Global cyber attacks decline, but ransomware jumps 46% as GenAI threats hit education, telecom, government


New research from Check Point reveals that while global cyber attack volumes stabilized slightly during September, ransomware and generative AI (GenAI)-related risks surged, with ransomware rising 46%. Organizations faced an average of 1,900 cyber-attacks per week, a 4% decrease from August but still a 1% increase year-over-year. Although overall attack volumes appear steady, evolving techniques, shifting target industries, and the rapid growth of GenAI-related threats highlight an increasingly complex and dynamic cyber threat landscape.

The Check Point team noted that the education sector remained the most targeted, with an average of 4,175 weekly attacks per organization, a 3% decrease year-on-year, yet still far higher than any other sector. The telecommunications industry ranked second with 2,703 weekly attacks, marking a 6% rise year-on-year, followed closely by government institutions at 2,512 weekly attacks, reflecting a 6% decline year-on-year.

“These trends reaffirm that data-rich and service-critical sectors remain at the forefront of cyber criminal interest,” the post added. “Attackers continue to exploit their dependency on digital infrastructure and sensitive data flows, particularly in environments where hybrid work, cloud integration, and legacy systems coexist.”

Regionally, Check Point reported that Africa continued to experience the highest average number of attacks, though volumes fell 10% year-over-year to 2,902 weekly attacks per organization. Latin America followed closely with 2,826 weekly attacks, representing a 7% increase year-over-year, while the Asia-Pacific region registered 2,668 attacks, a 10% decline compared to the previous year. Europe saw an average of 1,577 weekly attacks, down 1% year-over-year, and North America recorded 1,468 attacks per week, marking the largest increase among all regions at 17%.

“The increasing integration of generative AI tools into enterprise workflows has introduced new vectors for data leakage,” Check Point disclosed. “In September, 1 in every 54 GenAI prompts from enterprise networks posed a high risk of sensitive data exposure — a threat that impacted 91% of organizations using GenAI tools regularly. Additionally, 15% of all prompts contained potentially sensitive information, including customer data, internal communications, or proprietary code snippets.”

Clearly, these findings underscore the urgent need for governance and security controls around GenAI adoption. Without adequate safeguards, productivity gains can come at the cost of significant data security risks.

September saw a sharp resurgence in ransomware activity, with a total of 562 attacks publicly reported, representing a 46% increase compared to September 2024. North America remained the most affected region, accounting for 54% of all reported incidents, followed by Europe at 19%. The U.S. alone accounted for 52% of cases, followed by Korea with 5%, the U.K. with 4%, and Germany with 4%. 

Construction and engineering was the most impacted sector, representing 11.4% of victims, followed closely by business services at 11% and industrial manufacturing at 10.1%. Other key sectors, including financial services at 9.4%, healthcare at 8.4%, and consumer goods at 5.5%, also remained heavily targeted, reflecting ransomware’s continued diversification.

Providing insights from threat actor data leak sites, Check Point highlighted the current leading ransomware groups. Qilin, accounting for 14.1%, is one of the most established RaaS (ransomware-as-a-service) groups and has maintained consistent victim disclosures since 2022. Following RansomHub’s retirement, Qilin expanded its affiliate network, leveraging a Rust-based encryptor and an advanced RaaS panel for affiliates. Play, also known as PlayCrypt, represents 9.3% and targets organizations across North America, South America, and Europe, exploiting unpatched vulnerabilities, particularly in Fortinet SSL VPNs, and using living-off-the-land binaries (LOLBins) for stealth operations. 

Furthermore, Akira accounts for 7.3% and has been active since early 2023; its Rust-based variant now targets Windows, Linux, and ESXi systems, focusing on business services and industrial manufacturing while implementing runtime controls and selective encryption to hinder detection and analysis. These actors demonstrate the current state of the ransomware ecosystem, where professionalized RaaS models and rapid tool development enable adversaries to scale operations faster than ever.

While overall attack volumes appear relatively stable, the data clearly shows that ‘attackers are intensifying their operations,’ refining techniques, and exploiting weaknesses across industries and regions, the researchers noted.

The researchers added that the 46% surge in ransomware activity, combined with the growing risks of data exposure through GenAI tools and continued targeting of education, manufacturing, and critical infrastructure, underscores the urgent need for organizations to strengthen their defenses.
