A short-term decline in attack volumes masks deeper structural shifts, as ransomware accelerates and GenAI exposure risk expands across enterprises
Check Point Research, the threat intelligence arm of Check Point® Software Technologies Ltd., today released its Global Threat Intelligence insights for May 2026, revealing that organisations worldwide experienced an average of 2,055 cyber attacks per week, representing a 2% increase year on year, and a short term 7% decrease month on month.
Following the sharp rebound observed in April, May’s figures suggest a temporary easing in attack volumes rather than a sustained decline. While overall volumes moderated, ransomware activity and GenAI-related data exposure risk continued to rise, underscoring a threat landscape that remains highly active.
“May’s numbers show that lower volumes do not equate to lower risk,” said Omer Dembinsky, Data Research Manager at Check Point Research. “Attackers are continuously adapting, shifting their timing and techniques rather than slowing down. As ransomware scales and GenAI adoption accelerates across enterprises, organisations must assume constant exposure and prioritise prevention-first, AI-driven security strategies that can stop threats before impact.”
Education, Government and Telecommunications Remain Primary Targets as Emerging Sectors See Rapid Growth
In May, the Education sector once again ranked as the most targeted industry globally, facing an average of 4,641 weekly attacks per organisation, reflecting a 7% year-on-year increase. Large, open user environments, combined with limited security resources, continue to make educational institutions highly attractive targets for threat actors.
Government organisations followed with 2,620 weekly attacks, while Telecommunications ranked third with 2,583. Beyond these traditionally targeted sectors, Agriculture, Hospitality, Travel and Recreation, and Construction and Engineering also saw notable growth, showing how digital transformation is expanding the attack surface across a wider range of industries.
All Regions Maintain Pressure as Latin America Remains the Most Targeted Globally
Regionally, Latin America remained the most targeted region worldwide, averaging 3,149 weekly attacks per organisation and recording a 13% year-on-year increase. Rapid digitalisation, combined with uneven cybersecurity maturity, continues to drive sustained adversary focus across the region.
Africa recorded a year-on-year decline in activity but remained among the most targeted regions globally due to persistently high attack volumes. Elsewhere, activity stayed elevated despite the overall moderation observed in May.
GenAI Adoption Continues to Drive Data Exposure Risk at Scale
Despite the slight decline in overall attack volume, GenAI-related risk remained consistently high throughout May. Check Point Research found that one in every 25 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, affecting 91% of organisations that regularly use GenAI tools. An additional 22% of prompts contained potentially sensitive information. Organisations used an average of nine different GenAI tools in May, while the typical enterprise user generated 70 prompts per month. This rapid adoption continues to outpace governance and security controls, increasing the likelihood of unintentional data exposure through everyday GenAI use.
Ransomware Activity Surges, Reinforcing Disruption Risk
Ransomware remained one of the most significant threats in May, with 698 publicly reported attacks, representing a 48% increase year on year. This marks the sharpest annual growth recorded in 2026, with increases observed across all regions. Business Services remained the most targeted sector, accounting for 35% of reported ransomware incidents, followed by Consumer Goods and Services and Industrial Manufacturing. North America recorded the highest share of activity, followed by Europe and APAC, which has more than doubled the amount of published incidents from last year.
Ransomware Power Remains Concentrated as the Ecosystem Continues to Expand
Ransomware activity in May was led by a small number of highly active groups, as the broader ecosystem also continued to expand. Qilin remained the most active group, followed by The Gentlemen and DragonForce, highlighting a ransomware market that continues to scale through both established operators and emerging entrants. This combination of concentration at the top and expansion beneath it highlights a resilient ransomware ecosystem, where established operators maintain dominance while a growing number of smaller actors sustain persistent pressure across industries.
For more insights into May 2026 cyber threat trends, visit https://blog.checkpoint.com/research/global-cyber-attacks-ease-in-may-2026-but-ransomware-surges-48-as-threats-reorganize/
Views: 92
Click Here For The Original Source.
