Cyber Attacks Against Bulgarian Companies — Statistics & Trends 2025/2026
Cybercrime is no longer just a problem for banks and government institutions.
Small and medium-sized companies are among the primary targets — precisely because they hold valuable data but rarely have adequate defences. Here's what the 2025/2026 figures show, and what they mean for your business.
Note: The data in this article is based on publicly available reports from Europol, ENISA (the EU Agency for Cybersecurity), Verizon DBIR, and CERT Bulgaria. Where indicated, figures are pan-European or global, since national statistics for Bulgaria are not always publicly available.
Key Numbers for 2025
- 43% of cyberattacks in Europe target small and medium-sized enterprises (ENISA, 2024)
- 91% of attacks begin with a phishing email — the most common attack vector (Proofpoint)
- 194 days on average is how long it takes organisations to detect a data breach (IBM, 2024)
- +49% rise in ransomware — a recorded increase in ransomware attacks across Europe in 2024 vs 2023 (Europol)
Why Are Smaller Companies a Preferred Target?
Cybercriminal logic is simple: attacking a large corporation requires significant resources and skills. SMBs offer an easier target with real value:
- Customer data, contracts, and financial information — valuable for sale or extortion
- Weaker defences — no dedicated security team, outdated equipment, no MFA
- Less likely to detect an attack quickly
- Ability to pay — enough money for ransomware, but not enough for protection
An additional factor in Bulgaria and Eastern Europe: the growing use of regional companies as an "entry point" for attacks against larger partners and clients in Western Europe.
Top 5 Types of Cyberattacks Against SMBs in Bulgaria
1. Ransomware — Encryption for Ransom
Ransomware is the most destructive form of attack for small businesses. Malicious software encrypts all files on infected devices and networks. The victim receives a message demanding ransom (usually in cryptocurrency) in exchange for a decryption key.
- Average ransom for SMBs: €10,000–€50,000
- Even when the ransom is paid — only 65% of companies recover all their data (Sophos, 2024)
- Average downtime per ransomware incident: 22 days
- Main vectors: phishing email, vulnerable RDP access, compromised credentials
2. Phishing and Business Email Compromise (BEC)
Phishing is an email (or SMS/message) impersonating a legitimate sender — a bank, partner, or colleague — designed to trick the recipient into giving up a password, clicking a malicious link, or transferring money.
Business Email Compromise (BEC) is a more advanced form: the attacker compromises or impersonates a corporate email account and sends fake payment instructions. It's the leading cause of financial losses from cyberattacks in the EU.
- Average loss per BEC incident in Europe: €62,000 (Europol, 2024)
- In Bulgaria, fake payment instructions sent to accountants and finance directors have been recorded
- Defence: MFA on every email account + payment verification through a separate channel
3. RDP and Remote Access Attacks
Remote Desktop Protocol (RDP) allows remote access to computers and servers. When misconfigured (default port, weak passwords, no MFA), it becomes a primary entry point for attackers.
- RDP attacks rose by 37% after the mass shift to remote work (ENISA)
- Attackers scan the internet for vulnerable RDP ports automatically — 24/7
- Main risks: brute-forcing passwords, exploiting vulnerabilities in older Windows Server versions
4. Supply Chain Attacks
In a supply chain attack, the target isn't your company directly — it's a software or service provider you trust. When the provider is compromised, attackers gain access to all of its clients.
- The SolarWinds attack (2020) affected thousands of organisations worldwide through a single compromised update
- A growing risk for companies using cloud-based accounting or ERP software
- Defence: vendor vetting, principle of least privilege, network traffic monitoring
5. Credential Stuffing and Account Compromise
Attackers use lists of leaked usernames and passwords (from previous breaches) and test them automatically against various services. With password reuse — a single leaked account from another service is all it takes.
- 23 billion stolen credentials are available on the dark web (SpyCloud, 2024)
- Solution: MFA on every system + a password manager + a ban on password reuse
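The RDP brute-forcing and credential stuffing described in sections 3 and 5 leave different traces in authentication logs: brute force hammers one account with many passwords, while stuffing tries many accounts once or twice each. The Python sketch below is an added example, not code from this article or from BGS; the log format, the function name `classify_sources` and the thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (format assumed): "timestamp source_ip username result"
SAMPLE_LOG = """\
2025-03-01T09:00:01 203.0.113.7 anna FAIL
2025-03-01T09:00:02 203.0.113.7 boris FAIL
2025-03-01T09:00:03 203.0.113.7 clara FAIL
2025-03-01T09:00:04 203.0.113.7 dimitar FAIL
2025-03-01T09:00:05 203.0.113.7 elena FAIL
2025-03-01T09:00:06 203.0.113.7 filip FAIL
2025-03-01T09:00:07 203.0.113.7 georgi OK
2025-03-01T09:10:01 198.51.100.20 administrator FAIL
2025-03-01T09:10:02 198.51.100.20 administrator FAIL
2025-03-01T09:10:03 198.51.100.20 administrator FAIL
2025-03-01T09:10:04 198.51.100.20 administrator FAIL
2025-03-01T09:10:05 198.51.100.20 administrator FAIL
2025-03-01T09:10:06 198.51.100.20 administrator FAIL
2025-03-01T09:20:01 192.0.2.15 ivan FAIL
2025-03-01T09:20:09 192.0.2.15 ivan OK
"""

def classify_sources(log_text, min_failures=5, stuffing_ratio=0.8):
    """Label source IPs with many failed logins as stuffing or brute force."""
    failures = defaultdict(list)   # ip -> usernames of each failed attempt
    successes = defaultdict(set)   # ip -> usernames that logged in successfully
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        _ts, ip, user, result = parts
        if result == "FAIL":
            failures[ip].append(user)
        elif result == "OK":
            successes[ip].add(user)
    findings = {}
    for ip, users in failures.items():
        if len(users) < min_failures:
            continue  # a user mistyping a password stays below the threshold
        distinct = len(set(users))
        # Many distinct accounts per failure = stuffing; one account = brute force
        pattern = "credential_stuffing" if distinct / len(users) >= stuffing_ratio else "brute_force"
        findings[ip] = {
            "pattern": pattern,
            "failures": len(users),
            "distinct_users": distinct,
            "accounts_to_review": sorted(successes[ip]),  # logins that succeeded from a flagged source
        }
    return findings
```

Any account listed under `accounts_to_review` logged in successfully from a flagged source and is a candidate for a forced password reset and MFA enrolment.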
Most At-Risk Sectors in Bulgaria
Based on European data and BGService's practical experience, the following sectors are among the most affected in Bulgaria:
| Sector | Main threat | Main reason |
|---|---|---|
| Accounting & finance | BEC, phishing | Access to payments and banking data |
| Manufacturing | Ransomware | OT/IT convergence, outdated systems |
| Retail and e-commerce | Card data theft | Payments, customer databases |
| Law firms | BEC, data breach | Confidential documents, GDPR |
| Medical and clinics | Ransomware | Critical data, GDPR, 24/7 availability |
| Construction | Phishing, BEC | Invoices, contracts, payments |
How Much Does a Cyber Incident Cost a Small Company?
When companies think about the costs of a cyberattack, they typically only see the direct ones. The real cost is significantly higher:
- Direct costs: ransom, IT recovery, equipment replacement
- Downtime: in an average 20-employee company — 20 working days × 20 people = 400 person-days of lost productivity
- GDPR penalties: in case of personal data leakage — up to 4% of annual turnover or €20 million
- Reputational damage: loss of customers, broken trust
- Legal costs: notifications to those affected, communication with the data protection authority
- Insurance: if you don't have cyber insurance — everything comes out of your pocket
The average total cost of an incident for SMBs in Europe is estimated at €35,000–€150,000 once all direct and indirect costs are included.
Trends for 2026 — What's Coming Next
AI-Powered Attacks
Attackers are using AI to generate convincing phishing emails in the local language, deepfake voice messages for BEC attacks, and automated vulnerability scanning. The barrier to launching a sophisticated attack has dropped significantly.
Ransomware-as-a-Service (RaaS)
Ransomware is now offered as a service on the dark web — no technical skills required. That means more attackers, a lower barrier to entry, and a growing number of incidents against SMBs.
Attacks on Cloud Services
With the mass shift to Microsoft 365 and Google Workspace, attackers are focusing on compromising cloud accounts — especially where MFA is missing.
GDPR Enforcement in Bulgaria
The Bulgarian data protection authority (CPDP) is stepping up oversight and penalties. A data breach without adequate technical measures carries real regulatory risk.
How to Protect Your Company — Priority Checklist
Based on real-world experience working with SMBs in Bulgaria, these measures provide the strongest protection at an optimal cost:
- Enable MFA on every system — email, VPN, admin accounts. This blocks over 99% of automated attacks.
- Maintain regular, tested backups — offsite or in the cloud. Test actual recovery at least once a year.
- Train employees against phishing — simulated phishing tests are the most effective way to reduce risk.
- Keep systems updated — unpatched Windows and servers are a primary entry point.
- Restrict RDP access — if you have remote access, it should sit behind a VPN with MFA.
- Run a Security Health Check — know what you have before attackers find it.
What Does BGS Do to Protect Its Clients?
BGS applies a multi-layered approach to cybersecurity for the clients it manages:
- Proactive monitoring 24/7 — detecting anomalies before they turn into incidents
- Patch management — automated OS and application updates within a managed window
- Endpoint protection — managed antivirus and anti-malware on every device
- MFA rollout and management — across Microsoft 365, VPN, and critical systems
- Security Health Check — annual vulnerability audit
- Incident response — when an attack occurs, we follow a pre-built plan
Don't wait for an incident to find out how well your company is protected. Get in touch with BGS for a Security Health Check and risk assessment.