In May 2026, global cyber-attack activity eased slightly from April’s sharp rebound, though the broader threat landscape remained volatile. Organisations experienced an average of 2,055 weekly cyber-attacks, reflecting a 2% year-over-year increase and a 7% month-over-month decline. While overall volumes moderated, ransomware activity recorded its highest year-over-year growth rate of 2026, while GenAI-related data exposure risks continued to expand across enterprise environments.
Short-term declines in attack volumes did not translate into reduced risk, as threat actors continued adapting their timing, tools, and targeting strategies.
The education sector remained the most targeted industry in May, averaging 4,641 weekly attacks per organisation, up 7% year over year. Government organisations followed with 2,620 weekly attacks, while telecommunications recorded 2,583.
Some of the sharpest increases emerged in sectors not traditionally viewed as major cyberattack targets. Agriculture saw a 51% year-over-year rise to 2,243 weekly attacks. Hospitality, travel, and recreation increased 24% to 2,291, while construction and engineering rose 23% to 1,999. Increasing digitisation and wider availability of automated attack tools are contributing to the shift.
Latin America remained the most targeted region, recording 3,149 weekly attacks per organisation, up 13% year over year. Africa experienced a 20% decline in attack volumes, though activity levels remained elevated.
Enterprise adoption of GenAI tools also continued accelerating in May, alongside growing concerns around sensitive data exposure. One in every 25 GenAI prompts originating from enterprise networks carried a high risk of sensitive data leakage, while 91% of organisations using GenAI tools were exposed to some level of risk. Additionally, 22% of prompts contained potentially sensitive information. Organisations used an average of nine GenAI tools during the month, with enterprise users submitting around 70 prompts per month on average.
Ransomware activity recorded one of the sharpest increases of the year, with 698 incidents reported globally in May, a 48% increase from 472 incidents in May 2025. Growth was observed across all major regions, including Asia, EMEA, and the Americas.
Business Services accounted for the largest share of ransomware victims at 35%, recording a 359% year-over-year increase from 54 to 248 incidents. Consumer Goods and Services rose 223%, while Industrial Manufacturing increased 50%.
North America accounted for 49% of reported ransomware incidents globally, followed by Europe at 22% and APAC at 19%. The United States alone represented 43% of all reported ransomware victims, followed by Canada, the United Kingdom, Germany, and Spain.
Ransomware activity also remained highly fragmented. While the top three groups accounted for 39% of published attacks, 58 additional groups were active during the month, reflecting the increasingly decentralised and competitive nature of the ransomware ecosystem.
Qilin accounted for 14% of published attacks and continued expanding following the decline of RansomHub. The Gentlemen emerged as the second most active group at 10%, despite having no recorded activity in May 2025. DragonForce ranked third at 8%, gaining traction by attracting affiliates displaced from other ransomware operations.
Although overall attack volumes declined modestly in May, ransomware activity intensified, newer threat groups matured rapidly, and sectors previously considered lower-risk experienced significant increases in attacks. The broader threat environment continued evolving, with attackers adapting faster than many traditional security and response models.
Click Here For The Original Source.
