't manage what you can't see, and most companies can't see past their direct vendors. They rarely have an inventory of their fourth and fifth parties. Threat actors map those deeper connections with open source intelligence," he said.
He frames third-party exposure as two distinct problems:
- Concentration risk: Multiple vendors share the same vulnerability, or all depend on a single insecure upstream provider — a situation no single vendor call can resolve. Miljödata represented a concentration risk to the Swedish public sector.
- Cascading risk: A breach at one supplier opens a path into vendor n-1, n-2, and so on until attackers reach the ultimate target. Dikbiyik cites ShinyHunters as a specialist in these chained campaigns, including its recent activity involving Oracle PeopleSoft.
His prescribed response is to act ahead of incident notifications: "You don't wait for the breach notification. You go to your direct vendor, surface the dependency, and press them on it. Does that fourth party have a backup? Can they move off a concentrated provider?" The organizations that stay resilient, he argues, are "the ones ranking vendors by risk before the breach, not after."
Technical background: how supply-chain ransomware leverage works
The following is general context on this class of attack, not specific to any incident above.
Supply-chain ransomware campaigns exploit the trust and connectivity between an organization and its service providers. A managed service provider (MSP), HR/IT platform, or software vendor typically holds privileged, often automated access into many customer environments — remote-management agents, API tokens, federated identities, or VPN tunnels. Compromising that one provider can therefore grant an attacker a force-multiplied foothold across every downstream tenant.
A typical chain looks like this:
- Initial access to the provider — frequently via credentials harvested by infostealer malware (the "stealer logs" Dikbiyik mentions), phishing, or an unpatched internet-facing vulnerability.
- Privilege escalation and discovery, where the attacker maps the provider's client connections and management tooling.
- Lateral movement into customers by abusing the provider's legitimate access paths (RMM tools, deployment pipelines, or shared credentials), which often blend in with normal administrative traffic.
- Impact — data theft for extortion and/or encryption, sometimes pushed simultaneously to many victims through the provider's own software-distribution mechanisms.
Defenders can reduce exposure to this pattern with practices such as:
- Maintaining an inventory that maps not just direct vendors but their critical dependencies (fourth/fifth parties).
- Enforcing least privilege and short-lived, scoped credentials for any vendor that holds access into your environment.
- Requiring phishing-resistant MFA on all remote-access and management tooling.
- Monitoring for anomalous use of legitimate RMM and deployment tools — a common living-off-the-land technique in these campaigns.
- Keeping offline, tested backups so that a provider-side encryption event does not force payment.
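As an added example (not Black Kite's tooling or any code from the article), the following Python models the vendor inventory from the list above as a dependency graph over constructed, hypothetical suppliers: it assigns third-, fourth- and fifth-party tiers, flags concentration risk (one upstream shared by several direct vendors) and traces the cascading path a breach at a distant supplier would follow back to the organization, the two problems Dikbiyik describes.

```python
from collections import defaultdict, deque

# Constructed dependency edges (dependent -> upstream). "self" is the assessing
# organisation; every other name is a hypothetical supplier, not a real company.
EDGES = [("self", "vendor-a"), ("self", "vendor-b"), ("self", "vendor-c"),
         ("vendor-a", "hr-platform"), ("vendor-b", "hr-platform"),  # shared upstream
         ("vendor-c", "devops-saas"), ("devops-saas", "cloud-host")]  # fifth party

def build_graph(edges):
    """Forward map (dependent -> upstreams) and reverse map (upstream -> dependents)."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for dependent, upstream in edges:
        fwd[dependent].add(upstream)
        rev[upstream].add(dependent)
    return fwd, rev

def party_tiers(fwd, root="self"):
    """BFS from root: direct vendors are third parties, their vendors fourth, and so on."""
    tiers, seen, queue = {}, {root}, deque([(root, 2)])
    while queue:
        node, party = queue.popleft()
        for up in fwd.get(node, set()) - seen:   # unseen upstreams of this node
            seen.add(up)
            tiers[up] = party + 1
            queue.append((up, party + 1))
    return tiers

def concentration_risks(fwd, root="self"):
    """Upstream providers reachable through more than one direct vendor."""
    reached = defaultdict(set)
    for direct in fwd.get(root, set()):
        for up in party_tiers(fwd, direct):
            reached[up].add(direct)
    return {up: sorted(v) for up, v in reached.items() if len(v) > 1}

def cascade_path(rev, breached, root="self"):
    """Shortest chain a breach at `breached` would cascade through to reach root."""
    parent, queue = {breached: None}, deque([breached])
    while queue:
        node = queue.popleft()
        if node == root:                          # walk parents back to the breach
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for dep in rev.get(node, set()) - set(parent):
            parent[dep] = node
            queue.append(dep)
    return []                                      # breach cannot reach root
```

Feeding a real inventory in as `(dependent, upstream)` pairs gives the same three views: which tier each supplier sits in, which upstreams no single vendor conversation can resolve, and which chain a given supplier breach would travel.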
For organizations concerned about cascading and concentration risk, the practical takeaway from Black Kite's research is the same: rank suppliers by risk and probe their dependencies before an incident, rather than reacting to a breach notice after the damage is done.