Decrease in Ransomware Attacks in France Amid Evolving Cyber Threat Landscape
The French Cybersecurity Agency (ANSSI) has reported a notable decline in ransomware attacks for the year 2025, attributing this reduction to effective law enforcement initiatives. The agency’s annual threat report, published on March 11, provides an in-depth analysis of the cyber threats encountered by both public and private organizations across France during the year.
According to the data compiled by ANSSI, the nation experienced 128 ransomware incidents in 2025. This figure represents a drop from the 141 attacks recorded the previous year, illustrating a slight, yet significant, downturn in these cyber threats. Despite this reduction, the agency emphasized that ransomware continues to pose a considerable risk, accounting for a substantial portion of overall cybercriminal activities.
While the decrease in ransomware attacks is encouraging, the report also pointed out an alarming rise in encryption-less cyber extortion incidents. Although these types of attacks were reported by partnering security vendors as increasing in frequency, ANSSI’s data indicated that such occurrences remained limited in 2025.
The report highlights that small and medium-sized businesses (SMBs) are still the primary targets of ransomware attacks. However, it also noted a discernible shift, as public health institutions and educational organizations witnessed the most significant year-over-year increases in ransomware incidents. This pivot underscores the evolving threat landscape where traditionally safer sectors are increasingly vulnerable.
ANSSI identified several ransomware strains that were particularly prevalent in 2025: Qilin (accounting for 21% of attacks), Akira (9%), and LockBit 3.0/LockBit Black (5%). Notably, 2025 marked the first detection of more than a dozen additional ransomware strains, including Nova, Warlock, and Sinobi, highlighting a diverse and shifting ransomware ecosystem.
The agency assessed that the decrease in ransomware attacks could be partially attributed to successful preventive measures taken by cyber defenders, particularly those from ANSSI, combined with large-scale law enforcement operations aimed at dismantling cybercriminal networks. One such operation, dubbed Operation Endgame, was particularly impactful. It disrupted significant portions of the ransomware landscape, effectively undermining the trust and operational capacity within cybercriminal environments.
Additionally, the report indicates that ANSSI handled a total of 3,586 cyber alerts in 2025, which signifies an 18% decline compared to the previous year. This decrease can be partially explained by a surge in alerts during the 2024 Paris Olympic and Paralympic Games, suggesting that exceptional events can lead to spikes in cyber activity. Out of these alerts, 1,366 were confirmed incidents involving malicious actors, a figure that aligns closely with the previous year’s report.
However, the report also indicated an increase in data exfiltration incidents, with 460 events flagged as potential data leaks in 2025. Of these, approximately 42% were verified as genuine compromises, while the remainder involved either false claims or recycled data from previous breaches, underlining the need for skepticism when evaluating claims of data theft.
Another positive trend highlighted by ANSSI was a significant reduction in distributed denial-of-service (DDoS) attacks targeting French organizations in 2025. This decline not only benefits organizations directly but also reflects the effectiveness of the strategies employed to counter such attacks.
The report further emphasized the growing complexities in attributing cyber incidents to particular actors. ANSSI noted a blending between nation-state attackers and cybercriminals, where both groups increasingly share tactics and capabilities. This convergence complicates attribution efforts, with tasks being distributed among various actors, each specializing in different phases of a cyber attack.
Vincent Strubel, the director general of ANSSI, reflected on the concerning instances of cyber-attacks on the Polish electrical infrastructure at the end of 2025, describing them as indicative of a "feared scenario" for which France was preparing. He underscored the centrality of cyber-attacks in future hybrid assaults against critical infrastructure, predicting that by 2030, such actions would escalate significantly.
In closing, Strubel affirmed that France possesses the resources necessary to counteract these threats effectively, aiming to deter or at least complicate the efforts of those seeking to exploit its digital landscape. Thus, while the statistics surrounding ransomware present a cautious optimism, the reality of cyber threats remains complex and ever-evolving, necessitating ongoing vigilance and adaptation.

