According to CrowdStrike's Europe Threat Landscape Report 2025, Europe ranks second behind North America as a theater of attack for cybercriminals, nation-state actors and hacktivists, while European organizations account for almost 22% of global ransomware and extortion victims.
Ransomware operations are moving faster than ever thanks to groups tracked by CrowdStrike such as Scattered Spider, which, as is well known, destroyed the Marks and Spencer business this year, increasing the deployment rate by 48%. An average attack now takes only 24 hours.
Attackers are benefiting from underground marketplaces that provide malware-as-a-service, initial access brokering and phishing toolkits, the cybersecurity provider said.
Attackers sponsored by nation states hostile to Western countries, namely Russia, China, North Korea and Iran, have intensified operations in European industrial sectors, reflecting what CrowdStrike describes as the growing convergence of cybercrime and geopolitical threats. Threat experts say academia is a prime target.
Adam Meyers, head of counterattacks at CrowdStrike, said in a statement accompanying the release of the threat report: “The cyber battlefield in Europe is more crowded and complex than ever. We are witnessing a dangerous convergence of criminal innovation and geopolitical ambition, with ransomware teams leveraging enterprise-grade tools and state-backed actors exploiting global crises to disrupt, preserve and espionage. In this high-stakes environment, intelligence-driven defense artificial intelligence and human-powered technology experience is the only combination designed to stop cyber threats.”
The vendor's adversary division is tracking more than 265 named attackers. It noted that since January 1, more than 2,100 victims across Europe have been named on extortion leak sites. Unsurprisingly, the UK, Germany, France, Italy and Spain were the most vulnerable countries, with 92% of cases involving file encryption and data theft.
About 260 initial access brokers (IABs) advertised access to more than 1,400 European organizations, CrowdStrike researchers found. IABs are individual cybercriminals or organized cybercriminal groups that gain unauthorized network access and sell it to other criminals. They play an increasingly important role in the ransomware ecosystem, creating the entry points from which ransomware-as-a-service groups launch attacks.
English and Russian language forums, including BreachForums, the successor to RaidForums, whose administrators were linked to criminals in France and the UK, remain central to the European e-crime ecosystem, CrowdStrike said. According to the report, these forums enable the trafficking of stolen data, malware and criminal services, while platforms such as Telegram, Tox and Jabber facilitate cybercriminal activity.
Alarmingly, criminals are using Telegram-based networks to coordinate physical attacks, kidnappings and extortion related to cryptocurrency theft. Again, according to CrowdStrike, groups associated with what the report calls “The Com” ecosystem, and groups such as Renaissance Spider, combine cyber with physical operations.
Geopolitical front
Chinese state-sponsored attackers have targeted industries in 11 countries, using cloud infrastructure and software supply chains to steal intellectual property, CrowdStrike reports. The group that the vendor calls Vixen Panda is the most serious threat to European governments and defense agencies.
Russian-backed cyberattacks continue to target Ukraine in Putin's war against the country. According to CrowdStrike, credential phishing, intelligence gathering and disruptive operations targeting the government, military, energy, telecommunications and utilities sectors all essentially amount to Russian cyber warfare.
North Korean cyber attackers have expanded their operations against European defense, diplomatic and financial institutions, combining espionage with cryptocurrency theft, according to the vendor's threat intelligence group.
Meanwhile, Iran-backed Restless Kitten claimed responsibility for what researchers believe was a DDoS attack on a Dutch news publication.
					
			




