The German Cyber Criminal Überfall: Shifts in Europe’s Data Leak Landscape

Germany became the primary focus for cyber extortion in Europe in 2025, with data leak site postings affecting the country rising 92% year‑over‑year and outpacing the regional average. The disruption of major ransomware brands rebalanced the criminal ecosystem, enabling mid‑tier groups like SafePay and Qilin to aggressively target the German Mittelstand and professional services.

Key points

  • Germany experienced a 92% increase in data leak site (DLS) postings in 2025, tripling the European average.
  • The shift of DLS activity from the UK to Germany is driven by the targeting of the digitized industrial Mittelstand rather than by the sheer number of firms.
  • Law enforcement disruption of dominant brands like LockBit and ALPHV created a fragmented ecosystem that mid‑tier operators (e.g., SafePay, Qilin) have exploited.
  • Organizations with fewer than 5,000 employees accounted for 96% of German ransomware leaks, showing heavy focus on SMEs.
  • Manufacturing was the most targeted sector (23%), while legal and professional services saw notable growth as high‑value targets.
  • Actors are using localization (including AI automation) and forum recruitment to find and pressure German victims via public shaming on DLS.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Ransomware and extortion are central to the incidents described; the disruption of established brands has reshaped which operators drive leak postings (‘the disruption of established brands like LockBit has rebalanced the ecosystem into a crowded field of agile data leak sites, such as SafePay and Qilin.’)
  • [T1195] Supply Chain Compromise – Attackers exploit suppliers and contractors to pivot to larger victims and gain privileged access (‘its broader ecosystem of suppliers and contractors often manages sensitive data or maintains privileged network access.’)
  • [T1078] Valid Accounts – Use of stolen or valid credentials for access and lateral movement is implied, and the report recommends MFA to mitigate this risk (‘implementing vendor tiering and enforcing multifactor authentication to neutralize the lateral movement favored by modern cyber criminals.’)
  • [T1021] Remote Services – Lateral movement methods favored by modern cyber criminals are referenced, indicating use of remote service techniques to move across networks (‘implementing vendor tiering and enforcing multifactor authentication to neutralize the lateral movement favored by modern cyber criminals.’)
  • [T1567] Exfiltration Over Web Service – Data exfiltration followed by public posting on data leak sites is described, and DLS volumes are rising, indicating exfiltration to web-based leak platforms (‘data leak site (DLS) posts rose almost 50% globally in 2025’ and ‘leaked data of a German company (name redacted) by SafePay’)

Indicators of Compromise

  • [Threat actor names] Named groups observed targeting Germany – SafePay, Qilin, and Sarcoma
  • [Data leak site / victim listings] Public leak posts and claimed breaches used as observable indicators – “leaked data of a German company (name redacted) by SafePay”, SafePay claiming 76 German companies
  • [Forum posts / advertisements] Recruitment and access‑for‑hire postings targeting German victims – a forum advertisement seeking partnership to target German victims (Sarcoma example), and other forum ads soliciting German access


Read more: https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape/