Ransomware trends Q2 2025: key insights and how Dutch sectors are affected
In the second quarter of 2025, ransomware attacks have once again shown their disruptive force. According to several ransomware monitoring sites, six Dutch organizations were publicly listed as victims on leakpages from several different ransomware groups. Based on the data from these sites, this is a decrease of three companies compared to the same period last year. Please note that these are publicly listed victims, which means the total number of Dutch companies that were hit is most certain more than six.
Most notably, the hack on Ahold Delhaize stood out due to the high-profile nature of the company and its critical role in the Dutch retail landscape. The attack resulted in operational disruptions and sparked public concern about the vulnerability of essential supply chains.
Most Targeted Sectors
The Technology sector as well as the retail/consumer services sector were the most targeted, with 4 of the 6 incidents affecting these organizations. These organizations often act as critical enablers for other sectors, making them attractive targets for attackers seeking broader downstream impact.
The Construction sector was also hit, underlining the fact that ransomware is no longer limited to digital-native organizations. With increasing digitization and reliance on project management software, companies in this sector have become more vulnerable to cyber threats.
Some of the companies that were hit not only experienced downtime, but also had their data exposed, possibly resulting in financial losses and reputation damage.
Ransomware Groups
The ransomware group Incransom was observed in 2 of the incidents, making it the most active group in the Netherlands in Q2 2025. Incransom has built a reputation for double extortion tactics, in which data is both encrypted and exfiltrated, with victims facing the threat of public exposure on leak sites if they fail to pay. The group is known for targeting mid- to large-sized enterprises across Europe, and recent indicators suggest they may be refining their initial access methods to exploit managed service providers (MSPs).
The remaining incidents were carried out by a variety of other groups, each responsible for a single attack. This fragmentation highlights the growing diversity of actors in the ransomware ecosystem, with both established and emerging groups launching opportunistic or highly targeted campaigns.
How to Defend Against Ransomware
Organizations can reduce the likelihood and impact of ransomware incidents through a multi-layered security approach.
Key measures include:
- Multi-Factor Authentication (MFA): Enforce MFA across all remote access points, admin portals, and critical systems.
- Patch Management: Apply security updates regularly—especially for internet-facing services, VPNs, and known exploited vulnerabilities.
- Least Privilege Access: Restrict user rights to the minimum required for their role, and monitor privileged account activity.
- Backup Strategy: Ensure regular, automated backups are made and tested. Store backups offline or use immutable storage to prevent tampering.
- Creating Awareness: Employees are often the first and last line of defense. Make sure that they can recognize incidents, social engineering attempts and are up-to-date on the company’s policies and procedures.
- Incident Response Readiness: Maintain and rehearse a robust incident response plan. Identify roles, responsibilities, and external contacts in advance.
Regular security assessments and employee awareness training can further strengthen an organization's overall resilience.
How DataExpert Can Help
At DataExpert, we support organizations in preventing, detecting, and responding to ransomware threats.
Our services include:
- Security Operations Center (SOC) monitoring and threat detection
- Managed Security Awareness Training to help your staff recognize and respond to phishing attempts and other attack vectors
- Incident Response support to help contain, investigate, and recover from active attacks
If your organization is looking to strengthen its cybersecurity posture or needs assistance following a ransomware incident, our experts are ready to help.