Germany Overtakes UK as Top European Target for Ransomware Data Leaks
Germany saw a 92% rise in data leak site posts in 2025, overtaking the UK as Europe's top ransomware target, driven by Mittelstand businesses, AI localization, and cybercriminal ecosystem shifts.
The Reversal in Europe's Data Leak Landscape
Germany has reclaimed its position as the primary target for cyber extortion in Europe, according to new data from Google Threat Intelligence. In 2024, the United Kingdom had led the region in the number of victims listed on data leak sites (DLS). However, by 2025, Germany surged ahead with a 92% increase in such postings, a growth rate three times higher than the European average. This marks a return to the intense pressure observed on German infrastructure during 2022 and 2023.
Germany's Resurgence as a Cyber Extortion Hotspot
The speed and magnitude of the shift are striking. While DLS postings for UK-based organizations cooled, non-English-speaking nations—especially Germany—saw a sharp rise. Google Threat Intelligence data reveals that overall global DLS posts increased by nearly 50% in 2025, but German infrastructure was hit harder and faster than its neighbors. This escalation is not simply a reflection of company numbers; Germany has fewer active enterprises than France or Italy. Instead, the country's sustained appeal stems from its advanced economy and highly digitized industrial base.
The Scale of the Surge
In 2024, relative calm followed the earlier peaks, but 2025 reversed that trend. The 92% growth in German victims listed on leak sites outpaced all other European nations. Figure 2 in the original report shows this dramatic uptick. For context, the European average growth was just over 30%. This suggests that cybercriminal groups have refocused their efforts on German targets with renewed vigor.
Why Germany? The Attractiveness of the Mittelstand
Several factors converge to make Germany a ripe market. A key element is the Mittelstand—the country's vast network of small and medium-sized enterprises. Many of these companies have digitized operations but lack the robust security defenses of larger corporations. Cybercriminal groups are increasingly pivoting away from tough targets in North America and the UK, where security postures have improved and cyber insurance often enables private settlements. Instead, they are exploiting the ripe market of the Mittelstand, whose businesses often cannot afford lengthy negotiations or prefer not to disclose breaches.
Language Barriers Diminish with AI
Historically, language barriers offered some protection for non-English-speaking countries. However, the maturation of the cybercriminal ecosystem, including the use of AI to automate high-quality localization, has eroded this advantage. Ransomware groups can now craft convincing ransom notes and data leak pages in German, allowing them to target victims without needing native-language speakers. This 'linguistic pivot' has opened up new opportunities for extortion.
Cybercriminal Ecosystem Adapts
Google Threat Intelligence Group has observed multiple cybercriminal groups posting advertisements seeking access to German companies, offering a cut of any extortion fees. For example, the threat actor known as Sarcoma has been targeting businesses in highly developed nations—including Germany—since at least November 2024. This indicates a deliberate shift in strategy, as actors explicitly search for initial access in Germany.
Cyber Insurance and Security Posture Shifts
The decline in UK-targeted leaks is partly due to improved security postures among larger organizations and the use of cyber insurance to resolve incidents privately. When victims pay ransoms without public shaming, DLS postings for that region diminish. Consequently, threat actors follow the path of least resistance—moving to regions where victims are more likely to be listed and pressured into paying. Germany's Mittelstand fits that profile.
Looking Ahead
The data underscores a dynamic threat landscape. As defenses improve in traditional targets, cybercriminals adapt by shifting to new geographies and exploiting vulnerabilities in digitized economies. Germany's experience in 2025 serves as a warning: no nation is immune, and advanced economies with strong industrial digitization will remain attractive targets. Organizations—especially in the Mittelstand—must bolster their defenses and consider external threat intelligence to anticipate these evolving tactics.
For further reading, see our earlier analysis on the Mittelstand vulnerability and the role of AI in localization.