Google Threat Intelligence Group — Europe Data Leak Landscape 2025 (Germany dominant, 96% of victims <5,000 employees)

annual-report · annual-report:gtig-europe-2025

Coverage timeline

first 2026-05-07 → last 2026-05-10

Briefs

2 distinct

Sources cited

11 hosts

Sections touched

ch-eu, weekly_annual_reports

Co-occurring entities

see Related entities below

2026-05-072 appearances2026-05-10

Story timeline

2026-05-10CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
weekly_annual_reportsConsolidated in weekly summary for week 2026-W19; cross-finding with The Gentlemen / Q1 2026 ransomware quarterly synthesis.
2026-05-07CTI Daily Brief — 2026-05-07
ch-euFirst coverage (logged retrospectively in weekly). GTIG Europe data-leak landscape published 2026-04-15. Germany dominant European ransomware target 2025. SAFEPAY 25% of German posts (76 victims). Qilin tripled Q3 2025 tempo. Sarcoma recruiting German access since Nov 2024. 96% of German victims <5,000 employees. Legal/professional services 14%.

Where this entity is cited

ch-eu1
weekly_annual_reports1

Source distribution

cloud.google.com2 (17%)
cert.ssi.gouv.fr1 (8%)
enisa.europa.eu1 (8%)
heise.de1 (8%)
herodevs.com1 (8%)
ip.network1 (8%)
malwarebytes.com1 (8%)
pushsecurity.com1 (8%)
other3 (25%)

Related entities

Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)
incidentincident:die-linke-qilin-2026×1

All cited sources (12)

Items in briefs about Google Threat Intelligence Group — Europe Data Leak Landscape 2025 (Germany dominant, 96% of victims <5,000 employees) (1)

Google Threat Intelligence Group — Europe data-leak landscape 2025

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).