IT Brief UK - Technology news for CIOs & IT decision-makers
Ransomware hits European suppliers as attacks surge 55%

Mon, 29th Jun 2026
Mark Tarre, News Chief

Black Kite has published a report on ransomware and third-party cyber risk in Europe. The study found that ransomware incidents in the region rose 55.1% year on year in the first four months of 2026.

The report examines publicly disclosed incidents across 31 European countries between January 2025 and April 2026. Attacks averaged 171 incidents a month in early 2026 and were heavily concentrated in a small number of large markets.

Germany recorded 370 incidents, or 17.9% of the total tracked in the study. The United Kingdom followed with 347 incidents, or 16.8%, while France, Italy and Spain recorded 255, 240 and 203 incidents respectively.

Together, those five countries represented nearly 70% of all ransomware activity recorded in the research. The findings point to a regional threat picture centred on Europe's largest economies, where large corporate bases and broad supplier networks create a wider field for attackers.

Supplier exposure

A central theme in the report is the role of suppliers as an entry point for attacks. Black Kite found that 64 European organisations were caught up in ransomware or data extortion incidents through a third party rather than through a direct compromise of their own systems.

More than half were linked to a single incident involving Swedish software supplier Miljödata. The study says the breach affected about 250 customers, including around 200 municipalities and regions, as well as companies and universities, and exposed the personal data of more than one million individuals.

The case shows how the effects of one supplier breach can spread well beyond the first victim. Public services and organisations that were not directly targeted still suffered disruption and data exposure through their dependence on a shared provider.

The sector data in the report reflects that pattern. Manufacturing was the most affected sector at 27.9%, while professional, scientific and technical services accounted for 17.8%. Within that group, IT service providers were the most targeted sub-industry.

That matters because a successful attack on a supplier can expose multiple customers at once. Rather than focusing only on one company's internal systems, ransomware groups can achieve wider impact by targeting businesses at the centre of customer networks, such as payroll providers, software vendors, logistics firms and other outsourced service providers.

Threat groups

The report identifies Qilin, Akira and SafePay as among the most active ransomware groups in Europe during the period studied. Qilin was the most active overall and was linked to incidents in 26 of the 31 countries analysed.

That geographic spread sets Qilin apart from groups with a narrower regional focus. SafePay, for example, showed a more concentrated pattern, with more than half of its European activity directed at German organisations.

The contrast suggests ransomware groups are not following a single playbook across Europe. Some are pursuing broad campaigns across multiple national markets, while others are concentrating efforts where industry structure, language familiarity, victim density or supplier dependence may improve their chances of success.

Regulatory pressure

The findings come as European organisations face tighter scrutiny over how they manage cyber risk beyond their own operations. The report points to frameworks including NIS2, DORA, CER and the Cyber Resilience Act, which raise expectations for companies to assess and oversee cyber exposure across supplier ecosystems.

That shift means cyber risk management is moving beyond technical defence inside the perimeter and towards governance of external relationships. Boards, risk teams and compliance functions are under pressure to show they understand where supplier weaknesses lie and how those weaknesses could affect core operations, customer data and public services.

Black Kite said its research was based on ransomware tracking, vendor ecosystem analysis, the European regulatory landscape and cyber risk telemetry. The study covered the 27 European Union member states as well as the United Kingdom, Switzerland, Norway and Turkey.

Dr Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite, said the findings show several pressures bearing down on organisations at once. "Three forces are converging on European organisations at once: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk," he said.

He said the most serious incidents often extend beyond the first company hit. "Our research shows that some of Europe's most significant ransomware incidents are defined less by the initial victim than by the scale of their downstream impact across an interconnected ecosystem. As regulations like NIS2 and DORA continue to reshape expectations, organisations are under growing pressure to demonstrate a deeper understanding of the cyber risk that exists across their supplier ecosystem. Understanding where risk is concentrated, and how it can spread, is becoming essential for building resilience," Dikbiyik said.