ZIUR Detected Nearly 2,000 Ransomware Incidents in the Fourth Quarter of 2025

2026 / 01 / 28
Attacks rose 14.62 % in this period, with the manufacturing, technology, consumer services, healthcare, and construction sectors as the main targets.

The manufacturing, technology, healthcare, consumer services, and construction sectors were the main targets of ransomware attacks, which increased by 14.62 % during this period.

ZIUR, the Cybersecurity Center belonging to the Provincial Council of Gipuzkoa, warns of a significant increase in ransomware. During the fourth quarter of 2025, 1,951 incidents were recorded, representing a 14.62 % increase compared to the previous quarter. The most affected sectors were manufacturing, technology, healthcare, consumer services, and construction, a trend that remains stable both globally and in Spain, according to the latest Cyber Intelligence report prepared by ZIUR.

In Spain, 33 ransomware incidents were confirmed, compared to 24 in the previous quarter. Sectors such as transportation and tourism stand out, showing a greater relative impact than in the international context, especially due to their dependence on complex supply chains.

“Ransomware continues to be one of the main threats to industry, with sustained activity and increasing diversification of actors,” María Penilla, director of ZIUR, points out. “The pressure on supply chain-intensive sectors demonstrates that cybersecurity can no longer be addressed in isolation.”

Furthermore, Spain remains among the ten countries most affected by hacktivist attacks worldwide, ranking fourth, although no organized campaign specifically targeting the country has been detected.

Over the past year, Spain moved in and out of this list constantly. In the third quarter, the country once again appeared in the top positions after suffering an operation carried out by multiple hacktivist groups dubbed #OpMortadelos. In the fourth quarter, it remained in the top positions of the ranking, although no specific campaign was detected.

Analysis by the Gipuzkoa Industrial Cybersecurity Center (ZIUR) indicates that 3,663 successful distributed denial-of-service (DDoS) attacks were recorded globally during this period, with Ukraine, Denmark, and Italy as the main targets. Spain's inclusion in this ranking is due to greater exposure of internet-accessible services and infrastructure, and not to a specific strategic interest on the part of hacktivist groups.

"Unsophisticated" Attacks

"Spain's appearance among the most attacked countries does not imply a coordinated offensive against the country, but rather reflects a context of high hacktivist activity and technical opportunities arising from insecure configurations," explains María Penilla, director of ZIUR. "These are generally unsophisticated attacks, but with a potentially significant impact if they affect critical services."

As in previous quarters, the government and energy sectors have been the most affected in Europe, in line with the ideological and visibility motivations that characterize hacktivism. ZIUR highlights that these groups typically access exposed industrial environments through basic practices, such as using default credentials or insecure configurations, thus underscoring the importance of strengthening digital hygiene measures.

The report also commends the swift joint action of law enforcement and platforms like Telegram, which has allowed for the closure of most hacktivist channels in less than 24 hours, hindering the identification of targets and the coordination of attacks.

Data Leaks and Persistent Risk

During the last quarter, 34 suspected data breaches related to Spanish organizations and institutions were detected, a lower figure than in the previous period, although with an increase in leaks directly affecting citizens. The insurance and energy sectors remain priority targets, with patterns pointing to organized campaigns to steal and sell sensitive information.

ZIUR concludes that the current scenario demands strengthening the protection of exposed industrial environments, improving monitoring, and adopting a preventative approach, especially in critical sectors. “The key is not just to react, but to anticipate,” Penilla emphasizes. “Industrial resilience involves combining technology, processes, and awareness in an increasingly dynamic threat environment.”

Read the report here: https://www.ziur.eus/es/-/informe-de-ciberinteligencia-industrial-del-cuarto-trimestre-de-2025