Ransomware Shifts to Europe, Qilin Emerges as Top Threat in Q2 2025
The global ransomware landscape has seen a shift in Q2 2025, with a notable increase in attacks targeting Europe and a new player, Qilin, emerging as the most active group in the industrial sector. The manufacturing industry bore the brunt, with 428 attacks, while transport and logistics followed with 77 cases.
Worldwide, 657 industrial ransomware attacks were recorded in Q2 2025, a slight decrease from the previous quarter. However, the number of attacks in Europe rose from 135 to 173 cases during the same period, with Germany, the UK, and Italy being particularly affected. Germany, in particular, faced targeted attacks on key industrial sectors and critical infrastructures.
The construction industry was also heavily targeted, with 110 attacks worldwide. Machinery and plant engineering recorded 63 cases, followed by automotive with 38, and chemical industries with 20.
In March 2025, Qilin was taken over by the North Korean state-sponsored hacker group Moonstone Sleet. Qilin became the most active in the industrial sector during Q2 2025, with 101 documented attacks, accounting for around 15% of global reported incidents. Qilin exploits vulnerabilities in Fortinet products, such as CVE-2024-21762 and CVE-2024-55591, to facilitate deep attacks on internal networks. The group operates a Ransomware-as-a-Service platform, offering legal advisory services and internal media teams to support affiliates.
To mitigate risks, companies are advised to implement the five critical measures of the SANS Institute's incident response framework.
The rise in ransomware attacks, particularly in Europe, and the emergence of Qilin as a significant threat, underscore the need for robust cybersecurity measures. Companies are urged to stay vigilant, patch vulnerabilities promptly, and follow established incident response frameworks to protect their operations and data.
