Ransomware attacks surge in Europe as third-party suppliers become primary entry point
Black Kite's 2026 European Cyber Risk Report reveals a 55% increase in ransomware incidents, with third-party suppliers emerging as a major attack vector across 31 countries.
Ransomware attacks against European organizations surged during the first months of 2026, with third-party suppliers becoming a primary entry point for attackers, according to Black Kite's 2026 European Cyber Risk Report. The report analyzed 2,066 ransomware incidents across 31 countries between January 2025 and April 2026, revealing a 55.1% increase in publicly disclosed incidents from January to April 2026 compared to the same period in 2025. The average monthly number of incidents rose from 108 during the first half of 2025 to 171 during the first four months of 2026.
Germany recorded the highest number of incidents, followed by the UK, France, Italy, and Spain. These five countries accounted for nearly 70% of all recorded ransomware incidents. Manufacturing was the hardest-hit sector, accounting for 27.9% of publicly disclosed incidents. IT services ranked among the primary targets because attacks on service providers can affect many downstream customers. Professional services, healthcare, retail, and transportation also remained frequent targets as cybercriminals increasingly focused on organizations with broad digital connections and high operational impact.
The Qilin ransomware group operated in 26 of the 31 countries included in the analysis, giving it the widest geographic reach among the groups covered. The report identified 64 organizations that were compromised through third-party incidents. In one case, a breach at a software provider affected dozens of downstream organizations and exposed the personal data of more than one million people, demonstrating how a single supplier can trigger widespread disruption.
"Three forces are converging on European organisations at once: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk," said Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite. European cybersecurity regulations such as NIS2 and DORA are making organizations more accountable for the cyber risks posed by their suppliers. These frameworks require organizations to assess, monitor, and manage supplier cyber risk as part of operational resilience programs.
Dikbiyik noted that some of Europe's most significant ransomware incidents were defined by their downstream impact across interconnected organizations. He added that NIS2 and DORA were increasing pressure on organizations to better understand cyber risk across their supplier ecosystems and identify where risk is concentrated. The report underscores the need for organizations to prioritize third-party risk management as ransomware continues to accelerate across the continent.