Ransomware

Europe Recorded 684 Ransomware Attacks in Four Months. Manufacturing Is the Primary Target.

Europe Recorded 684 Ransomware Attacks in Four Months. Manufacturing Is the Primary Target.

Europe is now the most targeted region in the world for ransomware and the numbers from the first four months of 2026 make that difficult to argue with. Dark Reading tracked 684 publicly known ransomware attacks across Europe between January and April 2026, a 55% increase on the same period in 2025. That works out to roughly six confirmed attacks every single day and the word publicly known is doing a lot of work in that sentence. Attacks that victims quietly paid to suppress are not in this count.

Italy, France and Spain recorded the sharpest increases among individual countries. Dark Reading and Infosecurity Magazine both flagged manufacturing as the most targeted sector across the continent during this period, consistent with the pattern Rapid7 identified in their SAP NetWeaver incident response data from the same months. Ransomware groups follow the same logic espionage actors do, manufacturing firms carry high operational pressure to restore systems fast, have complex supply chains that create multiple entry points and have historically underinvested in detection capability relative to financial services.

The 55% Figure Needs a Source Caveat

Victims who paid ransoms quickly, whose attacks were never reported to authorities, or whose incidents were suppressed under non-disclosure agreements are absent. The European Union Agency for Cybersecurity, ENISA and national CERTs do not yet publish consolidated ransomware frequency data at this granularity, so Dark Reading’s methodology is the best available public measure, not a definitive count.

The 55% figure is still significant even as an undercount. The trend direction is not in dispute. The European Parliament Research Service published a separate briefing in early 2026 confirming a substantial upward trajectory in ransomware incidents across member states, corroborating the directional finding without independently verifying the specific percentage.

Geopolitics and the RaaS Ecosystem Are Pushing the Numbers Up

Two structural factors are driving the increase and they are compounding each other.

The Russia-Ukraine conflict has reshaped the ransomware-as-a-service ecosystem in ways that are still working through the system. Sanctions, seized infrastructure and the fragmentation of groups like LockBit and BlackCat have not reduced overall attack volume. They have dispersed it. Smaller affiliate groups operating under reconstituted or rebranded RaaS platforms have filled the gap, often with less discipline about target selection and less interest in avoiding critical infrastructure. The result is more attacks, more broadly distributed.

The second factor is regulatory. NIS2 is now in force across most of the EU and DORA applies to financial entities from January 2025. Both frameworks require mandatory incident reporting within tight windows. For ransomware groups, mandatory reporting changes the economics of an attack. A victim who must notify their national authority within 24 hours of a significant incident and who faces fines for failure to do so, is in a fundamentally different negotiating position than one who could quietly assess options over a week. Some security analysts argue that mandatory reporting reduces the victim’s leverage and increases pressure to pay quickly. Whether that is translating into higher payment rates is not confirmed by any public data at this point.

NIS2 Enforcement Creates a Compliance Floor, Not a Security Ceiling

There is a risk that boards currently focused on NIS2 compliance treat it as the destination. It is not. Article 21 of the Directive requires risk assessments, documented security measures, incident response capability, supply chain controls, MFA, encryption and business continuity planning. Those are the floor. A manufacturing company that meets every Article 21 requirement but has not segmented its operational technology network from its IT environment is compliant and still highly vulnerable to ransomware operators who have spent years specifically targeting that gap.

DORA which applies to financial entities and their critical ICT third-party providers includes specific requirements for digital operational resilience testing including threat-led penetration testing for significant institutions. That is a more demanding bar than NIS2’s baseline and it is the right model for sectors that ransomware groups now treat as high-value targets.

The Nordic Angle Has a Specific Shape

The source data provided for this article does not name a specific Nordic company with a confirmed ransomware incident in this period and inventing one would be straightforwardly wrong. What can be said accurately is this, Sweden’s Cybersäkerhetslagen entered into force on 15 January 2026 and MSB has not yet published the full implementing regulations. Swedish manufacturing companies that fall under NIS2’s essential or important entity classification are operating in a period where their legal obligations are defined but the supervisory framework is still being finalized. That creates a specific compliance risk, boards that are waiting for MSB guidance before acting are behind organizations in Denmark and Finland that have been operating under enforcement since July 2025.

Swedish manufacturing exporters with operations or customers in France, Italy or Spain are directly exposed to the supply chain dynamics driving this surge. If a tier-one customer or logistics partner is hit by ransomware, the operational disruption crosses borders regardless of where the victim’s servers are.

Three Decisions Before the Next Board Meeting

Ransomware resilience is not primarily a technical problem at this point. The technical controls are well understood. The failure mode in most incidents is organizational, slow detection, no tested recovery plan, IT and OT environments that were never properly separated and backup systems that were connected to the network the attacker already controlled.

Test your backups against a realistic ransomware scenario this quarter, not against hardware failure. The specific question to answer is whether your organization can restore critical systems from offline backups within a timeframe that does not force a ransom payment decision. Most organizations have not tested this. Some will discover their backup systems were encrypted along with everything else.

Map your supply chain exposure before your suppliers do it for you. If you provide components, software or services to a manufacturing company in France, Italy or Spain, ask your customer what their incident response plan covers and whether it includes supplier notification. If you cannot answer that question about your own suppliers, you have a gap.

If your organization falls under NIS2 and you do not yet have a tested incident notification workflow that reaches both your board and the relevant national authority within 24 hours, build one before the first enforcement actions land. The supervisory authorities in Denmark and Finland have been operational since July 2025. Early enforcement cases will define what adequate looks like for everyone else.

References

  1. Europe Evolves Into Ransomware’s Favorite Region
  2. Major Increase in Ransomware Attacks Targeting Europe
  3. Ransomware Resilience – Strategic Targets and Rising Trends
  4. NIS2 Directive Full Text: Article 21
  5. Global Cybersecurity Outlook 2026

This post is also available in: Svenska

Erik Berg

Erik Berg is CTO and Principal Security Architect at eBuilder Security, with more than a decade in blue team security operations across the private and public sectors, and a focus on emerging threats including the security risks that come with AI.