CrowdStrike report shows ransomware surging across Europe
European organizations are encountering ransomware at a record pace, according to CrowdStrike’s 2025 European Threat Landscape Report. The new study found that Europe accounted for nearly 22 percent of global ransomware and extortion victims, second only to the US.
With attacks taking just 24 hours on average, the report shows a worryingly aggressive and complex threat for businesses and governments across the region.
SEE ALSO: Delay responding to email breaches likely to lead to ransomware attacks
The findings were announced at Fal.Con Europe 2025 in Barcelona. CrowdStrike said adversaries such as Scattered Spider had slashed the timeline from breach to extortion, increasing ransomware deployment speed by 48 percent.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said, “The cyber battlefield in Europe is more crowded and complex than ever. We’re seeing a dangerous convergence of criminal innovation and geopolitical ambition, with ransomware crews using enterprise-grade tools and state-backed actors exploiting global crises to disrupt, persist, and conduct espionage. In this high-stakes environment, intelligence-led defense powered by AI and guided by human expertise is the only combination designed to stop cyber threats.”
The report suggests the rise in activity is linked to the growth of underground markets that offer Malware-as-a-Service, phishing toolkits, and access brokerage.
Ransomware economy
CrowdStrike analysts said that 260 initial access brokers advertised to more than 1,400 European organizations, feeding the ransomware economy.
Since early 2024, more than 2,100 victims across Europe were named on extortion leak sites, with the UK, Germany, France, Italy, and Spain among the most frequently targeted countries.
State-sponsored adversaries have also expanded their European operations. Unsurprisingly, Russia-linked groups continued campaigns against Ukraine and neighboring states, focusing on credential theft and intelligence gathering.
Bad actors associated with North Korea widened their reach into defense and finance sectors, combining espionage with cryptocurrency theft.
Chinese operators concentrated on healthcare, biotechnology, and government systems in 11 countries, with Vixen Panda named as a leading threat actor.
Iranian groups linked to the IRGC launched phishing and DDoS attacks against organizations in the UK, Germany, and the Netherlands, often disguising espionage as hacktivism.
The report suggests that criminal networks are blurring lines between cyber and physical violence and CrowdStrike noted the rise of Violence-as-a-Service schemes on Telegram, where groups tied to “The Com” ecosystem and hybrid actors like Renaissance Spider coordinate physical attacks, kidnappings, and sabotage for cryptocurrency payments.
English and Russian language forums, including BreachForums, remain central to Europe’s cybercrime infrastructure, supporting data trading, recruitment, and monetization.
CrowdStrike’s intelligence indicates that ransomware and state-backed attacks are increasingly interconnected. European targets, from energy providers to technology firms, face simultaneous pressures from profit-driven and politically motivated adversaries.
What do you think about the surge in ransomware across Europe? Let us know in the comments.