SECTION 08
Methodology
This report was assembled by the Black Kite Research Group™ from several independent lines of evidence: Ransomware tracking, vendor ecosystem analysis, the European regulatory landscape and cyber risk telemetry. Together, they trace how ransomware reaches European organisations, both at their own perimeter and through the suppliers they depend on.
1. Data Sources and Scope
The report integrates several streams of intelligence curated by the Black Kite Research Group between January 2025 and April 2026. The ransomware data covers confirmed, publicly disclosed ransomware and data extortion incidents, retained once an incident was ready for publication and attributable to ransomware activity, with attribution to a named threat group recorded where it could be established. Vendor and third-party data was derived from Black Kite's telemetry and publicly available information, supplemented by intelligence gathered from surface, deep and dark web sources.
2. Geographic and Temporal Scope
The study covers 31 countries: The 27 European Union member states together with the United Kingdom, Switzerland, Norway and Turkey. After removing incidents falling outside the 31-country scope, the working base is 2,066 incidents. These are analysed across three periods, the first half of 2025 (648 incidents), the second half of 2025 (734), and January to April 2026 (684). Because the final window is four months rather than six, comparisons that turn on pace are expressed as a monthly rate so the periods remain comparable.
3. Industry Classification
Industry and subindustry classifications follow the North American Industry Classification System (NAICS). Sector-level figures are built from the two-digit NAICS sector and subindustry analysis from the more detailed NAICS codes, so that a sector such as manufacturing is measured by its NAICS classification rather than by a broader label.
4. Victim Counting and Standardization
To prevent inflation of the figures, the Black Kite Research Group applies a standardised victim counting method. Attacks against chains, networks or holding structures are counted as a single incident unless distinct disclosures exist. A single supplier compromise that cascades to many downstream organisations is likewise counted as one incident in the threat-actor and period analysis, while the affected downstream organisations are documented separately in the third-party analysis. Each incident is assigned to a period by its date of public disclosure.
5. Third-Party Methodology
The third-party analysis follows two tracks. The first covers European organisations drawn into an incident through a vendor rather than through their own systems. The second covers European-headquartered suppliers that were themselves the origin point of a breach, regardless of where their customers were located. Where a single supplier event reached many organisations, the report documents the named organisations that surfaced in its sources, which is a subset of the full reach rather than the total. The Miljödata case is the clearest example: 34 organisations are documented by name, a subset of a much larger affected population.
6. Risk Metrics
Two Black Kite measures appear in the report at the level of individual cases. The Cyber Rating runs from 1 to 100 across 20 risk categories and is also expressed as a letter grade: A (excellent) 90 to 100, B (good) 80 to 89, C (fair) 70 to 79, D (poor) 60 to 69, and F (failing) 0 to 59. The Ransomware Susceptibility Index® (RSI™) runs from 0.0 to 1.0 and estimates the likelihood that an organisation will face a ransomware attack. These metrics are used to describe specific named vendors and incidents. Aggregate score distributions for breached organisations are not published, since a marginal distribution invites the misreading that a high rating failed to anticipate a breach.
7. Limitations
The report reflects only publicly disclosed incidents and observable vendor risk indicators. Many breaches, particularly those involving smaller organisations or resolved discreetly, go unreported. The documented downstream victims of a supplier event are a subset of the true total. Taken together, the findings represent a conservative lower bound of systemic third-party risk exposure across Europe.