Full Report
Written by: Jamie Collier, Robin Grunewald

Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023.

## Cyber Criminals Pivoting Back to Germany

Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023. This targeting is not a result of the overall number of companies within Europe, as Germany has fewer active enterprises than France or Italy. Instead, its sustained appeal to extortion groups is driven by its status as an advanced European economy with an increasingly digitized industrial base.

Figure 1: Percentage of data leaks affecting European nations in 2025

The speed of this escalation is particularly notable. Following a relative cooling of activity in 2024, Germany saw a 92% growth in leaks in 2025—a growth rate that tripled the European average.

Figure 2: The number of German victims listed in data leak sites grew 92% in 2025 compared to 2024

While several factors influenced European ransomware trends in 2025, a striking contrast emerged in leak volumes. While shaming-site postings for UK-based organizations cooled, non-English speaking nations (particularly Germany) witnessed a surge.

This shift reflects a convergence of several factors. The continued maturation of the cyber criminal ecosystem, including the use of AI to automate high-quality localization, is further eroding the historical protection offered by language barriers. However, this "linguistic pivot" is also supported by a shift in victim profiles.
As larger "big game" targets in North America and the UK improve their security posture or utilize cyber insurance to resolve incidents privately, threat actors appear to be pivoting toward the "ripe markets" of the German Mittelstand (discussed in further detail later in this post).

Google Threat Intelligence Group (GTIG) has also observed multiple cyber criminal groups post advertisements, seeking access to German companies and offering a proportion of any extortion fees obtained from victims. For example, dating back to November 2024, the threat actor known as Sarcoma has targeted businesses across several highly developed nations, including Germany.

Figure 3: A forum post by an actor seeking a partnership to target German victims

While the 2025 data marks a record year for German leak volume, it is important to contextualize these figures with a degree of caution. Relying solely on DLS numbers can be misleading, as threat actors typically only post victims who refuse to initiate or complete extortion negotiations. Public reporting on the decline in ransom payment rates may be partially fueling the steady increase in shaming site posts as a secondary pressure tactic. Consequently, while the surge in Germany remains a critical trend, these metrics should be viewed as one component of a broader, more complex threat landscape.

## The Diversifizierung of the Cyber Criminal Ecosystem

2025 was characterized by significant turbulence in the cyber criminal ecosystem, driven by internal conflicts and aggressive law enforcement actions against dominant "big game" operations like LOCKBIT and ALPHV. The resulting vacuum at the top of the ransomware market has led to a more crowded field of agile, mid-tier DLS brands. In Germany, this rebalancing is highly visible: as established brands receded, a wider pool of competitors emerged to absorb the market share.

Figure 4: German victims on data leak sites rose sharply in 2025

Following the disruption of LockBit, groups such as SAFEPAY and Qilin have gained significant prominence within the German landscape. SAFEPAY, in particular, claimed breaches of 76 German companies in 2025—accounting for 25% of all German victim posts that year. Meanwhile, Qilin tripled its operational tempo in Germany during Q3 2025. While this increase aligns with Qilin's broader global uptick in activity, their consistent focus on German targets (including 13 victims posted already in early 2026) demonstrates that their presence in the German landscape grows in lockstep with their global expansion.

Figure 5: Leaked data of a German company (name redacted) by SafePay

## No Such Thing as Too Small: Targeting of the Mittelstand

There is a persistent myth that small businesses are "too small" to be targeted, a perception often fueled by the fact that large global corporations often dominate cyber crime headlines. However, the 2025 data tells a different story: organizations with fewer than 5,000 employees accounted for 96% of all ransomware leaks in Germany. While this figure largely aligns with the structural composition of the German economy, it underscores a concerning disconnect between public perception and actual targeting patterns. While "big game" hits make the news, the high volume of leaks among medium- and small-sized victims proves they are highly attractive targets for cyber criminals—often because they lack the extensive security personnel and specialized resources of their larger counterparts.

The targeting of the Mittelstand creates a significant secondary risk for large German enterprises and multinationals. While a major corporation may have robust defenses, its broader ecosystem of suppliers and contractors often manages sensitive data or maintains privileged network access.
To address these systemic gaps, large enterprises must evolve from passive monitoring to a proactive third-party risk management framework, implementing vendor tiering and enforcing multifactor authentication to neutralize the lateral movement favored by modern cyber criminals.

Figure 6: Size of victim organizations found on data leak sites

## Targeting Beyond the Assembly Line

Germany's industrial base remains the primary focus for cyber criminals, with manufacturing accounting for 23% of all dark web leaks in 2025. However, the German cyber criminal landscape is characterized by its variety, with legal & professional services (14%), construction & engineering (11%), and retail (10%) all targeted.

The most notable shift in the 2025 data is the growth within the legal & professional services sector. This increase is likely intentional: these firms represent high-value targets because they serve as trusted custodians of sensitive client data, including intellectual property, financial strategies, and M&A plans. This allows cyber criminals to extract significant extortion payments beyond their primary victim and gain downstream leverage over an entire client base.

Figure 7: Data leak victims in Germany by industry

## Outlook

The data from 2025 reveals that the recent surge in German leaks is not an isolated incident, but a return to the high-pressure levels previously observed in 2022 and 2023. This resurgence reflects a more volatile and linguistically diverse European threat landscape going into 2026.

The 92% growth in German leaks, tripling the European average for 2025, proves that non-English-speaking nations remain a primary target for global extortion groups. The disruption of established brands like LockBit has rebalanced the ecosystem into a crowded field of agile data leak sites, such as SafePay and Qilin.
These groups appear to be hitting Germany in lockstep with their global expansion, identifying the Mittelstand and German professional services as high-volume, target-rich environments. As threat actors continue to exploit complex supply chains, smaller organizations will remain critical pivot points for those aiming at the top of the industrial stack.

Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment.
Analysis Summary
# Industry News: Germany Reclaims Position as Top European Cyber Extortion Target
## Summary
Germany has experienced a dramatic resurgence in cyber extortion, with data leak site (DLS) postings surging by 92% in 2025—tripling the European average. This shift marks a strategic pivot by global threat actors away from English-speaking markets toward the German *Mittelstand* and professional services sectors.
## Key Details
- **Date:** April 15, 2026 (Reporting on 2025-2026 data)
- **Companies Involved:** Google Threat Intelligence (GTI), SafePay, Qilin, Sarcoma, and the German *Mittelstand* (SMEs)
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
After a brief cooling period in 2024, Germany has surpassed the UK as the primary target for data leaks in Europe. This "linguistic pivot" is fueled by two primary drivers: the maturation of AI-driven localization tools, which eliminate traditional language barriers, and a concentrated effort by cybercriminals to find "ripe markets" outside of heavily defended North American and British Tier-MNCs.
The breakdown of major ransomware syndicates like LockBit and ALPHV has created a fragmented, highly aggressive ecosystem. New mid-tier "brands" such as SafePay (responsible for 25% of German leak posts in 2025) and Qilin have filled the vacuum. These groups are specifically targeting the *Mittelstand*—small-to-medium enterprises—with 96% of German victims having fewer than 5,000 employees. Furthermore, there is a distinct shift toward the legal and professional services sectors, as these firms provide "downstream leverage" over high-value client data.
## Business Impact
### For the Companies Involved
- **German SMEs:** Faced with existential threats; 2025 data suggests they are now the "default" target rather than an accidental one.
- **Google Threat Intelligence:** Strengthening its position as a primary observer of European geopolitical risk and supply chain vulnerability.
### For Competitors
- **Security Vendors:** There is a growing market for specialized solutions tailored for mid-sized industrial firms (OT/ICS security) that previously felt "too small" to be targeted.
- **Cyber Insurance:** Expected premium increases in the DACH region as private incident resolution becomes more difficult against aggressive "shaming" tactics.
### For Customers
- **Supply Chain Risk:** Large multinationals are increasingly vulnerable to "secondary risk" through their smaller German suppliers.
- **Data Privacy:** Customers of German legal and financial firms face increased exposure of sensitive IP and M&A strategies.
### For the Market
- **Diversification of Crime:** The ransomware market has moved from a "monopoly" (LockBit/ALPHV) to a "perfect competition" model with numerous agile, mid-tier players.
## Technical Implications
- **AI-Driven Localization:** Threat actors are using AI to automate high-quality German-language phishing and negotiation, removing the "safety net" of linguistic complexity.
- **Exfiltration over Encryption:** The focus on "Data Leak Sites" suggests a continued shift toward pure extortion (shaming) rather than just locking files, often as a response to better backup strategies.
## Strategic Analysis
- **Market Positioning:** Threat actors are positioning themselves as "specialists" in German infrastructure, with some (like Sarcoma) actively recruiting partners specifically for German access.
- **Competitive Advantage:** Groups like SafePay are gaining market share by maintaining a high "operational tempo" that larger, disrupted groups can no longer sustain.
- **Challenges:** The primary challenge for Germany is the structural composition of its economy; the highly digitized but resource-constrained *Mittelstand* presents a massive attack surface.
## Industry Reactions
- **Google Threat Intelligence:** Analysts note that relying on DLS numbers alone can be misleading but emphasize that the 92% growth represents a "critical trend" that cannot be ignored.
- **Market Response:** There is a notable "public reporting" fatigue regarding ransom payments, which is ironically driving hackers to use public shaming sites more aggressively to regain leverage.
## Future Outlook
- **2026 Predictions:** The trend is expected to persist as Qilin and SafePay continue their expansion.
- **Watch For:** Increased regulatory pressure from German and EU authorities on "supply chain hygiene" and mandatory third-party risk management for larger enterprises.
## For Security Professionals
Practitioners must move away from the "Big Game" defense mindset. For those in the German market or those with German suppliers:
1. **Prioritize Third-Party Risk:** Implement vendor tiering and enforce MFA across the entire supply chain.
2. **Review Localization Defense:** Do not rely on "broken German" as a red flag for phishing; AI has made this indicator obsolete.
3. **Mittelstand Focus:** Smaller teams must adopt proactive "reach back" capabilities or managed services to compensate for lack of in-house headcount.