Check Point Research said global cyber attacks fell in May from the previous month, while ransomware incidents jumped 48% from a year earlier. The findings point to a shift in the threat landscape rather than a broad easing of risk.
Organisations faced an average of 2,055 weekly cyber attacks in May, down 7% from April but up 2% year on year, according to the company's latest monthly data. The drop in overall volume came alongside a sharp rise in ransomware and continued concern over sensitive data exposure linked to generative artificial intelligence tools used in the workplace.
Education remained the most targeted sector, with an average of 4,641 weekly attacks per organisation, up 7% from a year earlier. Government ranked second at 2,620 weekly attacks, followed by Telecommunications at 2,583. Both were broadly flat on an annual basis.
Several industries outside the usual list of heavily targeted sectors recorded faster growth. Agriculture rose 51% year on year to 2,243 weekly attacks per organisation. Hospitality, Travel and Recreation increased 24% to 2,291, and Construction and Engineering climbed 23% to 1,999.
Regional patterns also shifted. Latin America recorded the highest level of activity for another month, with 3,149 weekly attacks per organisation, up 13% year on year. Africa posted the steepest annual decline, down 20%, though attack volumes there remained elevated.
Ransomware rise
The sharpest change in May came in ransomware. Check Point Research recorded 698 reported ransomware attacks globally, up from 472 in the same month a year earlier.
Growth was spread across all major regions, with Asia up 119%, EMEA up 40% and the Americas up 39%. Business Services accounted for 35% of all ransomware victims and saw the steepest increase, rising 359% year on year from 54 incidents to 248 in a single month.
Consumer Goods and Services also recorded a large increase, up 223% from a year earlier, while Industrial Manufacturing rose 50%. North America accounted for 49% of reported ransomware incidents worldwide, followed by Europe at 22% and Asia-Pacific at 19%.
The United States accounted for 43% of all reported ransomware victims. Canada represented 5.6%, the United Kingdom 4.6%, Germany 4.0% and Spain 3.0%.
Fragmented groups
The ransomware market remained concentrated at the top, with the rest of the activity spread across a wide field of operators. The three biggest groups were responsible for 39% of reported attacks, while the remaining 61% was divided among 58 other active groups.
Qilin led in May with 14% of published attacks. The Gentlemen ranked second with 10%, despite having no recorded activity in the same month last year. DragonForce rose to third place with 8% after climbing five positions since the start of the year.
The data suggests the ransomware ecosystem is becoming more fragmented even as a small number of groups retain significant scale. The spread of activity across dozens of operators also points to a market in which affiliates can move between brands and infrastructure with relative speed.
AI exposure
Alongside attack and ransomware trends, the company highlighted growing exposure linked to workplace use of generative AI tools. One in 25 prompts sent from enterprise networks carried a high risk of sensitive data leakage, while 91% of organisations using such tools were regularly affected by that risk.
A further 22% of prompts contained potentially sensitive information. Organisations used an average of nine different generative AI tools during the month, and the average enterprise user sent 70 prompts.
Those figures underline a wider challenge for companies trying to manage cyber risk across multiple systems at once. Expanding digital operations in sectors such as agriculture, travel and construction are creating more points of exposure, while the spread of AI tools inside businesses is adding another channel through which data can escape.
The combination of lower headline attack volumes and rising ransomware activity may complicate how companies assess risk. A decline in total incidents can suggest temporary stability, but the May figures indicate that attackers are shifting methods, sectors and targets rather than stepping back.
The threat landscape is not pausing. It is reorganising.