THE French Cybersecurity Agency (ANSSI) reports a decline in known ransomware attacks in 2025, with 128 attacks recorded in France, down from 141 in 2024, according to ANSSI. The agency notes that ransomware remains a significant threat and accounts for a substantial share of cybercriminal activity, while warnings about encryption-less extortion have been limited.
SMBs continue to be the most targeted, though healthcare and education sectors saw the biggest year-over-year rise, and the most common strains observed in 2025 were Qilin (21%), Akira (9%) and LockBit 3.0/LockBit Black (5%), with more than a dozen other strains, including Nova, Warlock and Sinobi, appearing for the first time in at least one incident.
ANSSI assessed that the drop is partly due to preventive action by cyber defenders and large-scale law enforcement operations, notably Operation Endgame, which disrupted a large part of the ransomware landscape. In 2025, ANSSI logged 3586 cyber alerts requiring agency support, a drop of 18% from 2024, of which 1366 incidents involved a confirmed malicious actor.
The report also highlights a rise in data exfiltration incidents and notes a significant drop in distributed denial-of-service attacks, while emphasising the growing fog of attribution as nation-state groups and cybercriminals share capabilities.