HelpnetSecurity

Ransomware gangs find Europe’s weakest link in third-party suppliers


Ransomware attacks against European organizations increased during the first months of 2026, with third-party suppliers becoming a major entry point for attackers. Black Kite examined 2,066 ransomware incidents across 31 countries between January 2025 and April 2026 in its 2026 European Cyber Risk Report.

Country distribution of ransomware attacks (Source: Black Kite)

“Three forces are converging on European organisations at once: ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third-party risk,” said Dr. Ferhat Dikbiyik, Chief Research and Intelligence Officer, Black Kite.

Publicly disclosed incidents increased 55.1% between January and April 2026 compared with the same period in 2025. The average monthly number of incidents rose from 108 during the first half of 2025 to 171 during the first four months of 2026.

Germany recorded the highest number of incidents. The UK, France, Italy, and Spain followed. These five countries accounted for nearly 70% of all recorded ransomware incidents. Manufacturing was the hardest-hit sector. IT services ranked among the primary targets because attacks on service providers can affect many downstream customers.

The Qilin ransomware group operated in 26 of the 31 countries included in the analysis, giving it the widest geographic reach of the ransomware groups covered by the research.

Manufacturing accounts for the largest share of incidents

Manufacturing accounted for 27.9% of publicly disclosed ransomware incidents, making it the most targeted industry. IT services ranked as the most targeted subindustry because compromising a single provider can give attackers access to multiple downstream customers. Professional services, healthcare, retail, and transportation also remained frequent ransomware targets as cybercriminals increasingly focused on organizations with broad digital connections and high operational impact.

Third-party compromises are becoming a major source of cyber risk across Europe. Instead of attacking organizations directly, cybercriminals target suppliers and service providers to reach multiple victims through a single breach.

The report identified 64 organizations that were compromised through third-party incidents. In one case, a breach at a software provider affected dozens of downstream organizations and exposed the personal data of more than one million people, demonstrating how a single supplier can trigger widespread disruption.

Regulations place greater emphasis on supplier security

European cybersecurity regulations are making organizations more accountable for the cyber risks posed by their suppliers. Frameworks including NIS2 and DORA require organizations to assess, monitor, and manage supplier cyber risk as part of operational resilience programs. Organizations must demonstrate that they understand how supplier vulnerabilities could affect their operations and have processes in place to identify, assess, and reduce those risks.

Dikbiyik said some of Europe’s most significant ransomware incidents were defined by their downstream impact across interconnected organizations. He added that NIS2 and DORA were increasing pressure on organizations to better understand cyber risk across their supplier ecosystems and identify where risk is concentrated.


