.webp)
Organisations worldwide faced an average of 2,090 cyber attacks per week in January 2026, as ransomware activity increased and broader use of generative AI tools raised the risk of data exposure, according to new research from Check Point Research.
The figure was up 3% from December and 17% year on year. Check Point attributed the rise to more frequent ransomware campaigns and gaps in governance around GenAI use on corporate networks.
"January's data shows that cyber attacks are not only increasing but becoming more refined and opportunistic," said Omer Dembinsky, data research manager at Check Point Research. "Ransomware operators are accelerating their campaigns while unchecked GenAI usage is opening new blind spots for organizations. Prevention-first, real-time protection powered by AI is the only effective way to stop attacks before they cause operational or financial damage."
GenAI exposure
GenAI adoption is creating new pathways for data leakage, the research found. One in every 30 GenAI prompts submitted from corporate networks posed what it described as a significant risk of exposing sensitive data. This pattern appeared in 93% of organisations using GenAI tools.
The research also pointed to a broader set of prompts containing potentially sensitive information, including internal documents, personal identifiers, customer information and proprietary source code.
Organisations used an average of 10 different GenAI tools per month. Many were likely unmanaged and outside formal governance structures, the report said. It linked this spread to a higher risk of accidental data spillover, as well as greater exposure to ransomware infiltration and AI-driven attacks.
Sector targeting
Education remained the most attacked sector globally in January, with institutions recording an average of 4,364 weekly attacks per organisation, up 12% year on year.
Government entities ranked second, averaging 2,759 weekly attacks per organisation. Telecommunications moved into third place, with 2,647 attacks per week on average. Check Point linked the rising pressure on telecoms to their role in connectivity infrastructure and the expansion of 5G ecosystems.
The attack volumes show threat actors continuing to focus on sectors with large user populations and complex networks. Schools and universities often manage many endpoints, diverse user groups and mixed IT estates. Public sector bodies and telecoms operators also tend to run widely distributed systems with large operational footprints.
Regional picture
Latin America recorded the highest attack volumes by region, averaging 3,110 attacks per organisation per week. That was a 33% year-on-year increase, the steepest growth rate in the report.
APAC followed with 3,087 attacks per organisation per week, up 7% year on year. Africa recorded 2,864 attacks per organisation per week, a 6% year-on-year decline.
In Europe, attacks rose 18% year on year, while North America increased 19%. The data suggests attack intensity continued to rise in major economies, even as ransomware disclosures remained concentrated.
Ransomware rise
Ransomware remained central to the threat landscape in January. Check Point counted 678 publicly reported ransomware incidents, a 10% increase compared with January 2025.
North America accounted for 52% of known cases, with Europe representing 24%. Check Point described this as continued attacker focus on higher-value economic regions.
The United States represented 48% of global ransomware victims in the disclosures tracked. The United Kingdom accounted for 5%, while Canada and Germany each represented 4%. Italy and Spain each accounted for 3%.
Industries affected
Business Services was the most impacted industry by ransomware disclosures, accounting for 33% of the total. Consumer Goods and Services followed with 15%, and Industrial Manufacturing represented 11%.
The distribution reflects continued targeting of organisations where downtime can have an immediate commercial impact. Ransomware groups often seek leverage through operational disruption and threats to publish stolen data.
Check Point identified Qilin, LockBit and Akira as the leading ransomware groups in January by share of victim disclosures. Qilin accounted for 15%, LockBit for 12%, and Akira for 9%.
The January results add to evidence that organisations face pressure on multiple fronts. Security teams are managing traditional threats such as phishing, credential theft and vulnerability exploitation alongside newer risks tied to rapid GenAI adoption and changing user behaviour.
In the coming months, security leaders are likely to face scrutiny over how they govern employee use of GenAI services, including which tools are in use and what data staff enter into prompts. The same period may also bring continued volatility in ransomware operations as groups change branding and tactics in response to law enforcement and disruption efforts.