Overview
- Europe accounted for nearly 22% of entities named on cybercriminal leak sites, with about 2,100 Europe-based victims listed since January 2024.
- The UK saw the highest concentration of victims, followed by Germany, Italy, France and Spain, with manufacturing, professional services, technology, industrials and engineering, and retail most targeted.
- Akira (167) and LockBit (162) led the ransomware groups tracked, followed by RansomHub (141) and others, as CrowdStrike also reported average ransomware attacks now completing in about 24 hours with faster deployment by crews such as Scattered Spider.
- CrowdStrike observed 260 initial access brokers offering entry to over 1,400 European organizations, with common tradecraft including backup credential dumping, remote encryption from unmanaged systems and Linux ransomware targeting VMware ESXi.
- Voice phishing and fake CAPTCHA pages featured in more than 1,000 incidents affecting Europe-based organizations, and a parallel rise in violence-as-a-service produced 17 physical extortion cases since 2024, prompting a Europol taskforce.