Latin America Sees Sharpest Rise in Cyber Attacks in December 2025 as Ransomware Activity Accelerates

In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. This represents a 1% month-over-month increase and a 9% year-over-year increase. While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year. The data points to sharper regional and sector-level spikes in activity, driven primarily by ransomware operations and expanding exposure linked to enterprise adoption of generative AI (GenAI). Latin America experienced the sharpest rise in cyber attacks globally, with organizations in the region facing an average of 3,065 attacks per week, a 26% year-over-year increase that outpaced all other regions. While global attack volumes rose more modestly, the regional surge underscores the growing impact of ransomware activity, alongside continued risk exposure associated with enterprise adoption of GenAI.

Education, government, and nonprofits remain top cyber attack targets

The education sector remained the most targeted industry in December, averaging 4,349 attacks per organization per week, representing a 12% year-over-year increase. The sector continues to face elevated risk due to large user populations, legacy infrastructure, and limited security resources.

The government sector ranked second with 2,666 weekly attacks per organization, up 2% YoY, followed closely by associations & nonprofits, which saw 2,509 attacks per organization per week, a sharp 56% year-over-year increase.

Latin America records the largest regional increase in cyber attacks

Regionally, Latin America recorded the highest average number of weekly cyber attacks per organization at 3,065, reflecting a 26% increase compared to December 2024, the largest year-over-year rise globally.

APAC followed with 3,017 weekly attacks per organization (+2% YoY), while Africa averaged 2,752 attacks, representing a 10% decrease year-over-year.

Europe and North America reported lower absolute attack volumes, with 1,677 and 1,438 weekly attacks per organization, respectively, though both regions experienced notable year-over-year growth (+9% in Europe, +15% in North America).

GenAI usage continues to expose sensitive data

Enterprise adoption of GenAI tools continues to introduce new data exposure risks. In December:

• 1 in every 27 GenAI prompts submitted from enterprise networks posed a high risk of sensitive data leakage.
• 91% of organizations using GenAI tools were affected by high-risk prompt activity.
• An additional 25% of prompts contained potentially sensitive information.
• Organizations used an average of 11 different GenAI tools during the month.
• The average enterprise user generated 56 GenAI prompts per month, underscoring the growing operational reliance on GenAI platforms.

Sensitive corporate data is increasingly being uploaded to third-party generative AI services without adequate controls, sanitization, or oversight, often outside established security governance. The data most frequently exposed includes personally identifiable information (PII), internal network and IT artifacts, and proprietary source code. With employees now using an average of 11 different GenAI tools, organizations need the ability to monitor and restrict what data is shared with each platform. These findings underscore how deeply GenAI is embedded in daily business operations—often without sufficient visibility, control, or governance—significantly increasing the risk of data loss and AI-enabled cyber attacks.

Ransomware attacks surge by 60% year-over-year

In December 2025, 945 ransomware attacks were publicly reported, representing a 60% increase from December 2024. This sharp rise underscores the continued dominance of ransomware as a primary threat vector.

North America was the most affected region, accounting for 52% of reported incidents, followed by Europe at 23%. The United States remained the most targeted country, responsible for 48% of reported ransomware victims, with the United Kingdom, Germany, and Canada each accounting for approximately 4–5%. From an industry perspective, business services was the most impacted sector (12% of victims), followed by construction & engineering and industrial manufacturing at 11% each.

Ransomware data is derived from publicly available victim disclosures on double-extortion ransomware “shame sites.” While these sources carry inherent bias, they offer valuable visibility into attacker activity and victimology.

Qilin leads ransomware activity in December

Among ransomware operators, Qilin emerged as the most active group in December, responsible for 18% of published attacks. Qilin, a long-established ransomware-as-a-service (RaaS) operation that has been active since 2022, has significantly expanded its affiliate recruitment and victim disclosures since early 2025.

LockBit5 ranked second with 12% of attacks, following a surge in victim listings in late December. Analysis indicates that many of these disclosures were duplicated from earlier incidents, a tactic previously observed in LockBit campaigns and likely intended to maintain visibility and interest among affiliates.

Akira, responsible for 7% of attacks, continued to target Windows, Linux, and ESXi environments. The group has increasingly focused on business services and industrial manufacturing organizations, supported by advanced Rust-based encryptors designed to evade analysis and optimize virtualized system targeting.

Outlook

December’s data reflects a threat landscape defined less by dramatic spikes in overall attack volume and more by persistent pressure from ransomware operations and systemic risk introduced by unmanaged GenAI usage. As organizations enter 2026, improving ransomware resilience and enforcing GenAI governance controls will remain critical priorities for reducing operational and data exposure risk.