Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd released its Global Threat Intelligence insights for March 2026, revealing that organisations worldwide experienced an average of 1,995 cyber-attacks per week.
Whilst this does represent a 5% modest drop compared to March 2025, this decline suggests short‑term stabilisation, rather than an indication of reduced attacker capability. Instead, it reflects how threat activity can shift between targets and techniques as adversaries rebalance campaigns, test new intrusion paths, and exploit the expanding digital footprint of modern organisations.
“March’s results may look like a breather, but attackers haven’t stepped back — they’ve simply shifted gears,” said Omer Dembinsky, Data Research Manager at Check Point Research. “As GenAI becomes a default workplace tool and ransomware groups maintain a steady operational tempo, organisations should plan for a future where risk is continuous, fast-moving, and increasingly shaped by automation. The most resilient organisations will be those that treat prevention as a system — reducing exposure, enforcing governance, and applying AI‑powered protection that can stop threats before they spread.”
Education, Government and Telecom Remain Prime Targets — While Travel Sector Surges
In March, the Education sector remained the most attacked industry globally, facing an average of 4,632 weekly attacks per organisation (‑6% YoY). Government organisations followed with 2,582 attacks per week (‑12% YoY), and Telecommunications ranked third with 2,554 attacks (‑10% YoY).
Notably, the Hospitality, Travel & Recreation sector recorded a 30% year‑over‑year increase, aligning with the ramp‑up into spring and summer travel. This seasonal shift typically expands the attack surface through increased digital transactions, higher third‑party dependency, and faster operational cadence — conditions that cybercriminals frequently exploit.
Latin America Demonstrates an Increase as Other Regions Decline
Regionally, Latin America recorded the highest attack volume, averaging 3,054 attacks per organisation per week, showing a year‑over‑year increase (+9% YoY). APAC ranked second with an average of 3,026 weekly attacks (‑4% YoY), followed by Africa with 2,722 weekly attacks per organisation (‑22% YoY). This was followed by Europe with 1,647 weekly attacks (‑7% YoY) and North America with 1,384 weekly attacks per organisation (‑8% YoY).
GenAI Adoption Accelerates Data Exposure Risks
Despite the dip in overall attacks, GenAI‑related risk continues to rise. In the month of March, 1 in every 28 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, impacting 91% of organisations that use GenAI tools regularly. An additional 17% of prompts contained potentially sensitive information.
Over the past month, each organisation used an average of 9 different GenAI tools, while the typical user generated 78 prompts per month, underscoring how quickly AI has embedded into daily workflows — often ahead of governance and security controls.
Taken together, these figures show that risk is shifting from attack volume to impact, with sensitive data increasingly exposed through everyday GenAI interactions that often sit outside traditional security and governance controls. In effect, organisations are creating new, quieter exposure pathways at scale — increasing the likelihood of data leakage and downstream exploitation even without a conventional breach.
Ransomware Rises Month‑to‑Month, Reinforcing Ongoing Business Disruption Risk
Ransomware remained one of the most disruptive threats in March, with 672 publicly reported attacks. While this marks an 8% decrease compared to March 2025, it represents a 7% increase over February 2026, signalling renewed momentum month‑to‑month.
Business Services was the most targeted sector, accounting for 35% of ransomware incidents, followed by Consumer Goods & Services (14%) and Industrial Manufacturing (13%) — together representing 61% of reported victims.
In terms of ransomware attacks per region, North America was the most affected region, accounting for 55% of all reported ransomware incidents, followed by Europe at 24% and APAC at 12%. While North America remains the most affected region, Europe saw a notable increase, rising from 17% of all reported attacks in February 2026 to 24% this month.
Looking at country ransomware attacks, the United States was the most impacted country, accounting for 52% of the reported ransomware attacks followed by Germany with 5% and then France with 4%.
Ransomware Power Consolidates at the Top — While the Ecosystem Expands Beneath It
In March, ransomware activity was led by a small group of highly operational actors, with Qilin accounting for 20% of publicly reported attacks, followed by Akira (12%) and DragonForce (8%). While these three groups alone were responsible for 40% of all reported incidents, the broader picture is more concerning: 47 different ransomware groups publicly impacted organisations worldwide during the month.
This combination of concentration and fragmentation highlights a maturing ransomware ecosystem, where established Ransomware‑as‑a‑Service (RaaS) platforms continue to scale through affiliate recruitment, advanced tooling, and cross‑platform capabilities, while a growing number of smaller operators sustain pressure across industries. The result is a threat landscape that remains resilient, adaptive, and difficult to disrupt — even as individual groups rise and fall in prominence.
