Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd., has released its Global Threat Intelligence insights for March 2026, showing that organisations worldwide experienced an average of 1,995 cyber attacks per week.
Ransomware remained one of the most disruptive threats in March, with 672 publicly reported attacks led by three highly operational actors – namely Qilin, which accounted for 20% of publicly reported attacks, followed by Akira (12%) and DragonForce (8%) all of which have been active in Africa. While these three groups alone were responsible for 40% of all reported incidents in March, the broader picture is more concerning: 47 different ransomware groups publicly impacted organisations worldwide during the month.
“The combined of concentration and fragmentation of ransomware groups highlights a maturing ecosystem, where established Ransomware-as-a-Service (RaaS) platforms continue to scale through affiliate recruitment, advanced tooling, and cross-platform capabilities, while a growing number of smaller operators sustain pressure across industries,” says Ian van Rensburg, Head: Security Engineering – Africa, Check Point Software Technologies.
“The result is a threat landscape that remains resilient, adaptive, and difficult to disrupt — even as individual groups rise and fall in prominence,” he adds.
Of the four African countries included in the survey, Nigeria had the highest number of attacks at 4,090 per organisation per week (-12% YoY), followed by Angola at 3,677 attacks per organisation per week (-19% YoY), then Kenya at 2,024 attacks per organisation per week (-53%), and finally South Africa at 1,922 (-19% YoY). Africa’s top three industry targets in March were Financial Services, Government, and Consumer Goods & Services.
“The above above average number of attacks in Africa serve a red flag for rapidly digitalising organisations on the continent, the most resilient of which will be those that treat prevention as a system — reducing exposure, enforcing governance, and applying AI-powered protection that can stop threats before they spread,” van Rensburg says.
Education, Government and Telecom Remain Prime Targets — While Travel Sector Surges
In March, the Education sector remained the most attacked industry globally, facing an average of 4,632 weekly attacks per organisation (-6% YoY). Government organisations followed with 2,582 attacks per week (-12% YoY), and Telecommunications ranked third with 2,554 attacks (-10% YoY).
Notably, the Hospitality, Travel & Recreation sector recorded a 30% year-over-year increase, aligning with the ramp-up into Northern Hemisphere spring and summer travel. This seasonal shift typically expands the attack surface through increased digital transactions, higher third-party dependency, and faster operational cadence — conditions that cybercriminals frequently exploit.
Latin America Demonstrates an Increase as Other Regions Decline
Regionally, Latin America recorded the highest attack volume, averaging 3,054 attacks per organisation per week, showing a year-over-year increase (+9% YoY). APAC ranked second with an average of 3,026 weekly attacks (-4% YoY), followed by Africa with 2,722 weekly attacks per organisation (-22% YoY). This was followed by Europe with 1,647 weekly attacks (-7% YoY) and North America with 1,384 weekly attacks per organisation (-8% YoY).
GenAI Adoption Accelerates Data Exposure Risks
Despite the dip in overall attacks, GenAI-related risk continues to rise. In the month of March, 1 in every 28 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, impacting 91% of organisations that use GenAI tools regularly. An additional 17% of prompts contained potentially sensitive information.
Over the past month, each organisation used an average of 9 different GenAI tools, while the typical user generated 78 prompts per month, underscoring how quickly AI has embedded into daily workflows — often ahead of governance and security controls.
Taken together, these figures show that risk is shifting from attack volume to impact, with sensitive data increasingly exposed through everyday GenAI interactions that often sit outside traditional security and governance controls. In effect, organisations are creating new, quieter exposure pathways at scale — increasing the likelihood of data leakage and downstream exploitation even without a conventional breach.
“March’s results may look like a breather, but attackers haven’t stepped back — they’ve simply shifted gears,” said Omer Dembinsky, Data Research Manager at Check Point Research. “As GenAI becomes a default workplace tool and ransomware groups maintain a steady operational tempo, organisations should plan for a future where risk is continuous, fast-moving, and increasingly shaped by automation.”
