Ransomware Attacks Surge 48% Year‑over‑Year as Overall Cyber Threats Decline


Key Takeaways

  • Overall weekly cyberattacks averaged 2,055 per organization in May 2026, down 7% from April but up 2% year‑over‑year.
  • Education remained the most targeted sector (≈4,641 attacks/week/org), while agriculture, hospitality/travel/recreation, and construction showed the strongest YoY growth (≥23%).
  • Ransomware activity spiked sharply: 698 global attacks in May 2026, a 48% increase YoY and the highest YoY growth recorded in 2026.
  • The ransomware landscape is highly fragmented—61 active groups, with the top three (Qilin, The Gentlemen, DragonForce) accounting for only 39% of attacks.
  • Latin America led regional attack volume (3,149 weekly attacks/org, +13% YoY); Africa saw a 20% YoY decline but remains high‑risk.
  • Enterprise GenAI adoption continues, with 1 in 25 prompts posing a high‑risk data‑leakage threat; 91% of organizations that regularly use GenAI tools are exposed, and enterprises average nine tools and roughly 70 prompts per user per month.
  • North America absorbed 49% of global ransomware incidents; the United States alone accounted for 43% of victims.
  • Check Point stresses that a prevention‑first, AI‑powered security strategy across cloud, network, endpoint, and user environments is essential to counter a rapidly evolving threat landscape.

Overall Cyberattack Trends in May 2026
Global cyberattack activity eased in May 2026 after April’s sharp rebound, yet the threat environment stayed volatile. Check Point Research recorded an average of 2,055 weekly cyberattacks per organization during the month, reflecting a modest 2% increase compared with May 2025 but a 7% decline from the previous month. This slight year‑over‑year rise indicates that, despite short‑term fluctuations, adversaries continue to sustain pressure on enterprises worldwide. The data suggest that attackers are adapting their tactics and volumes rather than simply scaling back, underscoring the need for continuous vigilance and adaptive defenses.


Sector‑Specific Attack Volumes
Education remained the most heavily targeted sector, with organizations facing an average of 4,641 weekly attacks per entity. Government and telecommunications also persisted at elevated levels, though they did not surpass education’s intensity. Notably, industries traditionally viewed as lower‑risk experienced significant year‑over‑year growth: agriculture surged 51% to 2,243 weekly attacks; hospitality, travel, and recreation rose 24% to 2,291; and construction and engineering climbed 23% to 1,999. These increases are attributed to rapid digitization paired with the widespread availability of automated attack tooling, which together are reshaping the threat profile of once‑quiet sectors.


Ransomware Surge and Fragmentation
The most striking development in May 2026 was the sharp rise in ransomware activity. Check Point logged 698 ransomware attacks globally—a 48% increase over May 2025 and the highest year‑over‑year growth rate observed in 2026. Business services bore the brunt, representing 35% of all ransomware victims and posting a staggering 359% YoY jump (from 54 to 248 incidents). Consumer goods and services grew 223%, while industrial manufacturing increased 50%. Despite the overall dip in total cyberattack volume, ransomware’s expansion signals a strategic shift by threat actors toward extortion‑focused campaigns.


Ransomware Group Landscape
The ransomware ecosystem remained markedly fragmented, with 61 active groups operating during the month. The top three groups—Qilin, The Gentlemen, and DragonForce—collectively accounted for only 39% of reported attacks, indicating that the majority of incidents (61%) were spread across 58 additional actors. This dispersion reflects an industrialized and competitive ransomware market where numerous smaller groups vie for affiliates and victims, reducing reliance on a handful of dominant syndicates.


Qilin’s Leadership and Emerging Competitors
Qilin led the field, responsible for 14% of published ransomware attacks in May 2026, continuing its expansion following the retirement of RansomHub and an aggressive affiliate recruitment drive launched in early 2025. The Gentlemen secured second place at 10%, a remarkable ascent for a group that recorded zero activity in May 2025. Founded by a former Qilin affiliate in mid‑2025, The Gentlemen initially leveraged self‑service access to roughly 14,000 pre‑exploited FortiGate devices and has since evolved toward sophisticated, low‑noise tactics. DragonForce claimed third place at 8%, having risen five positions since January 2026 by absorbing displaced RansomHub affiliates and offering a white‑label model that lets affiliates operate independent brands on shared infrastructure.


Regional Attack Patterns
Latin America retained the top spot for regional attack volume, averaging 3,149 weekly attacks per organization and posting a 13% year‑over‑year increase, driven by rapid digitalization that outpaces security maturity. Africa exhibited the most dramatic shift, with a 20% YoY decline; however, absolute volumes remain high enough to keep the region in the danger zone. Asia, EMEA, and the Americas all contributed to the ransomware surge, with Asia up 119%, EMEA up 40%, and the Americas up 39% YoY, demonstrating that the ransomware acceleration was broad‑based rather than geographically concentrated.


Enterprise GenAI Adoption and Data Leakage Risks
Enterprise adoption of generative AI (GenAI) showed no signs of slowing in May 2026, but the associated exposure risks persisted. The study found that one in every 25 GenAI prompts originating from corporate networks carried a high risk of sensitive data leakage, and 91% of organizations regularly using GenAI tools were exposed to this threat. Furthermore, 22% of all prompts contained potentially sensitive information. On average, enterprises employed nine different GenAI tools, and each user submitted roughly 70 prompts per month. These figures highlight that while GenAI drives productivity, it also expands the attack surface for data exfiltration unless robust controls and monitoring are enforced.


Geographic Distribution of Ransomware Victims
North America absorbed the lion’s share of global ransomware incidents, accounting for 49% of reported attacks. The United States alone contributed 43% of all victims, with Canada (5.6%), the United Kingdom (4.6%), Germany (4.0%), and Spain (3.0%) completing the top five. Europe followed with 22% of incidents, and the Asia‑Pacific region accounted for 19%. This distribution underscores that economically advanced regions remain prime targets for ransomware operators, likely due to higher perceived payoff and greater digital asset density.


Strategic Implications and Recommendations
Check Point concludes that the decline in overall attack volumes is a superficial metric; the underlying dynamics reveal a ransomware landscape posting its largest year‑over‑year increase of 2026, rapid maturation of new threat groups, and encroachment into sectors previously considered low‑risk. The researchers argue that a reactive security posture cannot keep pace with an adversary ecosystem that evolves faster than traditional defenses can adapt. Instead, they advocate a prevention‑first, AI‑powered security strategy that spans cloud, network, endpoint, and user environments. In their view, such an approach, which leverages predictive analytics, automated threat hunting, and real‑time policy enforcement to anticipate and block attacks before they materialize, is the only realistic response to a threat landscape that is continuously reorganizing.


Conclusion
May 2026 presented a paradox: while total weekly cyberattacks dipped month‑over‑month, the year‑over‑year trajectory showed rising ransomware intensity, sector‑specific spikes, and a highly fragmented threat actor base. Education remained the top target, but agriculture, hospitality/travel/recreation, and construction experienced the fastest growth, illustrating how digitization widens the attack surface. Ransomware groups proliferated, with Qilin, The Gentlemen, and DragonForce leading a market in which dozens of smaller actors account for the majority of attacks. Regional disparities persisted, with Latin America leading in volume and Africa showing a notable decline. Meanwhile, enterprise GenAI adoption introduced data‑leakage risks that affect the vast majority of organizations using these tools. To navigate this evolving reality, the report argues, organizations must shift from reactive to preventive, AI‑driven security measures that protect all layers of their digital estate, because the threat landscape is not pausing but constantly reconfiguring itself.
