Euro-economies under attack: Italy third for cyber blackmail

UK, Germany, France and Spain also among the targets in 2025. Old Continent companies account for 22% of global victims

by Ivan Cimmarusti

11 November 2025

4' min read

Translated by AI

Versione italiana

Key points

EU trend
Hybrid Warfare and Telegram Channels
The Italian situation

4' min read

Translated by AI

Versione italiana

Twenty-four hours and a company goes from operational to seized. In one case, 51 seconds were all it took. The outcome remains the same: systems breach, database encryption, stopped lines. Then the cyber-remail: 'Pay up and get your data back'. In Italy - amidst a fragile economic fabric and digital defences full of flaws - the bill arrives quickly: many SMEs pull down their shutters and send their workers out of work. The damage doubles: social, for the families of the employees; economic, for yet another productive reality that goes out of business.

We know the name from the chronicles: ransomware. The impact, however, remains nebulous. One number brings it into focus: in Europe, it has already grown 48% this year compared to 2024. It mainly affects the most economically attractive countries: the United Kingdom and Germany, with Italy third followed by France and Spain. Here the standard operation is repetitive and ruthless: in 92% of cases the raid combines file encryption and data exfiltration. The targets do not change: manufacturing, professional and technological services, industry. With local nuances. In Italy, the most affected are manufacturing, retail, academia and industry.

Thus the report European Threat Landscape 2025 by US cybersecurity company CrowdStrike, which was presented yesterday.

EU trends

Between January 2024 and September 2025, Europe experienced a surge of attacks conducted by 53 eCrime groups: "The continent ranks second in the number of incursions, just behind North America, andEuropean companies account for almost 22% of global victims," explains Luca Nilo Livrieri, senior director, sales engineering southern Europe at CrowdStrike. Showcasing them are the Dls (Data leak sites), the dark web noticeboards where names of affected companies, ransom demands, countdowns and samples of stolen data are paraded to raise the pressure. The thermometer is rising: reports on Dls by entities based in Europe are growing by almost 13% year-on-year, from around 1,220 to 1,380 in 2025.

Why this centrality? Not only because of the economic weight of European countries, as Livrieri explains. There is even a regulatory factor that attackers bend to their advantage: the rigidity of theGdpr (privacy protection) and its penalties for non-compliance. 'The attacker threatens to report the company for regulatory non-compliance in the event of a data breach, prompting it to pay the ransom'.

Hybrid Warfare and Telegram Channels

Then there is the political leverage: 'Some collectives have expressed positions and threatened politically motivated activities. Wizard Spider, for example, supported the Russian invasion of Ukraine in 2022'. On the even more hostile perimeter, state actors also move. CrowdStrike intelligence has identified actions by Unit 29155, a clandestine cell of the Russian services trained in hybrid warfare.

This is where another piece of the puzzle comes in: the recruitment on Telegram channels of 'disposable' agents. We are talking about operational manpower employed for low-profile hostile actions, designed to wear out quickly and leave few traces. In this scheme, the utility of the 'disposable' is not a detail but the lintel of plausible deniability. Operations conducted by expendable figures allow the Russian services to shield paternity.

Around this nucleus also moves a constellation of other groups that can be traced back to North Korea, Iran, China, Kazakhstan, India and now Turkey. Different vectors, same trajectory: multiply the attacks, fragment the attributions.

The Italian situation

And where is the weak point in Italy? Apart from the strategic companies, which have to comply with Nis 2 rules, there are the SMEs. "They are far behind," warns Livrieri. The crux of 'modern' attacks, in fact, is that the signals are 'difficult to intercept, we need solutions capable of reading multi-domain or cross-domain patterns: minimal anomalies that, put together, reveal an attack in progress'.

Emerging vectors, Livrieri continues, 'include false Captcha: interfaces designed to distinguish humans and bots that, in practice, can trigger the downloading of malicious files'.

Not only that. There is also vishing, which will most likely become a significant threat in the near future in Italy as well. It is, adds Livrieri, 'a social engineering technique in which an adversary calls the victim pretending to be someone else in order to convince them to provide credentials or perform a specific action'.

The answer, for those with lean workforces, is pragmatically industrial: 'For small and medium-sized companies,' Livrieri concludes, 'it is more convenient to outsource the services of cybersecurity. It is a difficult vertical competence to have'. Not least because criminals choose surgical timeframes that are ill-suited to small and medium-sized businesses: 'Usually the attacks come at night, at the end of the week or before a bridge', to maximise the damage. The consequence is a non-negotiable requirement: protection systems that work 24x7, 365 days a year.

At the end of the day, a real choice remains, especially for those who run the country with ten, fifty, a hundred employees: either one continues to hope for luck - virtual doors half-closed, shifts uncovered, outdated antivirus - or one accepts that risk is an industrial cost like energy or logistics.

Ivan Cimmarustigiornalista
- Email
Luogo: Roma
Lingue parlate: Italiano, inglese
Argomenti: Sicurezza, giudiziaria, inchieste, giustizia tributaria
Premi: Nel 2011 tra i vincitori del Premio Internazionale Antimafia Livatino-Saetta
Scheda autore
Trust project