Hacking attempts by ransomware attackers against small and medium-sized businesses have significantly increased with potential considerable geopolitical, economic, and national security implications, a joint report issued earlier this week by a major cyber firm and a prominent insurance broker company said.
Northwave Cyber Security is a premier European specialist that helps organizations strengthen resilience and respond effectively to cyber incidents.
Marsh, a business pertaining to Marsh McLennan with its own division in Israel, says it is a top insurance broker and risk adviser. Marsh McLennan is a global leader in risk, strategy, and people, advising clients in 130 countries across four businesses with annual revenue of over $24 billion and more than 90,000 colleagues.
Further, Marsh Israel says that it is among the Jewish state’s leading insurance brokers and risk advisers, adding that it helps its “clients dream bigger, reach further, and plan for the opportunities ahead.”
Ransomware attacks intensifying globally
According to findings by Marsh and Northwave Cyber Security, the increase in cyberattacks marks a strategic shift by ransomware attackers, now targeting the soft underbelly of Israeli and other Western economies.
With many of these hackers associated with rogue foreign countries, they are choosing this approach rather than limiting their attacks to larger corporations and government entities, the report pointed out.
Russia, Iran, North Korea, and China are often involved in paying or assigning ransomware hackers to attack Israel and Western states to achieve geopolitical aims, such as destabilizing those countries’ economies and weakening their national security resilience.
Peter Teishev, the head of the Special Risks Department at Marsh Israel, said, “As ransomware attacks continue to expand and become more sophisticated and decentralized, organizations are required to rethink how they manage risk.”
“For organizations, and especially in Israel, which has experienced exceptionally intense and frequent attacks over the past two years, this is a pivotal moment where the responsibility for protection shifts from post-incident response to proactive readiness,” he added.
The Marsh and Northwave report is based on thousands of cyber incidents handled across Europe, along with a broad analysis of attack data collected throughout the continent, and applies equally to the Israeli context.
According to global findings, in 2024, approximately €700 million in ransom payments were made worldwide, with the average ransom reaching €172,000 – about 2% of the victim organization’s annual revenue.
In Europe, the number of ransomware attacks rose by 34% in the first half of 2025 compared to the same period last year, the report said.
The most affected sectors, it noted, include IT services, retail, construction, and logistics, industries characterized by long supply chains and heavy reliance on cloud systems.
According to the report’s data, new business models such as Ransomware-as-a-Service (RaaS) have turned ransomware into a structured, highly profitable industry.
Even after authorities take enforcement measures, attack groups tend to split, rebrand, and resume operations, making it increasingly difficult to contain the phenomenon, the study found.
In many cases, these attacks also carry geopolitical motives, with threat actors targeting critical infrastructure such as healthcare, transportation, and energy, the report stated.
Just last week, the Israel National Cyber Directorate (INCD) said that a wave of cyberattacks targeting Israeli companies that provide IT services to businesses across the country, possibly connected to Iran, had been identified.
The overall unsuccessful hack targeting Tzrifin’s Shamir Medical Center on Yom Kippur earlier this month, which leaked emails containing sensitive patient information, was deemed by the directorate to be an Iranian attempt to disrupt the hospital’s functions.
Initially, a ransomware group from Eastern Europe claimed responsibility, posting an extortion demand with a 72-hour deadline. However, Israeli authorities later determined that Iranian actors orchestrated the operation.
Officials said the incident was linked to a larger campaign targeting Israeli companies and critical service providers in recent weeks.
More than 10 private firms have been hit by cyberattacks that often exploit vulnerabilities in digital service providers within their supply chains.
That incident of Iran using Eastern European ransomware attackers to damage Israel’s national security strategically strongly dovetailed with the latest findings of the Marsh and Northwave report.
Russia-aligned hackers
Another interesting finding it made was that Russia’s invasion of Ukraine initially triggered internal divisions among ransomware actors.
Some aligned with Russia and have been recruited into state-linked operations against critical infrastructure in EU and NATO countries, said the report.
Conversely, others opposed the politicization of the war between Russia and Ukraine, leading to a high-profile breakup involving the Conti Group, once a major ransomware player.
Following the group’s pro-Russia declaration, over 60,000 internal chat logs, source codes, manuals, and screenshots were published on a social media account in what became known as the ContiLeaks, according to the report.
However, the Russia-associated ransomware actors rebranded into several smaller units.
In this increasingly fragmented ecosystem, competition among ransomware groups has intensified, and some groups’ tactics have become more erratic, according to the Marsh and Northwave Cyber Security report.
In addition, it said, “With global cyber insurance prices dropping by about 12% in the last quarter, this combination creates a new reality – the threat is growing, but preparedness is
becoming more accessible.”
Jerusalem Post Staff contributed to this report.