Throughout May 2025, the Government sector faced a heightened threat landscape, driven in large part by determined ransomware operators targeting public institutions across several European countries. Drawing on intelligence obtained from ransomware.live between 1 May 2025 and 31 May 2025, and corroborated by reports from Mandiant (Google Cloud) (15 May 2025), OTX (19 May 2025) and IBM X-Force Exchange (24 May 2025), three major breaches emerged in the Government sector within this four-week period. Each incident highlights diverse adversarial tactics, the exploitation of unpatched vulnerabilities and the importance of robust threat monitoring.
On 2 May 2025, a mid-sized city council in the United Kingdom reported a ransomware intrusion attributed to the LockBit group. According to the initial advisory posted on ransomware.live, the attackers leveraged stolen administrative credentials to bypass perimeter defences. Mandiant’s supplemental alert on 15 May 2025 confirmed that the threat actors exploited a known server-side vulnerability—patched earlier in the year yet still prevalent among unpatched public-facing systems—to gain initial access. Although the impacted municipality restored services after a four-day outage, the incident underscored the ongoing vulnerability of governmental IT infrastructures to credential compromises and incomplete patching.
In Germany, a regional governmental department encountered a significant attack on 11 May 2025, subsequently attributed to the BlackCat (ALPHV) ransomware group. IBM X-Force Exchange (24 May 2025) verified that BlackCat operators used a standard phishing campaign to trick employees into enabling macros within malicious spreadsheet attachments. Investigators discovered macros containing remote scripts designed to execute privileged commands and install the ransomware payload. Preliminary analysis points to an unpatched software dependency within the department’s legacy document management platform, enabling lateral movement. While the department’s data backup architecture mitigated immediate damage, the attack exposed the risks of outdated software and insecure email handling procedures.
The final major Government breach reported by ransomware.live occurred on 25 May 2025, when threat actors infiltrated a European Ministry of Transport’s administrative network. CrowdStrike Falcon OverWatch (27 May 2025) attributed the campaign to a suspected offshoot of the Carbanak threat group, leveraging advanced phishing tactics and exploiting an unpatched vulnerability in a custom-built reporting system. While that vulnerability has not yet been assigned a formal CVE number, the Ministry’s incident response team identified multiple attempts to deploy a privilege escalation exploit linked to CVE-2024-5535, a known weakness in certain administrative modules. Fortunately, swift containment measures confined the compromise to a limited subset of endpoints.
From these cases, several core lessons emerge. Firstly, the repeated exploitation of unpatched vulnerabilities highlights the importance of continuous patching, rigorous asset management and routine security assessments. Secondly, incidents involving phishing campaigns re-emphasise the ongoing need for comprehensive staff training that helps employees recognise and report suspicious emails. Thirdly, consistent offline backups and clear incident response playbooks strongly influence recovery times, particularly in high-stakes Government environments where service continuity remains paramount. Finally, cross-departmental collaboration and intelligence sharing—reflecting guidance from the UK’s National Cyber Security Centre—offer a critical advantage in detecting attack patterns at an early stage.
Expanding the review to encompass all publicly disclosed ransomware-related breaches (regardless of sector) in the United Kingdom and Europe from 1 May 2025 through 31 May 2025, ransomware.live and corroborating sources from Recorded Future (20 May 2025) record at least thirteen confirmed incidents. These attacks targeted not only Government entities but also large healthcare providers, multinational manufacturers and financial services firms, broadly indicating that criminal operators remain motivated to disrupt critical services and reputable brands. The infiltration strategies varied, with at least half involving phishing vectors and the remainder linked to direct exploitation of outdated software libraries. While ransom demands notably escalated, both Government and private-sector breach notifications showed that victim organisations increasingly refused payment, instead prioritising faster recovery through structured response programmes and updated backups.
In conclusion, the May 2025 threat environment underscores the evolving determination of ransomware groups to compromise large, complex entities, regardless of region or sector. Government organisations in particular face a mix of credential harvesting, spear phishing attempts and opportunistic vulnerability exploits. Where adversaries—such as LockBit, BlackCat and Carbanak offshoot groups—demonstrate advanced techniques, they often combine social engineering with precise knowledge of unpatched systems and privileged accounts. Strategic preparation, underpinned by timely patching, extensive user education and more rigorous incident detection, therefore remains vital. Moreover, the collective intelligence gathered across the UK and Europe stresses the importance of collaboration between governmental and private institutions to foster early-warning capabilities, share indicators of compromise and strengthen response efforts at scale. Investing in such shared grassroots resilience offers the clearest path to countering the evolving ransomware threat and safeguarding critical public services.
For additional insights, including detailed analysis of the threat groups mentioned in this report, please visit our dedicated pages within our Threat Intelligence Hub on Cyber Defence. Our latest updates also outline best practices for network segmentation, access logging and third-party risk governance—fundamental measures that help Government and other large organisations withstand the continued onslaught of ransomware and targeted cyber intrusions.