Every Region Recorded Higher Attack Volumes in April
In April 2026, global cyber-attack activity rebounded sharply following the brief moderation observed in March. Organizations experienced an average of 2,201 weekly cyber-attacks, representing a 10% increase month over month and an 8% increase year over year. This reversal underscores the volatility of today’s threat landscape. After three consecutive months of gradual decline, April’s data confirms that the earlier easing was temporary rather than structural. Attackers continue to leverage automation, expanded digital footprints, and exposed cloud and GenAI environments to sustain elevated pressure across industries and regions.
Check Point Research data shows that cyber threats have not stabilized at lower baselines. Instead, adversaries are rapidly adjusting timing and targeting strategies, reinforcing that short-term fluctuations do not equate to reduced operational risk.
In India, organizations experienced an average of over 3,300 cyber-attacks per week over the last six months, significantly higher than the global average of 2,064 weekly attacks per organization. The data highlights how Indian enterprises continue to face elevated cyber risk exposure amid rapid digital expansion, growing cloud adoption, and increasingly distributed enterprise environments.
Critical Sectors Face Renewed and Intensifying Pressure
The Education sector remained the most targeted industry in April, with organizations facing an average of 4,946 weekly attacks, marking an 8% year-over-year increase. Large user populations, highly distributed access environments, and constrained security resources continue to make educational institutions prime targets. The Government sector ranked second, averaging 2,797 weekly attacks, reflecting a marginal 1% decrease year over year. While volumes stabilized slightly, government organizations remain high-value targets due to critical public services and sensitive data exposure.
Telecommunications followed closely with 2,728 weekly attacks, recording a 3% year-over-year increase, as threat actors continue seeking scalable disruption and downstream access through service providers. Notably, Hospitality, Travel & Recreation continued their upward trajectory, aligning with seasonal demand growth. As transaction volumes rise ahead of peak travel periods, attackers appear to be accelerating activity to exploit increased customer data exposure and operational dependencies.
India’s sectoral threat landscape reflects even higher concentration across critical industries. Education emerged as the most impacted sector in India, recording over 7,181 weekly attacks per organization in the last month, followed by Government (4,634), Construction & Engineering (3,858), Consumer Goods & Services (3,567), and Business Services (3,485). Telecommunications, Energy & Utilities, Information Technology, and Financial Services also remained heavily targeted, indicating sustained attacker focus on digitally interconnected and operationally critical sectors.
Regional Threat Imbalances Widen as All Regions See Growth
April’s regional data reveals a broad-based resurgence in cyber activity, with every region experiencing month-over-month increases.
Latin America remained the most targeted region globally, averaging 3,364 weekly attacks per organization, alongside a 20% year-over-year increase. Rapid digital expansion and uneven security continue to fuel its attractiveness to threat actors.
APAC followed with 3,213 weekly attacks, reflecting a 4% year-over-year increase, while Africa recorded 2,940 weekly attacks, despite a -9% year-over-year decline, remaining among the most targeted regions worldwide.
|
Region |
Weekly Attacks per Organization |
YoY Change |
|
Latin America |
3364 |
+20% |
|
APAC |
3213 |
+4% |
|
Africa |
2940 |
-9% |
|
Europe |
1848 |
+9% |
|
North America |
1499 |
+0.4% |
Europe and North America both saw renewed growth compared to March, reinforcing that even mature markets continue to face persistent baseline pressure rather than meaningful relief.
GenAI Adoption Continues to Elevate Data Exposure Risk
Enterprise GenAI usage remained widespread throughout April 2026, sustaining high levels of data leakage risk despite broader threat volatility. Key GenAI exposure indicators include:
- 1 in every 28 GenAI prompts posed a high risk of sensitive data leakage
- 90% of organizations using GenAI tools regularly were impacted by this risk
- An additional 19% of prompts contained potentially sensitive information
- Organizations used an average of 10 different GenAI tools, highlighting fragmented adoption
- The average enterprise user generated 77 GenAI prompts per month
While overall interaction volumes remained stable compared to March, exposure risk persists due to limited visibility, decentralized usage, and insufficient governance. Without centralized controls, organizations remain vulnerable to credential leakage, intellectual property exposure, and unintended third‑party risk propagation.
Ransomware Activity Expands Month Over Month
In April 2026, 707 ransomware attacks were reported globally, reflecting a 5% increase month over month and a 12% increase year over year. This continued growth confirms that ransomware remains a core monetization vector despite broader tactical shifts.
North America was the most affected region, accounting for 46% of reported incidents, followed by Europe (27%) and APAC (17%), indicating sustained focus on high-revenue and highly regulated markets.
India continues to experience materially higher ransomware exposure compared to global averages. Over the last six months, ransomware impacted an average of 7.0% of organizations in India, compared to the global average of 3.6%. The broader malware ecosystem in India also remained elevated, with botnet activity impacting 17.3% of organizations, infostealer malware impacting 7.5%, and banking malware impacting 4.3% of organizations on average.
Ransomware Targeting Remains Concentrated in High-Impact Industries
Business Services continued to dominate ransomware targeting, accounting for 33.8% of victims, followed by Consumer Goods & Services (14.4%) and Industrial Manufacturing (9.9%).
Together, these sectors represent environments where downtime, operational disruption, and data exposure translate directly into financial leverage, making them consistently attractive to ransomware operators. Healthcare, Financial Services, and Government each increased their relative share compared to earlier months, reinforcing the gradual expansion of ransomware targeting beyond traditional strongholds.
|
Industry |
Ransomware Victims |
|
Business Services |
33.8% |
|
Consumer Goods & Services |
14.4% |
|
Industrial Manufacturing |
9.9% |
|
Healthcare & Medical |
5.8% |
|
Financial Services |
5.7% |
|
Government |
4.0% |
|
Transportation & Logistics |
3.5% |
|
Information Technology |
3.5% |
|
Education |
3.1% |
|
Automotive |
3.1% |
|
Real Estate, Rentals, & Leasing |
2.1% |
|
Telecommunications |
1.7% |
|
Media & Entertainment |
1.6% |
|
Construction & Engineering |
1.0% |
|
Energy & Utilities |
0.9% |
|
Hospitality, Travel, & Recreation |
0.9% |
Ransomware Remains Globally Distributed Despite Regional Concentration
At the country level, the United States remained the most impacted nation, accounting for 41.6% of reported ransomware attacks, followed by Germany (5.0%), Canada (4.8%), Italy (4.0%), and the United Kingdom (3.8%).
The breadth of affected countries across North America, Europe, Asia, and Latin America highlights ransomware’s continued global reach, even as activity remains concentrated in a limited number of high-value markets
|
Country |
Ransomware Victims |
|
United States |
41.6% |
|
Germany |
5.0% |
|
Canada |
4.8% |
|
Italy |
4.0% |
|
United Kingdom |
3.8% |
|
France |
3.8% |
|
Spain |
3.1% |
|
Australia |
2.7% |
|
Thailand |
1.8% |
|
Brazil |
1.7% |
Leading Ransomware Groups Maintain Fragmented Dominance
Ransomware activity in April remained fragmented, though dominated by a small group of high-output operators. Qilin led activity, responsible for 15% of published attacks, followed by The Gentlemen (10%) and DragonForce (9%). While the top three groups accounted for 34% of reported incidents, a total of 56 different ransomware groups publicly impacted organizations worldwide last month—underscoring the breadth and resilience of the ransomware ecosystem.
- Qilin: Qilin is one of the most established RaaS groups, with a consistent track record of victim disclosures dating back to 2022. Originally operating under the name “Agenda”, the group rebranded as “Qilin” by September 2022, introducing a Rust-based encryptor and expanding its RaaS infrastructure. It provides affiliates with a full-featured toolkit via a dedicated administrative panel, including an encryptor, negotiation infrastructure, and support services. Following RansomHub’s retirement, Qilin intensified its affiliate recruitment efforts and, since March 2025, has significantly increased the volume of victim listings on its data leak site (DLS).
- The Gentlemen: It is a fast-growing Ransomware-as-a-Service operation founded in mid-2025 by a Russian-speaking operator (Hastalamuerte) who previously worked as an affiliate across Qilin, Embargo, LockBit, Medusa, and BlackLock before launching his own platform after a dispute with Qilin. The group openly recruits affiliates in various forums and uniquely functions as both a RaaS provider and an Initial Access Broker, offering affiliates self-service access to approximately 14,000 pre-exploited FortiGate devices (CVE-2024-55591). With over 320 DLS-claimed victims and an estimated 1,570+ actual compromises revealed through Check Point Research’s analysis, The Gentlemen shas established itself as a top-7 global ransomware threat in under a year. The group’s cross-platform lockers target Windows, Linux, and ESXi (C-based), and their latest May 2026 operator communication announces a shift from blunt-force BYOVD-based EDR killing to surgical userland evasion techniques. The group’s geographic targeting is notably atypical, with the US representing only 12% of victims (vs 50% ecosystem average), reflecting a device-driven victim selection model shaped by the FortiGate stockpile rather than deliberate geographic preference.
- DragonForce: It is a ransomware RaaS, self-proclaimed as “cartel” that pioneered a white-label infrastructure model, enabling affiliates to operate independent brands using DragonForce’s encryption, negotiation portals, and data leak sites. Ranked sixth by victim volume with 426 DLS postings and accelerating activity (56 victims in March 2026 alone), the group operates two distinct encryption variants – a Conti V3 fork using ChaCha8 and a LockBit 3.0 derivative using RSA-1024 and Salsa20. DragonForce absorbed displaced RansomHub affiliates in April 2025 and partnered with Scattered Spider for social engineering campaigns that struck major United Kingdom retailers including Marks & Spencer and Co-op. While the group announced a strategic alliance with LockBit and Qilin in September 2025, no joint operations have been observed, suggesting this is primarily a positioning move.
What April’s Trends Reveal About the Threat Landscape
April 2026 confirms that cyber threats are not stabilizing—they are oscillating with increasing intensity. The rebound in global attack volumes, continued expansion of ransomware activity, and persistent GenAI-driven exposure risks illustrate a threat environment defined by adaptability rather than predictability.
At Check Point Research, our research shows that temporary declines should not be mistaken for reduced risk. Attackers continue refining precision, timing, and targeting, exploiting seasonal demand cycles, emerging technologies, and governance gaps.
In this environment, reactive security models remain insufficient. A prevention-first, AI-driven, multi-layered security strategy—spanning cloud, network, endpoint, and user environments—is essential to reducing exposure and sustaining cyber resilience. Staying ahead now requires anticipating attacker behavior, not merely responding after impact.