1. Overview
An estimated 92 ransomware incidents occurred in the Netherlands between January and December 2025 (ref: Project Melissa Report). While this represents a slight decrease compared to 2024, the NCSC estimates that only approximately 40% of incidents affecting large organizations and 10–15% of those affecting SMEs are captured in available data sources. The actual number of attacks is therefore estimated to be 2–3 times higher for large and mid-sized organizations, and up to 10 times higher for small businesses.
2. Methods of Intrusion
The two dominant initial access vectors in 2025 were account take-over (55%) and exploitation of vulnerabilities (30%). Notably, the proportion of incidents initiated via account take-over increased compared to 2024, reflecting a continued shift in attacker tradecraft. Account take-overs are typically the result of stolen credentials. Key techniques used to obtain credentials include:
- Infostealer malware
- Phishing attacks
- Adversary-in-the-Middle (AitM) attacks
No statistically significant correlation was identified between the initial access method used and the specific ransomware variant subsequently deployed.

3. Affected Sectors
The most heavily impacted sectors in 2025 were Trade (18%) and ICT (18%), followed by Construction (12%). ICT, which topped the rankings in 2024, has fallen from first place, reflecting the year-on-year variability in sector-specific targeting. No consistent correlation between sectors across years was observed. Sudden spikes in attacks against a specific sector are typically driven by the discovery of critical vulnerabilities in widely used technology within that sector.

43% of affected organizations required more than 3 days to recover, and 15% took more than one week to fully restore operations.
4. Evolution of Extortion Methods
In 2025, double extortion — the combination of data encryption and data theft — remained the dominant attack pattern, observed in 42.5% of incidents. Data theft without encryption, where threat actors threaten to publish or sell stolen data, accounted for 37.5% of cases — a notable share, likely reflecting attempts to evade detection by bypassing the encryption step entirely. Encryption-only incidents declined to just 5%.

| Methods | Share (2025) |
| --- | --- |
| Data theft only (no encryption) | 42.5% |
| Double extortion (encryption + data theft) | 37.5% |
| Encryption only | 5% |
| Unknown | 15% |
5. Recovery Statistics
While 72% of victims had usable backups, many still experienced extended recovery times — demonstrating that backup availability alone does not guarantee rapid restoration. Cyber insurance penetration stood at 41%, and only 33% of victims filed a police report, indicating that underreporting remains a significant concern.

| Metric | Value |
| --- | --- |
| Had usable backup | 72% |
| Insured | 41% |
| Filed police report | 33% |
| Recovery time > 3 days | 43% |
| Recovery time > 1 week | 15% |
6. Key Ransomware Families
A total of 39 unique ransomware families were identified in the Netherlands in 2025. More than half of all incidents were attributed to one of the five most prevalent families, indicating a high degree of concentration among active threat groups. The most active families were Akira, Qilin, PLAY, INCransom, and various LockBit variants. RansomHub, which was responsible for a large share of incidents in 2024, saw a sharp decline in activity — with detections limited to Q1 2025 only. This reflects the fluid nature of the ransomware ecosystem, where groups frequently disband, rebrand, or shift affiliations.

| Rank | Family | Notes |
| --- | --- | --- |
| 1 | Akira | Most active in 2025 |
| 2 | Qilin | Rapidly emerging threat |
| 3 | PLAY | Continued activity |
| 4 | INCransom | Emerging threat |
| 5 | LockBit (various variants) | Fragmented across variants |
| - | RansomHub | Sharp drop after Q1 2025 |
7. Recommended Actions
Technical Measures
- Deploy multi-factor authentication (MFA) across all systems and user accounts organization-wide
- Establish a rapid patching process for internet-facing edge devices (VPN appliances, firewalls, etc.)
- Implement Data Loss Prevention (DLP) solutions and classify sensitive data assets
- Strengthen network segmentation to limit lateral movement in the event of a breach
- Regularly test backup integrity and ensure offline and off-site backup storage
- Enforce access control governance based on the principle of least privilege
Organizational Measures
- Conduct annual reviews and tabletop exercises for incident response plans
- Assess supply chain risk and enforce security requirements for key third-party partners
- Maintain ongoing employee awareness training focused on phishing and infostealer threats
Contact | ID Europe B.V. (idnet.co.jp)



