IT Brief UK - Technology news for CIOs & IT decision-makers
Ransomware & state threats surge in Europe, warns CrowdStrike

Tue, 4th Nov 2025

The latest CrowdStrike 2025 European Threat Landscape Report indicates that European organisations represented nearly 22% of global ransomware and extortion victims, ranking second after North America.

The annual report, based on data and intelligence compiled by CrowdStrike's Counter Adversary Operations team, identifies a record pace of ransomware attacks and an increase in both criminal and nation-state activity across the continent.

Ransomware surge

CrowdStrike found that ransomware operations in Europe have accelerated substantially. Groups such as SCATTERED SPIDER have increased their speed of deployment by 48%, with the average ransomware attack now executed in just 24 hours. Since the start of 2024, more than 2,100 victims across Europe have been listed on extortion leak sites, with the United Kingdom, Germany, France, Italy, and Spain noted as the most targeted countries. The report states that in 92% of the cases, cybercriminals combined file encryption with data theft.

One factor identified in the rapid increase is the emergence of initial access brokers. CrowdStrike tracked 260 such brokers who marketed access to over 1,400 European organisations, fuelling what is often described as "Big Game Hunting" for large enterprises.

Expanding nation-state threats

The CrowdStrike report highlights that state-sponsored groups from Russia, China, North Korea, and Iran, referred to as the "Big Four," have broadened their targeting of critical European sectors. Russian-affiliated actors continued to focus on Ukraine, utilising credential phishing and destructive activities aimed at government, military, energy, telecom, and utilities sectors. North Korea-linked groups intensified efforts against European defence, diplomatic, and financial institutions, combining espionage with attempts at cryptocurrency theft to further strategic goals.

The report notes that Chinese state-sponsored actors targeted industries in 11 European countries, exploiting cloud systems and supply chains to steal intellectual property, with persistent campaigns especially in healthcare and biotechnology. VIXEN PANDA, in particular, emerged as a significant threat to European government and defence entities.

Iranian-linked actors also increased activity in Europe. According to the report, IRGC-associated groups stepped up phishing, hack-and-leak, and distributed denial-of-service (DDoS) campaigns. Notably, HAYWIRE KITTEN claimed responsibility for a DDoS attack against a news outlet in the Netherlands, and multiple Iranian nexus actors operated under the guise of hacktivist groups to obscure espionage objectives.

Underground crime ecosystems

Investigators found that English- and Russian-language underground forums remain central to Europe's eCrime marketplace. Platforms such as BreachForums, described as a successor to the closed RaidForums and administered by individuals allegedly linked to France and the United Kingdom, enable the exchange of stolen data, malware, and criminal services. Communication and collaboration among threat actors are further facilitated through messaging platforms including Telegram, Tox, and Jabber.

Hybrid criminal techniques

The report draws attention to the growth of what is described as "Violence-as-a-Service." Criminal groups have used Telegram-based networks to orchestrate not only cyberattacks but also physical attacks, extortion, kidnappings, and activities linked to cryptocurrency theft. In particular, links are detailed between "The Com" criminal ecosystem and hybrid adversaries such as RENAISSANCE SPIDER, which bridge digital and physical crime by offering payments for sabotage, arson, and targeted violence.

Expert analysis

"The cyber battlefield in Europe is more crowded and complex than ever," said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. "We're seeing a dangerous convergence of criminal innovation and geopolitical ambition, with ransomware crews using enterprise-grade tools and state-backed actors exploiting global crises to disrupt, persist, and conduct espionage. In this high-stakes environment, intelligence-led defence powered by AI and guided by human expertise is the only combination designed to stop cyber threats."

According to CrowdStrike, its research draws on the tracking of over 265 named adversary groups, providing what the report claims is the most comprehensive view yet of the region's threat landscape.
