Ransomware is among the most damaging forms of cyberattack.
It can bring large corporations or hospitals to a standstill, shut down pipelines, and cause damage measured in billions of euros.
In 2025, global efforts to reduce the impact of ransomware attacks and expose the criminal networks behind them continued.
While the number of ransomware attacks worldwide increased, average profitability per attack declined.
Obligation to report ransom payments
In 2025, Australia became the first country to require certain sectors to report their decisions to pay ransom demands in the event of a ransomware attack. The reporting requirement aims to give the state a clearer picture of the scale and impact of ransomware attacks. It is also likely intended to encourage companies subject to the obligation to refrain from paying ransoms.
So far, Australia’s approach remains the exception, but many countries follow an unwritten rule of not paying ransoms in cases where the public sector is targeted. Reports from several cybersecurity providers suggest that private companies are also increasingly reluctant to negotiate with criminals and pay ransoms. This indicates growing maturity in addressing cyber crises.
The number of ransomware attacks worldwide is nevertheless on the rise. While the impact of ransomware attacks often goes unnoticed by the general public, an attack in September against Collins Aerospace’s check-in and boarding software caused chaos at several major European airports. Airlines were forced to check in passengers and luggage manually, resulting in long queues, missed connecting flights, and the cancellation of dozens of flights.
In September, a ransomware attack also disrupted operations at Asahi, one of the world’s largest beverage producers, headquartered in Japan and best known for its beer. The attack was claimed by the Qilin ransomware group, which had attacked the South Korean conglomerate SK Group a few months earlier.
In the United Kingdom, several prestigious retail chains were targeted by attacks last year, including Marks & Spencer, Harrods, and Co-op. Marks & Spencer incurred the most significant financial loss, estimated at approximately 300 million pounds, following a disruption to its online sales for several weeks. In France, cyberattacks targeted luxury brands Cartier and Dior.
The British car manufacturer Jaguar Land Rover suffered a severe economic and reputational blow after a cyberattack forced it to halt production for five weeks at several plants in the UK and abroad. The company also faced difficulties in delivering finished vehicles and spare parts, and attackers stole sensitive data from its systems.
The attack was claimed by the group Scattered Lapsus$ Hunters, but the company has not disclosed the perpetrators or detailed information. The attack on Jaguar Land Rover is estimated to have cost the UK economy approximately 1.9 billion pounds, making it the most costly cyberattack in the country’s history.
Supply chain attacks continued
In 2025, the trend of compromised supply chains and critical service providers persisted, significantly widening the cross-border impact of attacks. In August, criminals successfully attacked Salesforce, a customer relationship management platform widely used in the United States and elsewhere, and stole sensitive data from hundreds of companies and organisations that use the software. Victims included several international corporations, such as Google, Toyota, FedEx, Qantas and Allianz Life.
In attacks of this kind, criminals typically extract as much data as possible and then attempt to extort ransoms from the affected organisations one by one. The breach did not occur through Salesforce’s core platform but exploited a vulnerability in Salesloft Drift, a marketing tool integrated with it. Attackers continually search for weak links in large systems, whose management, protection and interdependencies are becoming increasingly complex for businesses and public institutions alike.
Service outages felt around the world
Triggering a domino effect that disrupts the operations of hundreds of organisations and companies does not always require attackers. On 20 October, digital services at more than a thousand companies were disrupted across several parts of the world. The incident originated in an Amazon Web Services (AWS) data centre in Northern Virginia, and subsequent analysis showed that the root cause was a failure in the Domain Name System (DNS) management service.
For up to 14 hours, the outage affected banks, airlines, entertainment platforms and logistics companies, impacting millions of people. The resulting damage is estimated in the billions of dollars. Some services used in Estonia, including the Signal messaging app, were also briefly affected.
Just a month later, on 18 November, another high-impact service disruption caused frustration worldwide. Due to a technical failure, network services operated by the global technology company Cloudflare were disrupted, with knock-on effects in Estonia as well. For a couple of hours, news portals such as Delfi, Eesti Ekspress and Õhtuleht were unavailable, and users were temporarily unable to purchase bus and train tickets via the Lux Express and Elron websites. According to a Cloudflare blog post, the outage was caused by an error during a routine database update, which triggered a cascade of technical failures affecting a large portion of the internet.
Three weeks later, on 5 December, Cloudflare experienced another service disruption, lasting approximately 20 minutes. It was caused by an internal configuration change the company had made to its firewall. The change was necessary to protect customers against the exploitation of a newly discovered critical vulnerability, but parts of Cloudflare’s infrastructure were unable to handle it.
Even the largest operators encounter such incidents, yet we are not accustomed to recognising how dependent everyday life has become on a small number of global service providers.
State-backed groups and hacktivists
In our previous annual reviews, we have noted that geopolitical tensions shape cyberspace and that several states use highly capable hacker groups to pursue their strategic objectives. Such activity is usually covert, and the success of these groups depends on how well they can conceal their tracks and remain undetected in networks for extended periods.
When an attack is uncovered, the targeted state may choose to keep it confidential or, conversely, to attribute it publicly, often accompanied by sanctions or other legal measures. In 2025, several such cases made the headlines.
While public attribution tends to complicate the work of most state-backed threat actors, ideologically motivated hacktivists thrive on attention. They aim to create confusion, fear and public discontent, and they often seek to amplify the perceived impact of their attacks through media coverage. In 2025, hacktivist denial-of-service attacks against government websites and other critical sectors continued in several countries, but their overall impact remained limited.
For greater effect and visibility, some hacktivist groups experimented with the manipulation of industrial control systems. In August, Norway’s security service attributed an attack on the control systems of a dam regulating water flow in south-western Norway to pro-Russian hackers. Fortunately, no significant damage was done.
On 29 October, Canada’s cybersecurity centre published a threat assessment describing successful hacktivist attempts to manipulate pressure equipment at a regional water facility and to alter the temperature and humidity levels of a grain drying silo on a Canadian farm.
In mid-December, Denmark’s intelligence service revealed that a Russian hacktivist group had carried out a cyberattack against a local water utility at the end of 2024. As a result of the attack, 50 households were left without water for several hours.
In December, the US Cybersecurity and Infrastructure Security Agency (CISA) also warned that pro-Russian hacktivists were conducting opportunistic attacks against critical infrastructure in the United States and other countries. Although the growing frequency of such attacks is a cause for concern, hacktivist capabilities remain relatively unsophisticated, and cybersecurity measures applied to industrial systems have so far helped prevent more serious incidents.
Many state-backed attacks attributed to Russia
| Month | Attribution |
|---|---|
| January | The EU added three members of Russia’s military intelligence Unit 29155 to its sanctions list, citing cyberattacks carried out against Estonia since 2020. Estonia had publicly attributed the attacks earlier, in September 2024. |
| April | France attributed several past cyberattacks to the group APT28, which is linked to Russian military intelligence. These included the theft and leaking of emails from Emmanuel Macron’s campaign team ahead of the 2017 presidential election, as well as infiltration attempts targeting organisations involved in organising the 2024 Paris Olympic Games. |
| May | The Czech government announced that it had identified links between the Chinese state-backed group APT31 and cyberattacks against the Czech Ministry of Foreign Affairs. The attacks began in 2022, when the Czech Republic held the presidency of the Council of the European Union. |
| December | The UK government imposed sanctions on Russia’s military intelligence service, the GRU, in its entirety and on eight cyber intelligence officers by name. The measures were linked to the attempted poisoning of former Russian double agent Sergei Skripal in Salisbury in 2018 and to earlier cyberattacks against the phone of his daughter, Yulia Skripal, carried out for intelligence purposes. |
| December | The UK government also sanctioned two Chinese technology companies, known as i-Soon and Integrity Tech, for organising and supporting cyberattacks in the United Kingdom and other countries. |
AI in the service of attackers
Both state-backed groups and cybercriminals are increasingly using AI tools to enhance and scale their activities, with social manipulation playing a growing role across many types of attack.
The scheme known as the North Korean IT worker fraud expanded its reach last year. Using AI-generated video and image material and fake identities, hundreds of impostors attempted to secure jobs at global companies. The scheme also operated in reverse: North Korean threat actors posed as employers on platforms such as LinkedIn and approached developers in other countries with fictitious job offers. The test assignments they sent as part of the recruitment process contained embedded malware.
The objectives of the North Korean scheme vary. They include stealing internal information from technology companies, infecting systems with malware for later extortion, or securing employment in Western companies in order to generate income for the benefit of the North Korean state.
In July 2025, a US citizen who had assisted the scheme was sentenced to nine years in prison. She had helped North Koreans obtain jobs at US companies using stolen identities.
According to Google’s analysis, North Korean IT workers also targeted several European defence industry companies last year, with one individual using at least 12 different fake identities. Recruiters at some international companies operating in Estonia have also reportedly encountered the scheme.
As if hiring IT staff were not challenging enough already, there is now the added risk that offering remote work to a candidate with an impeccable CV and a convincing video interview may inadvertently support North Korea’s nuclear programme.
Cyberspace becomes more unpredictable
In summary, 2025 saw the continuation of several established trends in the global cyber landscape: large-scale attacks carried out via service providers, ransomware attacks that disrupted everyday life and involved data theft and extortion, and the growing use of social manipulation to facilitate cyberattacks.
Outages triggered by a handful of technical errors disrupted people’s lives in places as distant as Valga County and California, underscoring that even the most capable operators cannot eliminate disruptions entirely.
In a geopolitically tense world, state-backed cyber threat actors remain active. At the same time, both targeted states and companies that analyse cyber threats have become more willing to publicly expose such activity.
Rapid advances in AI tools create new opportunities for all actors, while also increasing unpredictability.
Do not feed the criminal
For years, the business model of cybercrime has shifted toward greater specialisation. Different stages of an attack – from target selection and initial access to malware deployment and ransom demands – can be purchased as a service under the so-called ransomware-as-a-service (RaaS) model. To undermine the profitability of this criminal business, governments are seeking to reduce the likelihood that ransoms will be paid.
Last updated: 11.02.2026