Berlin, Germany — Cyber extortion attacks against German organizations have skyrocketed, with data leak site (DLS) posts targeting the country jumping 92% in 2025 compared to the previous year, according to new data from Google Threat Intelligence (GTI). The surge has propelled Germany past the United Kingdom to reclaim its position as Europe's most targeted nation for ransomware-related data leaks.
“Germany is facing a cyber criminal renaissance,” warned Jamie Collier, senior threat intelligence analyst at Google. “The speed and scale of this escalation—tripling the European average growth rate—shows that attackers have identified the country as a high-value, vulnerable market.”
The Inverted Pyramid: Key Facts
Germany’s 92% year-over-year increase in DLS victims far exceeded the European average growth of roughly 30%. The nation now accounts for a larger share of European data leaks than any other country, a position it last held in 2023 before the UK briefly took the lead in 2024.
This targeting is not due to a higher number of companies—Germany has fewer active enterprises than France or Italy. Instead, attackers are drawn by Germany’s advanced economy and highly digitized industrial base, particularly its famed Mittelstand (small and medium-sized enterprises).
“Cyber criminals are following the money,” said Robin Grunewald, GTI’s lead researcher on European threats. “The German Mittelstand is a ripe market—digitally mature but often under-resourced for cybersecurity, making it an ideal target for extortion.”
Background
Ransomware attacks have evolved significantly since 2022, when Germany first experienced a wave of high-pressure extortion. That wave cooled in 2024 as attackers pivoted to the UK and other English-speaking nations. However, 2025 marks a return to Germany as the primary focus within Europe.
Several factors explain the shift. First, improved security postures among “big game” targets in North America and the UK have forced criminals to seek softer targets. Second, the growing use of AI to automate high-quality localization has eroded the historical protection offered by language barriers, allowing non-English speaking nations like Germany to be targeted more effectively.
GTI has also observed cyber criminal groups openly advertising for access to German companies, offering a cut of extortion fees. For instance, the threat actor known as Sarcoma has been targeting German businesses since November 2024.
What This Means
For German businesses, the 92% spike is an urgent wake-up call. The Mittelstand, which forms the backbone of the German economy, must immediately shore up defenses—especially around email security, multi-factor authentication, and incident response plans.
“This is not a temporary blip,” cautioned Collier. “We expect the pressure on Germany to persist and likely intensify as attackers double down on a proven formula. Companies that delay investing in cyber resilience will pay a much higher price—literally.”
On a broader European scale, the data highlights a worrying trend: non-English speaking nations are increasingly vulnerable. Organizations across France, Italy, and Spain should take note, as the same factors driving attacks in Germany could soon be replicated elsewhere.
The key takeaway: cyber extortion is no longer just an English-language problem. The cyber criminal ecosystem has matured, and every nation with a digitized economy is now in the crosshairs.