Ransomware attacks rose 55.1% year‑over‑year in the first four months of 2026 and reached an average of 171 incidents per month, according to analysis published by Black Kite.
Black Kite’s headline numbers
Black Kite’s 2026 European Cyber Risk Report, published on June 25, found a sharp uptick in publicly disclosed ransomware incidents across Europe. The company’s analysis showed a 55.1% increase in the first four months of 2026 compared with the prior year, with an average of 171 recorded incidents per month during that period. The report also identified a concentrated geographic pattern: five countries — Germany (18%), the UK (17%), France (12%), Italy (12%), and Spain (10%) — together accounted for 70% of all recorded ransomware incidents in the dataset.
Qilin, Akira and SafePay: the leading ransomware families
The most common ransomware family in Black Kite’s dataset was Qilin. Qilin targeted organizations in 26 of the 31 countries analyzed and was behind 372 recorded incidents — more than twice the activity attributed to the next most prominent family, Akira, which accounted for 159 incidents. SafePay was third with 80 reported incidents, but Black Kite noted that SafePay activity was geographically concentrated, appearing to focus on Germany rather than spreading broadly across the continent.
Manufacturing, regional hubs and the cost of disruption
Manufacturing emerged as the most targeted sector in the report, accounting for 28% of all ransomware incidents across Europe. Black Kite linked SafePay’s German focus to the country’s industrial heartlands — naming regions such as the Ruhr Valley and Bavaria — which are major hubs for manufacturing and industrial companies. The report underscored how the impact of attacks on major manufacturers can ripple beyond a single firm: Black Kite cited the Jaguar Land Rover incident in 2025 as an example of a disruptive, high‑cost event. That attack became the costliest cyber‑attack to hit the UK and, as part of remediation, over 30,000 staff were forced to reset their passwords.
Supply chains as an attack path — Miljödata and downstream impact
Black Kite’s analysis highlighted a notable shift in attacker behavior: while direct attacks on victim networks remained common, cybercriminals increasingly targeted software suppliers and third‑party supply chains as an avenue for ransomware. Researchers traced more than 30 ransomware incidents back to an August 2025 compromise of Swedish software supplier Miljödata. As Dr. Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, put it: “Some of Europe's most significant ransomware incidents are defined less by the initial victim than by the scale of their downstream impact across an interconnected ecosystem.”
What this means for manufacturers, regulators, and security teams
- Manufacturers and procurement leaders: With manufacturing accounting for 28% of incidents and German industrial regions singled out, companies in those sectors will face heightened exposure and likely prioritise tracking the security posture of suppliers and partners.
- Policymakers and regulators: Black Kite highlighted regulatory pressure as one of three converging forces, noting that “regulations are placing greater emphasis on third‑party risk.” Regulators can expect evidence of supply‑chain driven incidents to influence enforcement and guidance.
- Technologists and security teams: The report recommends practical protections — swift patching of vulnerabilities (especially in supply‑chain software), engaging boards on cyber risk, and continuous monitoring of new threats — giving clear actions for defenders to prioritise.
Dr. Dikbiyik summed up the convergence driving the trend: “Ransomware is accelerating, supply chains are becoming a primary attack path, and regulations are placing greater emphasis on third‑party risk.” Black Kite’s findings point to a Europe in which ransomware volume, concentrated national and sectoral exposure, and supply‑chain linkages combine to amplify downstream harm. The company’s final, concrete prescriptions — rapid patching, board engagement, and continuous monitoring — underline that resilience will depend not only on defending individual networks but on understanding and interrupting how risk travels through software suppliers and interconnected ecosystems.
