The year 2025 was a period of change in the tactics of cybercriminal groups. The threat landscape in Europe evolved toward more precise, targeted operations, while organizations simultaneously became more resilient to traditional ransom extortion methods. Below, we present key data and trends summarizing the past year.
The threat landscape in the European Union
According to data collected in the ENISA Threat Landscape 2025 report and year-end market analyses, the structure of incidents in the EU was as follows:
- dominance of DDoS attacks: these accounted for 77% of all reported events, serving as the main tool for hacktivist groups. Although their scale was massive, actual service disruption was recorded in only 2% of cases (Source: ENISA 2025),
- ransomware as the primary threat: as many as 81.1% of cyber incidents involved ransomware. Over the course of the year, more than 100 active variants were identified (Source: ENISA 2025),
- dominance of professionals: the cybercrime market was dominated by two major groups, Akira (34% of attacks) and Qilin (10%). By the end of 2025, smaller hacking teams began merging with larger entities. For companies, this means facing a better-organized adversary, one with a budget for breaking through security defenses and one that makes fewer technical errors, which in turn makes data recovery more difficult.
Profitability of attacks in 2025
Data from the final quarter of the year confirms the following trends in the fight against extortion:
- the percentage of victims paying ransoms maintained a downward trend, reaching a record low of 21% in Q4 2025 (Source: Coveware Q4 2025),
- drop in average ransom: following a 66% drop in the average payment amount in the third quarter (to USD 376,941), data from Q4 2025 confirms that cybercriminals are increasingly targeting smaller entities where amounts are lower but easier to enforce (Source: Coveware Q3 2025; Coveware Q4 2025),
- data exfiltration (theft): in 2025, file encryption alone ceased to be enough for criminals. The standard became so-called double extortion, which relies on a precise sequence of actions:
  - theft: first, hackers quietly copy sensitive data from the company to their servers,
  - encryption: only after securing the "loot" do they lock the victim's systems,
  - blackmail: they issue an ultimatum: "If you do not pay the ransom for decryption, we will publish your stolen data on the Internet".
This represents a significant change in the modus operandi of cybercriminals over the years: in earlier years, encryption alone was the primary tactic. This is precisely why exfiltration is so dangerous: it transforms a primarily technical problem (data recovery) into a legal and reputational one (GDPR data leaks, loss of client trust).
State threats and new tactics
The year 2025 also brought an intensification of APT (Advanced Persistent Threats) activities linked to Russia and China. Unlike typical cybercriminals who attack for quick profit, these groups operate quietly and over the long term, capable of hiding within a victim's systems for months to steal state or economic secrets. The CERT-EU report indicates that 44% of monitored incidents were espionage-related (Source: CERT-EU 2025).
A new, disturbing trend that solidified towards the end of 2025 is the active recruitment of employees (insiders) by groups such as Medusa. Commissions reaching 15% of the ransom value were offered for sharing credentials to the corporate network (Source: Coveware Q3 2025; Coveware Q4 2025). The sectors most at risk are public administration, energy (over 4,000 incidents annually), and healthcare (Source: CERT Polska; Eurelectric/EnergiCERT).
We will publish our recommendations and checklist in our next article.