Cyber attacks stay near record high as GenAI risks grow

Global cyber attack volumes stayed close to record highs in February 2026. Organisations faced an average of 2,086 attacks per week, according to new figures from Check Point Research.

The monthly average was broadly unchanged from January, down 0.2%. It still marked a 9.6% rise from February 2025, pointing to sustained pressure on corporate and public sector networks even as ransomware reports fell year on year.

Check Point linked the elevated activity to ongoing automated attacks and expanding digital infrastructure. It also pointed to new exposure from the widespread use of generative AI tools inside corporate networks.

"February's data shows that cyber risk is not episodic - it's continuous," said Robert Falzon, Head of Engineering for Check Point in Canada. "Even when ransomware activity fluctuates, attackers maintain constant pressure across industries and regions. At the same time, unmanaged GenAI usage continues to introduce new data exposure risks. Prevention-first, real-time protection powered by AI remains the most effective way to stop attacks before they cause operational or financial damage."

GenAI exposure

The research highlighted data leakage risks created by generative AI use in businesses. One in every 31 prompts submitted from corporate networks carried a high risk of exposing sensitive data. That pattern appeared in 88% of organisations that regularly used GenAI tools during the month.

The analysis also found that 16% of prompts contained potentially sensitive information, including internal documents, credentials, customer data and proprietary content.

Organisations used an average of 11 different GenAI tools over the past month. Many appeared to be unmanaged and operating outside formal governance frameworks. The average enterprise user generated 62 GenAI prompts per month, suggesting frequent day-to-day use.

For security teams, the figures add to visibility challenges. Many businesses have adopted multiple GenAI tools across departments, including consumer-grade services, specialist assistants, embedded AI features in established software, and niche tools that teams adopt without central approval.

Sector targeting

Education remained the most attacked sector in February, with institutions averaging 4,749 weekly attacks per organisation - a 7% increase from a year earlier.

Government entities averaged 2,714 weekly attacks per organisation, up 2% year on year. Telecommunications ranked third at 2,699 attacks per week, a 6% annual increase.

The figures suggest attackers continue to target organisations with large user populations and wide network perimeters. Schools and universities often manage mixed estates of legacy systems and new cloud services, while public sector bodies face similar complexity and sustained exposure. Telecoms operators remain attractive targets because of their central role in connectivity and extensive third-party supply-chain relationships.

Regional picture

Attack volumes were highest in Latin America, averaging 3,123 attacks per organisation per week. It also recorded the largest year-on-year increase, at 20%.

APAC followed with 3,040 attacks per week, up 3% annually. Africa recorded 2,993 attacks per week, down 7% year on year.

Europe saw an 11% year-on-year increase, while North America rose 9%. The data suggests mature markets continue to face growing pressure even as rapidly digitising economies attract high volumes of automated probing and exploitation attempts.

Security teams in all regions are adapting to a threat landscape in which attackers sustain a high operational tempo. Automated attacks can scan large address ranges and quickly target exposed services, leaving limited time to patch widely exploited vulnerabilities, fix misconfigurations, and reduce exposure across cloud services and remote access systems.

Ransomware trends

Ransomware remained one of the most disruptive threats in February, with 629 publicly reported attacks. That total was down 32% compared with February 2025.

Check Point attributed the year-on-year drop to an unusually large campaign linked to the Clop group in the same period last year. Without that spike, it said ransomware activity was broadly consistent year on year.

North America accounted for 57% of all reported ransomware incidents, while Europe and APAC each accounted for 17%. The concentration reflects a focus on regions with dense digital infrastructure and many potential targets, including mid-sized suppliers and service providers that can provide pathways into larger organisations.

By country, the United States represented 51% of global ransomware victims, followed by Canada at 6% and the UK at 2.7%.

Business Services was the most impacted industry, accounting for 37% of reported ransomware attacks. Consumer Goods & Services followed with 13%, and Industrial Manufacturing accounted for 9%.

The most active ransomware groups in February were Qilin at 15%, Clop at 13% and The Gentlemen at 11%, according to the data. In total, 49 different ransomware groups publicly impacted organisations during the month, underlining a fragmented ecosystem in which many groups compete for victims and recycle tactics, infrastructure and data-leak approaches.