Attack Volumes Pull Back, But the Bigger Picture Tells a Different Story
In May 2026, global cyber-attack activity eased from April’s sharp rebound, though the underlying trends offer little genuine comfort. Organizations experienced an average of 2,055 weekly cyber-attacks, a 2% increase year over year and a short term 7% decrease month over month. While the monthly decline may read as stabilization, ransomware activity surged to its highest year-over-year growth rate of 2026, and GenAI-driven data exposure risks continued to deepen across enterprise environments.
Check Point Research data consistently shows that short-term volume moderation does not equal reduced risk. Adversaries keep recalibrating timing, tools, and targeting, and May is a clear example of that pattern.
The Sectors That Kept Taking the Hits
Education absorbed more attacks than any other industry in May, averaging 4,641 weekly attacks per organization, with year-over-year volumes climbing another 7%. The combination of open networks, high student turnover, and chronically stretched security budgets continues to make schools and universities an almost frictionless target. Government sat in second place at 2,620 weekly attacks, and Telecommunications followed at 2,583, both essentially where they were a year ago.
Where in the World Attacks Hit Hardest
The more interesting movement happened further down the list. Agriculture surged 51% year over year to 2,243 weekly attacks. Hospitality, Travel and Recreation climbed 24% to 2,291, and Construction and Engineering rose 23% to 1,999. These are not sectors anyone would have highlighted as cyber attack hotbeds two years ago. The growing digitization of their operations, combined with the sheer availability of automated attack tooling, is changing that calculation fast.
Latin America held the top spot for another month running, with 3,149 weekly attacks per organization and a 13% year-over-year increase, as rapid digitalization continues to outpace security maturity across the region. Africa posted the most dramatic shift of any region, down 20% year over year, though volumes remain high enough to keep it firmly in the danger zone.
GenAI: The Risk That Grows With Every New Tool Adopted
Enterprise GenAI adoption showed no signs of slowing in May, and neither did the exposure risks that come with it.
- 1 in every 25 GenAI prompts from enterprise networks carried a high risk of sensitive data leakage
- 91% of organizations using GenAI tools regularly were touched by this risk
- A further 22% of prompts contained potentially sensitive information
- Organizations ran an average of 9 different GenAI tools during the month
- The average enterprise user sent 70 GenAI prompts per month
Every new tool adopted without a governance framework in place is another surface where credentials, intellectual property, and internal data can slip out quietly. The exposure does not announce itself.
Ransomware Recorded Its Sharpest Year-Over-Year Jump of 2026
If May had a headline, this was it. 698 ransomware attacks were reported globally, a 48% increase on May 2025, when 472 incidents were recorded. The growth landed across every region: Asia up 119%, EMEA up 40%, the Americas up 39%. This was not concentrated pressure from one geography or one group. It was broad-based acceleration.
Business Services bore the sharpest end of it, accounting for 35% of all ransomware victims and recording a year-over-year increase of 359%, from 54 incidents to 248 in a single month. Consumer Goods and Services grew 223%, and Industrial Manufacturing climbed 50% from last year.
| Industry | Ransomware Victims |
| Business Services | 35.1% |
| Consumer Goods & Services | 15.5% |
| Industrial Manufacturing | 9.9% |
| Financial Services | 5.7% |
| Healthcare & Medical | 5.4% |
| Government | 4.3% |
| Information Technology | 3.9% |
| Education | 3.7% |
| Transportation & Logistics | 2.9% |
North America absorbed 49% of reported incidents globally, followed by Europe at 22% and APAC at 19%. The United States alone accounted for 43% of all reported ransomware victims, with Canada (5.6%), the United Kingdom (4.6%), Germany (4.0%), and Spain (3.0%) rounding out the top five.
Three Groups Led, But 61 Were Active
Ransomware in May was dominated at the top but remarkably spread out everywhere else. The top three groups accounted for 39% of reported attacks, all growing above the average rate. The other 61% was distributed across 58 additional active groups, a level of fragmentation that reflects just how industrialized and competitive the ransomware market has become.
Qilin led the field at 14% of published attacks, continuing its expansion following RansomHub’s retirement and the aggressive affiliate recruitment drive it has been running since early 2025. The Gentlemen secured second place at 10%, a striking position for a group that had zero recorded activity in May 2025. Founded in mid-2025 by a former Qilin affiliate, the group built its early reach around self-service access to approximately 14,000 pre-exploited FortiGate devices and has since grown into a top global threat in under a year. Their May 2026 operator communications announced a tactical evolution away from brute-force EDR-killing toward surgical userland evasion, suggesting a group investing seriously in longevity. DragonForce climbed to third at 8%, having risen five positions since January 2026 by absorbing displaced RansomHub affiliates and running a white-label model that lets affiliates operate entirely independent brands on shared infrastructure.
Reading May Correctly
The dip in overall volumes is real, but it is the wrong thing to anchor on. Underneath it, ransomware posted its biggest year-over-year leap of the year, new groups matured at a pace that has no real precedent in recent history, and sectors that once sat comfortably outside the crosshairs are now absorbing thousands of incidents per month. The threat landscape is not pausing. It is reorganizing. A prevention-first, AI-powered security strategy across cloud, network, endpoint, and user environments is not just best practice in that context. It is the only realistic response to a landscape that adapts faster than reactive models can follow.
