A New Ransomware Leader Emerges as June 2026 Attack Volumes Climb Worldwide

A Global Rebound That Reaches Every Region

June reversed the brief calm of May. Organizations faced an average of 2,270 weekly cyber attacks, a 10% rise from the previous month and a 17% increase compared with June last year. What makes this month notable is not just the size of the jump but its reach. Rather than one region or sector absorbing the bulk of the growth, the increase showed up almost everywhere at once, suggesting attackers spread their effort wider rather than concentrating it.

Which Industries Faced the Most Attacks?

Education remained the most targeted sector, with organizations facing an average of 4,816 weekly attacks, a 16% climb from June 2025. Open campus networks, constant device turnover, and thin security budgets keep making schools and universities an easy draw for attackers. Government followed at 2,836 weekly attacks, up 5%, and Telecommunications came in close behind at 2,835, a 13% rise. Together these three sectors continue to absorb a disproportionate share of global attack volume, a pattern that has held steady across recent months even as the specific numbers shift.

Which Regions Saw the Sharpest Increase?

Latin America held its position as the most attacked region, with organizations reporting 3,501 weekly attacks on average, a 27% increase over June 2025. APAC followed at 3,060, a smaller 5% rise, while Africa posted 3,008 weekly attacks, down 9% from a year earlier, its only decline among the five regions tracked. Europe and North America both saw sharp jumps, up 22% and 14% respectively, pushing every region into growth except Africa.

RegionWeekly Attacks per OrganizationYoY Change
Latin America3,501+27%
APAC3,060+5%
Africa3,008-9%
Europe2,003+22%
North America1,612+14%

GenAI Exposure: Where the Risk Concentrates

GenAI exposure has become one of the clearest examples of how everyday business behavior can create security risk. In this context, the risk is not about attackers using AI or flaws in the models themselves. It is about what employees place into prompts: customer records, internal documents, infrastructure details, legal material, financial data, or HR information that may be copied into public or unmanaged GenAI tools.

The June data highlights three main signals:

  • High-risk prompts are common: 1 in every 26 GenAI prompts from enterprise networks carried a high risk of sensitive data leakage, equal to a global exposure rate of 3.9%.
  • The risk is widespread: 85% of organizations that regularly use GenAI tools were affected by high-risk prompt activity.
  • Sensitive information is frequently present: A further 27% of prompts contained potentially sensitive information.
  • Adoption is broadening: Each organization used an average of 7 different GenAI tools over the past month, while the average user generated 78 prompts.

That level of activity suggests GenAI is no longer a side experiment in many workplaces. It is becoming part of daily workflows, often faster than data protection policies, user training, and technical controls can adapt.

The highest-risk regions and industries stood out clearly against the 3.9% global benchmark.Looking at where this risk lands, Latin America stood out as the highest risk region at 5.2%, well above the global rate. Europe matched the global average of 3.9%, while North America and APAC came in slightly under it, at 3.6% and 3.5%. By industry, Healthcare and Medical carried the heaviest exposure at 5.7%, followed by Telecommunications and Business Services, both at 5.1%, and Information Technology at 4.1%. 

Personal data made up the largest share of sensitive content flowing through these prompts, appearing in 80% of organizations, followed by network and infrastructure details at 62%, legal and regulatory material at 61%, financial data at 60%, and employee records at 57%. Taken together, these figures point to a workforce that treats GenAI tools as a general-purpose assistant, feeding them exactly the kind of material that governance policies are meant to protect. 

Data Category% of Organizations
PII80%
Network & IT Infrastructure62%
Legal & Regulatory61%
Financial Data60%
Employee & HR57%

This shows that GenAI exposure is not limited to one department or one type of task. It cuts across personal, technical, legal, financial, and workforce-related data, making prompt-level visibility and governance increasingly important as enterprise GenAI use continues to grow.

Ransomware Keeps Climbing, With Business Services in the Crosshairs

* This ransomware data draws from ransomware “shame sites” operated by double-extortion groups, which publicly disclose victim information. While these sources have inherent biases, they provide valuable insight into the ransomware landscape.

Ransomware attacks totaled 646 in June, a 33% increase over the same month in 2025. Business Services remained the most affected industry, responsible for 31% of reported victims, followed by Consumer Goods and Services at 16% and Industrial Manufacturing at 14%. Two trends stand out over the past three months. Consumer Goods and Services has climbed steadily, from 14% of victims in April to 15% in May and 16% in June, and Government has moved even faster, rising from 4.0% to 4.3% to 5.4% across the same stretch.

IndustryRansomware Victims
Business Services31%
Consumer Goods & Services16%
Industrial Manufacturing14%
Financial Services5.6%
Government5.4%
Healthcare & Medical4.8%
Information Technology3.7%
Education3.2%
Automotive3.1%
Transportation & Logistics2.9%

North America accounted for 44% of reported ransomware incidents, with APAC at 23% and Europe at 22%. APAC saw the sharpest shift of any region, its share of global victims rising from 16.8% in April to 22.6% in June, a jump of over a third in just two months.

A New Name at the Top of the Ransomware Leaderboard

The Gentlemen was the most prevalent ransomware group in the past month, responsible for 17% of the published attacks, overtaking Qilin, which accounted for 11%. LockBit also recorded a significant increase, rising from 1% of published attacks in the previous month to 7%, making it the third most prevalent ransomware group.

  • The Gentlemen: The Gentlemen is a fast growing Ransomware-as-a-Service operation founded in mid-2025 by a Russian-speaking operator (Hastalamuerte) who previously worked as an affiliate across Qilin, Embargo, LockBit, Medusa, and BlackLock before launching his own platform after a dispute with Qilin. The group openly recruits affiliates in various forums and uniquely functions as both a RaaS provider and an Initial Access Broker, offering affiliates self-service access to approximately 14,000 pre-exploited FortiGate devices (CVE-2024-55591). With over 320 DLS-claimed victims and an estimated 1,570+ actual compromises revealed through Check Point Research’s analysis, The Gentlemen has established itself as a top-7 global ransomware threat in under a year. The group’s cross-platform lockers target Windows, Linux, and ESXi (C-based), and their latest May 2026 operator communication announces a shift from blunt-force BYOVD-based EDR killing to surgical userland evasion techniques. The group’s geographic targeting is notably atypical, with the US representing only 12% of victims (vs 50% ecosystem average), reflecting a device-driven victim selection model shaped by the FortiGate stockpile rather than deliberate geographic preference.

Qilin: Qilin is one of the most established RaaS groups, with a consistent track record of victim disclosures dating back to 2022. Originally operating under the name “Agenda,” the group rebranded as “Qilin” by September 2022, introducing a Rust-based encryptor and expanding its RaaS infrastructure. It provides affiliates with a full-featured toolkit via a dedicated

  • administrative panel, including an encryptor, negotiation infrastructure, and support services. Following RansomHub’s retirement, Qilin intensified its affiliate recruitment efforts and, since March 2025, has significantly increased the volume of victim listings on its data leak site (DLS).
  • LockBit: LockBit is a ransomware-as-a-service (RaaS), that was first launched in September 2019 and was updated and improved in June 2021. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States. LockBit shares details of their victims on a Tor-hosted leak site along with the countdown to the date and time at which stolen data will be published unless the ransom payment is received. LockBbitis considered to be the fastest ransomware in terms of encryption speed.

Frequently Asked Questions About June 2026’s Cyber Threat Landscape

  • Why did cyber attacks increase across nearly every region in June? The growth was broad rather than concentrated in one place, which points to attackers expanding their targeting rather than focusing on a single weak point. Latin America and Europe saw the steepest year over year gains, while Africa was the only region to post a decline.
  • Which industries face the highest GenAI data leakage risk? Healthcare and Medical carried the highest risk at 5.7% of prompts, followed by Telecommunications and Business Services at 5.1% each, and Information Technology at 4.1%. All four sat above the global average of 3.9%.
  • Why did The Gentlemen overtake Qilin as the top ransomware group? The Gentlemen built rapid scale through self-service access to a large pool of pre-exploited devices and an aggressive affiliate recruitment model, letting it grow into a leading threat within about a year of launching. In June it accounted for 17% of published attacks against Qilin’s 11%.
  • Is ransomware activity still concentrated in North America? Yes, though less so than before. North America still accounts for 44% of reported victims, but APAC’s share grew sharply, from 16.8% in April to 22.6% in June, making it the fastest growing region for ransomware activity.
  • Reading June Correctly

The headline number tells a straightforward story: attacks are up, broadly and consistently, across regions that had shown mixed signals in prior months. The more useful story sits underneath it. Ransomware is not just growing, it is reorganizing at the leadership level, with a group that barely existed a year ago now setting the pace. GenAI risk has not spiked, but it has settled into a steady baseline that most organizations still have not built the right controls around. None of this points to a single fix. It points to the same conclusion every month like this one does, that a prevention first strategy across network, cloud, endpoint, and user activity is the only approach built to keep up with a landscape that keeps shifting shape.

Author