Sanly Tech
DE / EN
Back to blog
· IT Security · 7 min · Sanly Tech

When the Printer Prints Ransom Notes: Why Cyberattacks Have Become an Existential Threat to German SMEs

RansomwareCyberattackSMEIT SecurityBitkomBSI

On the morning of May 19, 2025, the printers at Fasana GmbH in the Stotzheim district of Euskirchen stopped printing delivery notes — they printed extortion letters instead. A few hours later, the entire network was at a standstill. 190 desktops and laptops were encrypted, production came to a halt, not a single invoice could be sent. The company, which had been producing napkins since 1919 and counted among the most traditional paper manufacturers in Germany, filed for insolvency on June 1, 2025. The time between the attack and insolvency: less than two weeks. Around 240 jobs were suddenly on the line.

Fasana is not an isolated case. And that is precisely the disturbing message for every managing director of a German SME.

SMEs Are in the Crosshairs — and That Is No Cliché

The current Bitkom study “Wirtschaftsschutz 2025” paints a picture that should wake up even hardened IT leaders:

  • 87 percent of German businesses were affected by data theft, espionage, or sabotage in the past twelve months.
  • The total damage to the German economy amounts to EUR 289.2 billion, of which EUR 202.4 billion is attributable to cyberattacks alone.
  • 34 percent of companies were hit by ransomware — almost three times as many as in 2022.
  • 59 percent of businesses now consider cyberattacks an existential threat — up from less than 10 percent in 2022.

The situation report from Germany’s Federal Office for Information Security (BSI) adds a crucial point: of the 950 ransomware attacks recorded during the reporting period, around 80 percent targeted small and medium-sized enterprises. A Cisco study conducted in parallel found that only two percent of German SMEs qualify as “optimally prepared.”

Why SMEs in particular? The answer is uncomfortable but logical: SMEs often lack a dedicated IT security team, 24/7 monitoring, or red-team testing — yet they are embedded in the supply chains of large corporations. For attackers, they are the path of least resistance with comparatively attractive returns.

How the Attacks Unfold

The entry vectors have become more professional in recent years, but they have hardly changed:

Phishing and social engineering remain the number-one point of entry. A convincingly crafted email, a manipulated link, an attachment with a macro — a single careless click is enough. What is new: attackers increasingly rely on AI-generated deepfakes — fake calls in the style of the CEO, highly personalized spear-phishing emails based on LinkedIn data.

Ransomware has become the dominant threat. And it is no longer just encryption — around 72 percent of modern attacks now use what is called “double extortion”: the data is also copied and publication is threatened. Those who don’t pay suffer twice.

Supply-chain attacks are on the rise. Attackers compromise a supplier or service provider in order to gain access to the actual target organizations through that channel.

Exploitation of vulnerabilities remains a structural problem: according to the BSI, around 119 new security vulnerabilities in IT systems are disclosed every day — an increase of 24 percent compared to the previous year.

The Real Costs — and Why They Go Far Beyond the Ransom

Public attention often focuses on the ransom amount. That is understandable, but misleading. A typical ransomware attack on a mid-sized business produces the following cost blocks:

  • IT recovery and forensics: EUR 50,000 to 200,000
  • Legal counsel and crisis management: EUR 20,000 to 100,000
  • Ransom payment (if made): according to Bitkom, between EUR 100,000 and 500,000 in 34 percent of cases
  • Production downtime: at Fasana alone, orders worth over EUR 250,000 on the first day after the attack
  • GDPR notifications and potential fines
  • Customer attrition and reputational damage

Reputational damage alone is estimated to cost the German economy a double-digit billion-euro amount. And this is precisely the item that is so insidious: it doesn’t show up in any Excel sheet, but it surfaces in the months after the attack as lost tenders, departing new customers, and nervous investors.

Five Levels Where a Cyberattack Hurts

To understand the impact, you have to look beyond the pure IT perspective:

1. Operational standstill. Production halts, logistics goes blind, customer communication dies. Fasana employees reported that even the simplest tasks — like printing delivery notes — were impossible.

2. Liquidity crisis. Without working systems, there are no invoices, no incoming payments, no control over outstanding balances. Meanwhile, salaries, rent, and supplier invoices keep running. The path to insolvency is short.

3. Brand damage. “The company that got hacked” — that label sticks. B2B customers in particular, who depend on reliability and data security, draw their conclusions quickly.

4. Loss of trust with partners. Banks demand additional collateral, insurers review policies, major clients ask for audit reports. The entire risk position of the business is reassessed.

5. Existential threat. In the worst cases: insolvency.

There Is Now a Sobering List

Fasana is the most prominent case from 2025, but far from the only one. The list of German companies that had to file for insolvency after a cyberattack keeps growing:

  • Einhaus Group from Hamm — once Germany’s leading provider of electronics insurance with up to 170 employees. Attacked in March 2023 by the ransomware group “Royal.” The company reportedly paid around EUR 200,000 in ransom in Bitcoin. The sum was later seized as part of international investigations — but not returned to the company due to ongoing proceedings. Two years later, insolvency followed. The workforce shrank from 170 to eight.
  • Eu-Rec from Hermeskeil (Rhineland-Palatinate) — the recycling and waste management company discovered the attack at 7:12 AM on April 7, 2025, and had to file for insolvency shortly thereafter. Around 200 customer and business contacts had been leaked, the IT infrastructure severely damaged. The company had already been struggling with economic headwinds before the attack — the cyberattack became the final blow.
  • Other cases such as NRS, Scoop Aalen Hotelbetriebs GmbH, and KNP join the list.

Industry, region, size — the patterns are interchangeable. What united these companies was not what they produced, but what they did not have: a tested recovery strategy, segmented networks, working offline backups, and a rehearsed incident response plan.

What Businesses Should Do Now

The good news: the measures that work are well known. What is usually missing is not the knowledge, but the execution.

Systematically reduce the attack surface. Retire outdated software, disable unused services, grant access rights according to the principle of least privilege. Secure all external access points with multi-factor authentication — no exceptions.

Introduce zero-trust principles. Instead of a “castle-and-moat” mentality — trustworthy inside, dangerous outside — every access request is verified independently. This is not a single product, but an architectural decision that can be implemented step by step.

Early-warning systems with AI-based anomaly detection. Classic signature-based security software only recognizes what is already known. Modern systems learn the normal behavior of a network and raise the alarm when something is unusual — even for entirely new attack patterns.

Backups that actually work. The 3-2-1 rule (three copies, two media, one offline or immutable) is the minimum. What matters most: recovery must be tested regularly. A backup that cannot be restored when it counts is worthless.

Prepare an incident response plan and crisis communication. Who do you call in an emergency? Which external service provider is on retainer? Who speaks to the media? Who informs customers? These questions must be answered before a crisis hits.

Involve employees. The best technical protection fails on a phishing email that someone clicks. Regular, hands-on training is not a compliance checkbox, but one of the most cost-effective security measures there is.

Review cyber insurance. Insurance does not replace preventive measures, but in an emergency it can make the difference between a managed crisis mode and insolvency. Important: review the policy conditions carefully — many policies require certain security standards to be in place.

Conclusion: From “If” to “When” — and What Happens After

The Bitkom numbers make it clear: a cyberattack is no longer an abstract threat for German businesses, but a statistically highly probable event. The decisive question has shifted. It is no longer “Will we be attacked?” but “How well prepared are we when it happens?”

Cyber resilience is neither purely an IT topic nor a compliance topic alone. It is a strategic survival issue that belongs on the agenda of the executive leadership. Those who continue to treat the subject as a cost center are saving in the wrong place — the bill after a successful attack comes in many times higher than any prevention.

Fasana, Einhaus, Eu-Rec — these companies had decades of history, loyal customers, good products. What they did not have was enough time between the first click on the malicious email and the walk to the insolvency court.

That time can only be won beforehand. Not after.

Want to build your company’s cyber resilience systematically, or put existing measures to the test? Talk to us — a structured security check is the first step toward a resilient security strategy.

Schedule a free consultation

Sources: Bitkom Wirtschaftsschutz Study 2025 · BSI Report on the State of IT Security in Germany 2025 · Cisco Cybersecurity Readiness Index 2025 · Reporting by Security Insider, WDR, Kölner Stadt-Anzeiger, t-online, The Register (2025)