Threat Intelligence · Dec 10, 2025

Global Cyber Attacks Increase in November 2025 Driven by Ransomware Surge and GenAI Risks - Check Point Blog

Check Point Blog · Archived Mar 16, 2026



In November 2025, global cyber activity continued its upward trend, with organizations experiencing an average of 2,003 cyber-attacks per week. This represents a 3% increase from October and a 4% rise compared to November 2024. Check Point Research data shows that this steady escalation reflects a threat landscape shaped by intensified ransomware activity, expanded attack surfaces, and the growing exposure risks associated with generative AI tools inside organizations.

Industry Insights: Education Under Sustained Pressure

The education sector remained the most targeted industry worldwide, facing an average of 4,656 attacks per organization per week—a 7% year-over-year increase. Next in line were government entities, which experienced 2,716 weekly attacks (+2% YoY), closely followed by associations and non-profit organizations with 2,550 attacks per week, marking a striking 57% YoY surge. This sharp rise against associations and non-profits underscores how threat actors are increasingly exploiting sectors with limited security resources but highly valuable data and public-facing digital services.

Regional Breakdown: Latin America Leads Global Spike

Latin America recorded the highest number of attacks per organization in November, with an average of 3,048 weekly attacks, marking a 17% YoY increase, the largest rise globally. APAC followed with 2,978 attacks (–0.1% YoY), essentially maintaining its level of attacks, while Africa registered 2,696 attacks (–13% YoY). Europe saw a slight dip (–1% YoY), whereas North America experienced a 9% YoY increase, reinforcing its position as a major target for sophisticated and financially motivated threat groups.

Over the past year, we have seen a trend of convergence in the number of attacks across the different regions of the world, with the gap between the least and most attacked regions narrowing from almost triple to only twice as high. While in a specific month we may see one region shift upwards or downwards, we can see that all are heavily impacted and shifting closer towards the global average.

Region           Weekly Attacks per Organization   YoY Change
Latin America    3048                              +17%
APAC             2978                              -0.1%
Africa           2696                              -13%
Europe           1638                              -1%
North America    1449                              +9%

GenAI Security Risks Intensify Globally

The widespread enterprise adoption of generative AI tools continues to introduce significant data-exposure risks. In November 2025, Check Point observed that 1 in every 35 GenAI prompts carried a high risk of sensitive data leakage, impacting 87% of organizations that use GenAI regularly and underscoring how deeply AI has become embedded in daily workflows. An additional 22% of prompts contained potentially sensitive information such as internal communications, enterprise data, proprietary code, or personal identifiers.

While some usage occurs through managed tools, organizations still average 11 different GenAI tools per month, most of which are likely unsupervised and operating outside formal security governance. Such misuse increases the likelihood of accidental data exposure, exposing organizations to a higher risk of malicious infiltration, ransomware and AI-powered cyber attacks.

These findings underscore how AI-driven workflows, if not properly governed, create an expanding attack surface—where inadvertent data sharing can pave the way for credential exposure, intellectual-property loss, and social-engineering exploitation.

Ransomware Trends: 22% YoY Increase in Global Attacks

Ransomware activity intensified notably in November 2025, with 727 reported attacks, marking a 22% increase compared to the same period last year and underscoring the persistence of double-extortion operations worldwide.

North America remained the epicenter of ransomware activity, accounting for 55% of all disclosed incidents, followed by Europe with 18%, reflecting continued pressure on Western critical infrastructure and service-driven industries. At the national level, the United States dominated the victim landscape with 52% of global cases, while the United Kingdom and Canada followed distantly at 4% and 3%, respectively.

* These insights are derived from ransomware “shame sites” used by double-extortion groups to publicly list their victims. While inherently selective, these disclosures offer a valuable window into the scale, distribution, and evolving tactics of today’s ransomware ecosystem.

Country                 Ransomware Victims
United States           52%
United Kingdom          4%
Canada                  3%
Mexico                  3%
Germany                 2%
India                   2%
Italy                   2%
Spain                   2%
United Arab Emirates    2%
Japan                   2%

Most Targeted Industries

From an industry perspective, industrial manufacturing emerged as the hardest-hit sector, representing 12% of all reported victims, as attackers continue exploiting operational dependencies and legacy systems. The business services sector followed closely at 11%, with consumer goods & services at 10%, signaling a sustained focus on industries with high data value and low tolerance for operational downtime.

Industry                      Ransomware Victims
Industrial Manufacturing      12%
Business Services             11%
Consumer Goods & Services     10%
Construction & Engineering    9%
Healthcare & Medical          8%
Government                    6%
Education                     5%
Information Technology        4%
Energy & Utilities            4%
Financial Services            3%

November’s Most Active Ransomware Groups

The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. Qilin and Clop are the most prevalent ransomware groups this month, responsible for 15% of the published attacks, followed by Akira with 12%.

Qilin – Qilin is one of the most established RaaS groups, with a consistent track record of victim disclosures dating back to 2022. Originally operating under the name “Agenda,” the group rebranded as “Qilin” by September 2022, introducing a Rust-based encryptor and expanding its RaaS infrastructure. It provides affiliates with a full-featured toolkit via a dedicated administrative panel, including an encryptor, negotiation infrastructure, and support services. Following RansomHub’s retirement, Qilin intensified its affiliate recruitment efforts and, since March 2025, has significantly increased the volume of victim listings on its data leak site (DLS).

Clop – Clop, a ransomware group that had been relatively quiet for some time, has now begun publishing victims from a months-long campaign dating back to at least August 2025. This marks the final stage of a large-scale data-theft and extortion operation carried out by the Clop ransomware group, which exploited two Oracle E-Business Suite (EBS) zero-day vulnerabilities — including the pre-authentication RCE flaw CVE-2025-61882. The activity aligns with Clop’s established strategy of targeting high-value enterprise platforms to exfiltrate large datasets from numerous organizations across varied global sectors.

Akira – Akira is a RaaS actor first reported in early 2023, with payloads targeting Windows, Linux and ESXi systems. Its victimology in Q2 2025 shows a notable focus on business services (19%) and industrial manufacturing (18%). In early 2024, Akira introduced a Rust-based encryptor with specific features designed for ESXi servers. The new variant includes selective encryption, VM targeting, and runtime controls. It also implements a unique execution guard using Rust build-IDs to hinder sandboxing and reverse engineering.

What November’s Data Tells Us

November 2025 paints a clear and compelling picture: both the volume of global cyber attacks and the number of successful ransomware attacks are on the rise, impacting a wide range of regions and sectors. At the same time, the rapid expansion of GenAI tools inside organizations is creating new blind spots—places where sensitive data leaks, misconfigurations, and shadow AI usage open the door to exploitation. Ransomware groups, emboldened by these new opportunities and increasingly sophisticated infrastructures, are scaling their reach across regions, sectors, and critical services.

For defenders, the message is unmistakable: the threat landscape is moving faster than ever. Staying ahead requires more than reactive tools—it demands prevention-first security, strong data-protection measures, and clear governance around AI usage. In an era where attackers innovate at speed, being proactive is no longer optional; it is the defining factor between resilience and disruption.