Reading the ENISA Threat Landscape 2025 report

ENISA Threat Landscape 2025: Rising ransomware, AI phishing, and state-backed espionage mark a converging, persistent EU cyber threat landscape.

The ENISA Threat Landscape 2025 report provides a comprehensive analysis of the evolving threat landscape in Europe. The report analyzes the events that occurred between July 2024 and June 2025, including nearly 4,900 verified incidents. This year’s edition combines technical depth with strategic insights. The report emphasizes how the threat landscape is maturing, characterized by the rapid exploitation of vulnerabilities, the professionalization of cybercrime, and the increasing convergence between criminal, state-aligned, and hacktivist operations.

“In parallel, hacktivist tooling and criminal ecosystems increasingly intersect. FunkSec’s emergence in late 2024 brought FunkLocker ransomware, blending political messaging with financial extortion, underscoring how quickly ideology-driven branding can pivot to monetisation.” reads the report. “Hacktivists, seeking funding and visibility, embraced ransomware beyond DDoS and defacements. CyberVolk, operating in line with Russian interests, has used and promoted multiple strains—AzzaSec, HexaLocker, Parano, as well as LockBit and Chaos—since May 2024. KillSec, originally a pro-Russia hacktivist brand aligned with Anonymous, debuted its platform in June 2024.”

Ransomware continues to be one of the most dangerous threats; it represents the most disruptive and economically damaging activity across the EU. ENISA notes that ransomware groups have decentralized operations following major law enforcement actions, adopting aggressive double- and triple-extortion tactics and exploiting regulatory compliance fears to pressure victims.
The growth of Ransomware-as-a-Service (RaaS), public leaks of builder tools, and the rise of access brokers have dramatically lowered barriers to entry, fostering a diverse and resilient criminal marketplace.

State-sponsored and state-aligned actors have simultaneously escalated long-term cyber-espionage campaigns, particularly targeting telecommunications, logistics networks, and manufacturing sectors within the EU. These operations showcase advanced tradecraft, including supply-chain compromises, modular malware, and abuse of signed drivers to maintain persistence and evade detection.

A striking element of the report is the dominance of hacktivist operations, which account for almost 80% of all recorded incidents. These are primarily low-impact Distributed Denial-of-Service (DDoS) campaigns motivated by ideology or geopolitics, often leveraging low-cost, easily available tools. While their direct impact remains limited, their scale demonstrates how cyber operations have become instruments of digital protest and influence.

From a sectoral perspective, public administration remains the most frequently targeted (38% of cases), followed by transport, where maritime and logistics infrastructure have faced significant disruption from both ransomware and espionage campaigns. Aviation and freight operations also experienced incidents affecting continuity, while digital infrastructure and online services continue to attract attention from both ransomware operators and espionage actors.

Phishing remains the primary intrusion vector (60%), evolving toward industrialized, subscription-based models such as Phishing-as-a-Service (PhaaS). These platforms enable even low-skilled adversaries to conduct sophisticated campaigns, leveraging AI-generated content, synthetic media, and automation. Meanwhile, vulnerability exploitation (21.3%) remains a cornerstone of initial access, with adversaries often weaponizing newly disclosed flaws within days.
ENISA stresses the urgency of timely patching and robust cyber hygiene as key defense measures.

A growing concern highlighted in the report is the role of Artificial Intelligence. By early 2025, AI-assisted phishing and social engineering accounted for over 80% of observed global activity in this category. Attackers are exploiting jailbroken AI models, synthetic voice and video content, and model poisoning to automate reconnaissance, impersonation, and influence operations, making detection and attribution increasingly difficult.

“As a predictable trend, Large Language Models (LLMs) are leveraged to craft more convincing phishing emails; with reportedly over 80% of all phishing emails identified between September 2024 and February 2025 using AI to some extent. AI is notably used in vishing and online fraud involving impersonation, with the use of deepfakes, as well as for malware development.” continues the report. “Threat groups were observed to be leveraging commercial LLMs to augment operations, as well as jailbroken or retrained (diverted) LLMs such as WormGPT, EscapeGPT and FraudGPT, to automate social engineering activities and accelerate the development of malicious tools.”

Overall, the ENISA Threat Landscape 2025 describes a convergent and persistent threat environment, one where traditional distinctions between cybercrime, espionage, and hacktivism are increasingly blurred. Rather than single high-impact attacks, Europe now faces continuous, diversified, and overlapping campaigns that collectively erode resilience and trust.

ENISA concludes by urging EU Member States and organizations to prioritize cross-sector collaboration, enhance situational awareness, and embed resilience through improved vulnerability management, threat intelligence sharing, and investment in cybersecurity capacity building.
The report paints a clear picture: the European threat landscape is no longer defined by isolated incidents, but by a constant, adaptive pressure on digital infrastructure and society as a whole.

Pierluigi Paganini

(SecurityAffairs – hacking, ENISA Threat Landscape 2025)