Ransomware Surges as Cyber Threats Spike in April 2026

Angola and Nigeria top the list of EMEA countries most targeted by cyber threat actors, while attacks to Financial Services and Government organisations in Africa intensified as GenAI-related data exposure continues to challenge enterprises.

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. has released its Global Threat Intelligence insights for April 2026, revealing that organisations worldwide experienced an average of 2,201 cyber attacks per week, marking a 10% increase month over month and an 8% increase year over year.

Among the 26 EMEA countries surveyed in the report, Angola and Nigeria topped the list with 4 599 and 4 469 attacks per organisation per week, respectively, ahead of Russia (3 418) and Czechia (2 728). South Africa ranked 13th at 1 777 attacks per organisation per week, between Spain and Norway. Kenya ranked ninth between Israel and Austria with 2 244 attacks per organisation per week, down 39% YoY.

All Regions Record Growth as Latin America Continues to Lead Globally

Regionally, Latin America remained the most targeted region worldwide, averaging 3,364 weekly attacks per organisation, alongside a significant 20% year?over?year increase.  APAC followed with 3,213 weekly attacks (+4% YoY), while Africa averaged 2,940 weekly attacks, despite a 9% year?over?year decline, remaining among the most targeted regions globally. Europe recorded 1,848 weekly attacks (+9% YoY), and North America averaged 1,499 attacks per organization (+0.4% YoY).

“Notably, all regions experienced month?over?month increases, signaling broad?based resurgence rather than isolated spikes. However, Latin America and Africa with their rapid digitalisation combined with uneven security maturity continues to attract sustained adversary focus,” says Lorna Hardie, Regional Director: Africa, Check Point Software Technologies. “The renewed increase highlights how threat actors continue to recalibrate campaigns, leveraging automation, expanded digital footprints, and persistent exposure tied to cloud adoption and GenAI usage.”

Education, Government and Telecommunications Remain Primary Targets as Seasonal Sectors See Rising Pressure

In April, the Education sector once again ranked as the most targeted industry globally, facing an average of 4,946 weekly attacks per organisation, reflecting an 8% year?over?year increase.  Large, distributed user populations and limited security resources continue to make education environments highly attractive to attackers.  In Africa, Financial Services and Government were the most targeted sectors, followed by Consumer Goods & Services.

Government organisations globally suffered 2,797 weekly attacks, while Telecommunications ranked third with 2,728 attacks per week, recording a 3% year?over?year increase as threat actors seek scalable disruption and downstream access. Seasonally exposed sectors also continued to trend upward. Hospitality, Travel & Recreation sustained elevated activity as organisations ramp up operations ahead of peak travel periods, expanding the attack surface through increased digital transactions, third?party integrations, and accelerated operational tempo.

GenAI Adoption Continues to Drive Data Exposure Risk at Scale

Despite fluctuations in attack volume, GenAI?related risk remained consistently high throughout April. Check Point Research found that 1 in every 28 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, impacting 90% of organisations that regularly use GenAI tools. An additional 19% of prompts contained potentially sensitive information.

During the month, organisations used an average of 10 different GenAI tools, while the typical enterprise user generated 77 prompts per month, underscoring how deeply GenAI has integrated into daily workflows — often faster than governance and security controls can adapt.

Together, these trends show that risk is increasingly shifting from attack frequency to exposure impact, with sensitive data leaking through everyday GenAI interactions that frequently fall outside traditional security visibility.

Ransomware Activity Expands Month Over Month, Reinforcing Disruption Risk

Ransomware remained one of the most disruptive threats in April, with 707 publicly reported attacks, representing a 5% increase month over month and a 12% increase year over year. Business Services continued to be the most targeted sector, accounting for 33.8% of reported ransomware incidents, followed by Consumer Goods & Services (14.4%) and Industrial Manufacturing (9.9%) sectors where downtime and data exposure translate directly into financial leverage.

Regionally, North America accounted for 46% of reported ransomware attacks, followed by Europe (27%) and APAC (17%), confirming sustained focus on high?value and highly regulated markets. At the country level, the United States remained the most impacted nation, representing 41.6% of reported ransomware attacks, followed by Germany (5.0%), Canada (4.8%), and Italy (4.0%).

Ransomware Power Remains Concentrated as the Ecosystem Expands

Ransomware activity in April was led by a small group of high?output operators. Qilin accounted for 15% of published attacks, followed by The Gentlemen (10%) and DragonForce (9%). While the top three groups represented 34% of reported incidents, a total of 56 different ransomware groups publicly impacted organisations worldwide during the month.

This combination of concentration at the top and expansion beneath it highlights a resilient ransomware ecosystem, where established Ransomware?as?a?Service platforms scale through affiliate recruitment and advanced tooling, while a growing number of smaller actors sustain persistent pressure across industries.

For more insights into April 2026 cyber threat trends, visit the Check Point Research Blog.