Global cyberattack activity eased in May 2026 following April’s sharp rebound, but the broader threat landscape remained volatile, according to research from Check Point Research. Organizations experienced an average of 2,055 weekly cyberattacks during the month, representing a 2% increase year-over-year despite a 7% decline from April. Education remained the most targeted sector, averaging 4,641 weekly attacks per organization, while government and telecommunications also continued to face elevated attack volumes.
The report highlighted notable year-over-year increases in attacks targeting the agriculture, hospitality, travel, recreation, and construction sectors as digitalization expands across these industries. The most significant trend was a sharp rise in ransomware activity. Check Point recorded 698 ransomware attacks globally in May, a 48% increase compared to the same month last year and the highest year-over-year growth rate recorded in 2026. Business services accounted for 35% of all ransomware victims, while consumer goods and industrial manufacturing also experienced substantial increases.
The report found that ransomware activity has become increasingly fragmented, with 61 active groups operating during the month. Qilin emerged as the most active ransomware group, responsible for 14% of published attacks, followed by The Gentlemen and DragonForce.
“The more interesting movement happened further down the list. Agriculture surged 51% year over year to 2,243 weekly attacks,” Check Point researchers detailed in a blog post. “Hospitality, Travel and Recreation climbed 24% to 2,291, and Construction and Engineering rose 23% to 1,999. These are not sectors anyone would have highlighted as cyber attack hotbeds two years ago. The growing digitization of their operations, combined with the sheer availability of automated attack tooling, is changing that calculation fast.”
They added that “Latin America held the top spot for another month running, with 3,149 weekly attacks per organization and a 13% year-over-year increase, as rapid digitalization continues to outpace security maturity across the region. Africa posted the most dramatic shift of any region, down 20% year over year, though volumes remain high enough to keep it firmly in the danger zone.”
Ransomware in May was dominated at the top, but remarkably spread out everywhere else. The top three groups accounted for 39% of reported attacks, all growing above the average rate. The other 61% was distributed across 58 additional active groups, a level of fragmentation that reflects just how industrialized and competitive the ransomware market has become.
Qilin led the field at 14% of published attacks, continuing its expansion following RansomHub’s retirement and the aggressive affiliate recruitment drive it has been running since early 2025. The Gentlemen secured second place at 10%, a striking position for a group that had zero recorded activity in May 2025.
“Founded in mid-2025 by a former Qilin affiliate, the group built its early reach around self-service access to approximately 14,000 pre-exploited FortiGate devices and has since grown into a top global threat in under a year,” Check Point reported. “Their May 2026 operator communications announced a tactical evolution away from brute-force EDR-killing toward surgical userland evasion, suggesting a group investing seriously in longevity. DragonForce climbed to third at 8%, having risen five positions since January 2026 by absorbing displaced RansomHub affiliates and running a white-label model that lets affiliates operate entirely independent brands on shared infrastructure.”
Enterprise GenAI adoption showed no signs of slowing in May, and neither did the exposure risks that come with it. One in every 25 GenAI prompts originating from enterprise networks carried a high risk of sensitive data leakage. The study found that 91% of organizations using GenAI tools on a regular basis were exposed to this risk. In addition, 22% of prompts contained potentially sensitive information. Organizations used an average of nine different GenAI tools during the month, while the average enterprise user submitted 70 GenAI prompts per month.
“If May had a headline, this was it. 698 ransomware attacks were reported globally, a 48% increase on May 2025, when 472 incidents were recorded. The growth landed across every region: Asia up 119%, EMEA up 40%, the Americas up 39%. This was not concentrated pressure from one geography or one group. It was broad-based acceleration,” the post highlighted. “Business Services bore the sharpest end of it, accounting for 35% of all ransomware victims and recording a year-over-year increase of 359%, from 54 incidents to 248 in a single month. Consumer Goods and Services grew 223%, and industrial manufacturing climbed 50% from last year.”
They added that “North America absorbed 49% of reported incidents globally, followed by Europe at 22% and APAC at 19%. The United States alone accounted for 43% of all reported ransomware victims, with Canada (5.6%), the United Kingdom (4.6%), Germany (4.0%), and Spain (3.0%) rounding out the top five.”
In conclusion, Check Point noted that the dip in overall volumes is real, but it is the wrong thing to anchor on. Underneath it, ransomware posted its biggest year-over-year leap of the year, new groups matured at a pace that has no real precedent in recent history, and sectors that once sat comfortably outside the crosshairs are now absorbing thousands of incidents per month.
The researchers said the threat landscape is not pausing but reorganizing. “A prevention-first, AI-powered security strategy across cloud, network, endpoint, and user environments is not just best practice in that context. It is the only realistic response to a landscape that adapts faster than reactive models can follow.”
Last month, Check Point data showed that the ransomware ecosystem showed signs of consolidation in the first quarter of 2026 after a period of heavy fragmentation. The top 10 ransomware groups accounted for 71% of all victims recorded during the quarter, marking a sharp reversal from the fragmented landscape observed in the third quarter of 2025. The findings suggest that ransomware activity is once again concentrating around a smaller number of dominant operators.


