A new joint report released this week by Northwave Cyber Security and Marsh, a division of Marsh McLennan, warns that ransomware attacks targeting small and medium-sized businesses have sharply increased, creating serious geopolitical, economic, and national security concerns. Northwave Cyber Security, a leading European cyber resilience firm, and Marsh, one of the world’s largest insurance brokers and risk advisers, analyzed thousands of cyber incidents across Europe and Israel to reveal how ransomware threats are turning into a structured global industry. 

The report finds that many ransomware operators, often linked to Russia, Iran, North Korea, and China, have intensified their attacks on small and mid-sized businesses that form the backbone of Western economies. Instead of focusing only on large corporations or government agencies, these groups are increasingly targeting vulnerable firms in sectors such as IT services, retail, logistics, and construction. 

Peter Teishev, head of the Special Risks Department at Marsh Israel, said the threat landscape has changed significantly. “As ransomware attacks become more sophisticated and decentralized, organizations must shift from responding after incidents to building proactive defense strategies,” he explained. 

He added that Israel has faced particularly high levels of cyberattacks over the past two years, making preparedness a national priority. The report estimates that global ransom payments reached nearly €700 million in 2024, with the average ransom demand standing at €172,000, which equals about 2 percent of a company’s annual revenue. 

In Europe, ransomware incidents increased by 34 percent in the first half of 2025 compared with the same period in 2024. Northwave and Marsh attribute this rapid growth to the rise of Ransomware-as-a-Service (RaaS) models, which allow criminal groups to rent out their hacking tools to others, turning ransomware into a profitable business. 

When authorities disrupt such groups, they often split and rebrand, continuing their activities under new identities. Recent attacks in Israel highlight the geopolitical aspects of ransomware. The Israel National Cyber Directorate (INCD) recently warned of a wave of intrusions against IT service providers, likely linked to Iran. 

One major incident targeted Shamir Medical Center in Tzrifin, where hackers leaked sensitive patient emails. Although an Eastern European ransomware group initially claimed responsibility, Israeli investigators later traced the attack to Iranian actors. 

Cyber experts say this collaboration between state-sponsored hackers and criminal groups shows how ransomware is now used as a tool of hybrid warfare to disrupt healthcare, energy, and transport systems for political purposes. 

The report also discusses divisions among hacker networks following Russia’s invasion of Ukraine. Some ransomware groups sided with Moscow and joined state-backed operations against NATO and EU countries. Others opposed this alignment, which led to the breakup of the infamous Conti Group. 

The exposure of more than 60,000 internal chat logs in what became known as ContiLeaks revealed the internal workings of the ransomware industry and forced several groups to reorganize under new names. Even with these internal divisions, ransomware operations have become more competitive and unpredictable. 

According to Marsh and Northwave, this has made it harder to anticipate their next moves. At the same time, cyber insurance prices fell globally by about 12 percent in the last quarter, making protection more accessible for many organizations. 

The report concludes that ransomware is no longer only a criminal enterprise but also an instrument of global power politics that can undermine economic stability and national security. As Teishev summarized, “The threat is growing, but so is the ability to prepare. The next phase of cybersecurity will focus not on recovery but on resilience.”