France: National Cybersecurity Agency Reports Ransomware Attack Drop in 2025

France’s latest ANSSI threat report illustrates how a blend of technical hardening and high‑profile police operations can produce measurable drops in ransomware activity. Operation Endgame, a coordinated crackdown on ransomware operators, disrupted command‑and‑control servers and financial pipelines, directly contributing to the 9% decline in reported incidents. This outcome reinforces the value of public‑private partnerships, where intelligence sharing accelerates takedowns and deters criminal groups from targeting French entities.

Despite the overall decrease, the report highlights a shifting attack surface. Small and medium‑size businesses remain the most frequent victims, but healthcare and education institutions experienced the steepest growth, reflecting attackers’ appetite for high‑value data and disruption potential. The emergence of previously unseen strains—Nova, Warlock, and Sinobi—signals that ransomware developers continue to innovate, often borrowing code from established families to evade detection. Organizations should therefore augment traditional signature‑based defenses with behavior‑analytics and threat‑intel feeds that capture these novel variants.

A more nuanced challenge emerges from the blurring lines between nation‑state actors and cybercriminals. Shared tools and joint operations complicate attribution, raising the specter of hybrid attacks that combine espionage, sabotage, and ransomware extortion. ANSSI’s warning about a potential surge in such blended threats by 2030 urges French firms to adopt a holistic security posture, integrating incident‑response planning, supply‑chain risk management, and resilience testing. Proactive investment now can mitigate the amplified impact of future multi‑vector campaigns.