In September 2025, the global cyber threat landscape reflected a temporary stabilization in overall attack volumes — yet beneath the surface, ransomware activity and data risks linked to generative AI (GenAI) surged to new highs. Organizations worldwide faced an average of 1,900 cyber-attacks per organization per week, representing a 4% decrease compared to August, but still a 1% increase year-over-year.

While total attack volumes may appear steady, the evolution of attack techniques, industries under fire, and the rapid expansion of GenAI-related risks underline a shifting and increasingly complex threat environment.

Which Industries Are Being Hit the Hardest?

In September 2025, the education sector remained the most targeted, with an average of 4,175 weekly attacks per organization — a 3% decrease YoY, yet still far higher than any other sector.

The telecommunications industry ranked second with 2,703 weekly attacks, marking a 6% rise YoY, followed closely by government institutions at 2,512 weekly attacks, reflecting a 6% decline YoY.

These trends reaffirm that data-rich and service-critical sectors remain at the forefront of cyber criminal interest. Attackers continue to exploit their dependency on digital infrastructure and sensitive data flows, particularly in environments where hybrid work, cloud integration, and legacy systems coexist.

Regional Spotlight
  • Regionally, Africa continued to experience the highest average number of attacks, though volumes fell 10% year-over-year to 2,902 weekly attacks per organization.
  • Latin America followed closely with 2,826 attacks per week (+7% YoY), while APAC registered 2,668 (-10% YoY).
  • Europe saw 1,577 weekly attacks (-1% YoY), and North America recorded 1,468 (+17% YoY) — the largest increase among all regions.

The data highlights a widening regional polarization: while some regions are seeing temporary relief, others — especially North America — are grappling with a resurgence of sophisticated ransomware and data extortion campaigns.

GenAI Exposure: Data Risks on the Rise

The increasing integration of generative AI tools into enterprise workflows has introduced new vectors for data leakage.

In September, 1 in every 54 GenAI prompts from enterprise networks posed a high risk of sensitive data exposure — a threat that impacted 91% of organizations using GenAI tools regularly. Additionally, 15% of all prompts contained potentially sensitive information, including customer data, internal communications, or proprietary code snippets.

These findings underscore the urgent need for governance and security controls around GenAI adoption. Without adequate safeguards, productivity gains can come at the cost of significant data security risks.

Ransomware Escalation

September saw a sharp resurgence in ransomware activity. A total of 562 ransomware attacks were publicly reported — a 46% increase compared to September 2024.

(*) This data draws from ransomware “shame sites” operated by double-extortion ransomware groups, which publicly disclose victim information. While these sources have inherent biases, they provide valuable insights into the ransomware landscape.

  • North America remained the most affected region, accounting for 54% of all reported incidents, followed by Europe (19%).
  • The United States alone represented 52% of all cases, followed by Korea (5%), the United Kingdom (4%), and Germany (4%).

By industry:
  • Construction & engineering was the most impacted, representing 11.4% of victims.
  • Business services closely followed with 11%, and Industrial Manufacturing accounted for 10.1% of the reported attacks.
  • Other key sectors — including financial services (9.4%), healthcare (8.4%), and consumer goods (5.5%) — also remain heavily targeted, reflecting ransomware’s persistent diversification.

Ransomware Groups to Watch

Insights from threat actor data leak sites reveal the current leading ransomware groups:

  1. Qilin (14.1%) — One of the most established RaaS (ransomware-as-a-service) groups, Qilin has maintained consistent victim disclosures since 2022. After RansomHub’s retirement, Qilin expanded its affiliate network, leveraging a Rust-based encryptor and an advanced RaaS panel for affiliates.
  2. Play (9.3%) — Also known as PlayCrypt, this group targets organizations across North America, South America, and Europe, exploiting unpatched vulnerabilities (notably in Fortinet SSL VPNs) and using living-off-the-land binaries (LOLBins) for stealth operations.
  3. Akira (7.3%) — Active since early 2023, Akira’s Rust-based variant now targets Windows, Linux, and ESXi systems. It continues to focus on business services and industrial manufacturing, implementing runtime controls and selective encryption to hinder detection and analysis.

These actors illustrate the state of the ransomware ecosystem, where professionalized RaaS models and rapid tool development enable adversaries to scale operations faster than ever.

The insights in this report come from Check Point’s ThreatCloud AI platform, which analyzes millions of indicators of compromise (IoCs) daily. Powered by over 50 AI-driven engines and fueled by intelligence from more than 150,000 networks and millions of endpoints worldwide, ThreatCloud AI provides one of the most comprehensive and real-time views of the global cyber threat landscape available today.

Check Point Perspective

While overall attack volumes appear relatively stable, the data clearly shows that attackers are intensifying their operations, refining techniques, and exploiting weaknesses across industries and regions.

The 46% surge in ransomware activity, combined with the growing risks of data exposure through GenAI tools and continued targeting of education, manufacturing, and critical infrastructure, underscores the urgent need for organizations to strengthen their defenses.

At Check Point Software, our research continues to highlight that the complexity and velocity of today’s cyber threats demand a multi-layered, prevention-first approach. Traditional detection alone is no longer sufficient — organizations need real-time, proactive security capable of stopping attacks before damage occurs.

As we look ahead, the message for every organization is clear: Adopt a prevention-first mindset, leverage advanced threat intelligence, and ensure protection across your entire environment — from network to cloud to endpoint. Only by staying ahead of adversaries can organizations effectively reduce risk and build lasting cyber resilience.
