Breaking: Germany Overtakes UK as Top European Target for Ransomware Attacks
Germany has reclaimed its position as the primary focus of cyber extortion in Europe, with data leak site (DLS) posts nearly doubling in 2025. According to Google Threat Intelligence (GTI), German organizations saw a staggering 92% increase in leaked data compared to 2024—triple the European average. This surge marks a sharp reversal from the relative calm of 2024, when the United Kingdom led in DLS victims.
"Germany is once again under siege from cyber criminal groups," said Jamie Collier, a senior threat analyst at GTI. "The speed and scale of this resurgence have caught many off guard, and it reflects a deliberate pivot by attackers targeting the country's advanced, digitized industrial base."
The uptick in German attacks is part of a broader global trend: DLS posts rose nearly 50% worldwide in 2025. However, GTI data reveals that German infrastructure is being hit harder and faster than any other European nation.
Why Germany? A 'Ripe Market' for Extortion
Germany's appeal to threat actors is not due to its sheer number of companies—France and Italy have more active enterprises. Instead, its status as Europe's largest economy with a highly digitized Mittelstand (small and midsized enterprises) makes it a prime target. Many of these firms lack the robust cybersecurity defenses seen in larger North American or UK corporations.
"The German Mittelstand is a 'ripe market' for extortion groups," explained Robin Grunewald, a GTI researcher. "These companies are profitable, digitally connected, but often underprepared for sophisticated ransomware attacks."
Background: The Cyber Criminal Shift from English to Non-English Speaking Nations
After a period where UK-based organizations dominated DLS postings in 2024, the landscape has flipped. Non-English speaking nations—particularly Germany—are now experiencing a surge, while postings for UK targets have cooled. This shift is driven by two key developments.
- AI-Powered Localization: Cyber criminals are using artificial intelligence to automate high-quality translations and cultural adaptations of their phishing and ransom notes. This erodes the historical protection that language barriers once provided.
- Evolving Victim Profiles: Larger "big game" targets in the U.S. and UK have improved their security postures or turned to cyber insurance to resolve incidents privately. As a result, threat actors are moving down the value chain to German Mittelstand companies that are less likely to have insurance and more likely to pay ransoms quickly.
GTI's Threat Intelligence Group (GTIG) has observed multiple criminal groups actively recruiting access brokers to infiltrate German companies. For instance, the threat actor known as Sarcoma has been targeting businesses in Germany since November 2024, offering a cut of extortion fees to those who provide initial access.
What This Means: Urgent Implications for Germany and Europe
The 92% spike in German data leaks signals a fundamental shift in cyber criminal strategy. With AI lowering the barriers to effective targeting, no region can rely on linguistic isolation. German authorities and businesses must treat this as a systemic threat, not a temporary spike.
"This is a wake-up call for the entire European ecosystem," said Collier. "Investments in cyber resilience, employee training, and incident response are no longer optional—they are existential."
Organizations should prioritize patching known vulnerabilities, implementing multi-factor authentication, and segmenting networks to limit the blast radius of an attack. The German government may also need to consider new reporting requirements for ransomware incidents, as underreporting remains a significant challenge.
For the Mittelstand, the path forward is clear: adopt the cybersecurity frameworks used by larger peers, or face a growing risk of extortion, data leaks, and reputational damage. The window to act is narrowing.