Johannesburg, SA – March 11 2025 – Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd, has released its Global Threat Intelligence insights for February 2026, revealing that organisations worldwide faced an average of 2,086 cyber attacks per week. This represents an overall 9.6% increase compared to February 2025, while remaining essentially stable month-over-month compared to January 2026 (-0.2%).
Of the four African countries included in the monthly insights, Nigeria continues to have the highest number of attacks at 4,326 per organisation per week (-1% YoY), followed by Angola at 3,937 attacks per organisation per week (-13% YoY), and then Kenya at 2,577 attacks per organisation per week (-37% YoY). Although South Africa had the fewest attacks per organisation per week, at 2,204, the figure represents a 22% YoY increase. Overall, Africa recorded 2,993 attacks per organisation per week (-7% YoY).
The top three most attacked sectors in Africa in February were Financial Services, Government, and Consumer Goods & Services.
"South African organisations are under acute pressure to stave off persistent cyber threats," says Lorna Hardie, Regional Director: Africa for Check Point Software Technologies.
"Unmanaged GenAI usage continues to introduce new data exposure risks. Prevention-first, real-time protection powered by AI remains the most effective way to stop attacks before they cause operational or financial damage," she adds.
The February findings confirm that global cyber pressure has stabilised at historically high levels. While ransomware activity declined year over year due to an anomalous campaign observed in early 2025, overall attack volumes remain near record highs, driven by persistent automated attacks, expanding digital infrastructures, and widening exposure linked to the widespread use of Generative AI (GenAI) tools.
“February’s data shows that cyber risk is not episodic — it’s continuous,” said Omer Dembinsky, Data Research Manager at Check Point Research. “Even when ransomware activity fluctuates, attackers maintain constant pressure across industries and regions.”
GenAI adoption continues to drive data exposure risks while education remains the top target
The rapid adoption of GenAI tools across enterprises continues to introduce high-risk data leakage pathways. During February, one in every 31 GenAI prompts submitted from corporate networks posed a high risk of sensitive data exposure, impacting 88% of organisations that regularly use GenAI tools. An additional 16% of prompts contained potentially sensitive information, including internal documents, credentials, customer data, and proprietary content.
Organisations used an average of 11 different GenAI tools over the past month, many of which are likely unmanaged and operating outside formal governance frameworks. Meanwhile, the average enterprise user generated 62 GenAI prompts per month, highlighting how deeply AI-driven workflows are embedded into daily operations — often without sufficient visibility or controls.
The Education sector remained the most attacked globally, with institutions averaging 4,749 weekly attacks per organisation (+7% YoY). Government entities followed with 2,714 weekly attacks (+2% YoY). Telecommunications ranked third, facing 2,699 attacks per week (+6% YoY), reflecting sustained targeting of connectivity-driven infrastructures and 5G-enabled ecosystems.
Regional attack volumes remain concentrated in rapidly digitising economies
Regionally, Latin America recorded the highest attack volumes, averaging 3,123 attacks per organisation per week, alongside the largest year-over-year increase globally (+20%). APAC followed with 3,040 attacks per week (+3% YoY), while Africa recorded 2,993 attacks (-7% YoY).
Europe experienced an 11% year-over-year increase, while North America saw a 9% rise, confirming that mature markets continue to face sustained and growing cyber pressure alongside emerging digital economies.
Ransomware threat landscape: Activity declines year over year but risk persists
Ransomware remained one of the most disruptive cyber threats in February, with 629 publicly reported attacks, reflecting a 32% decrease compared to February 2025. This decline is largely attributed to an unusually large ransomware campaign conducted by the Clop group during the same period last year. Excluding that anomalous event, ransomware activity remains broadly consistent year over year.
North America accounted for 57% of all reported ransomware incidents, followed by Europe (17%) and APAC (17%), confirming that attackers continue to prioritise regions with dense digital infrastructure and high-value economic targets.
At the country level, the United States represented 51% of global ransomware victims, followed by Canada (6%) and the United Kingdom (2.7%). While activity remains heavily concentrated in North America, the most impacted countries span multiple continents, underscoring the global reach of ransomware operations.
Across industries, Business Services was the most impacted sector (37%), followed by Consumer Goods & Services (13%) and Industrial Manufacturing (9%) industries where operational disruption provides significant leverage for extortion.
The leading ransomware groups in February were Qilin (15%), Clop (13%), and The Gentlemen (11%), collectively responsible for a substantial share of victim disclosures. Notably, 49 different ransomware groups publicly impacted organisations worldwide during the month, highlighting the scale and fragmentation of the ransomware ecosystem.
For more insights into February 2026 cyber threat trends, visit the Check Point Research Blog.
Follow Check Point on LinkedIn, X (formerly Twitter), Facebook, YouTube and our blog.
