Check Point Research reveals a strategic shift in cyber-attack tactics across Africa, with a growing focus on financial extortion through ransomware and AI-driven threats. While global attacks rose by 2% in May 2026, African organisations in Angola and Nigeria are facing double the global average of weekly intrusions. Experts warn that the adoption of generative AI is creating new data leakage risks, necessitating a prevention-first approach to security.
Notably, Ethiopia, Nigeria, Zimbabwe, Angola, and Mozambique are the most attacked countries on the continent. Angola and Nigeria attack levels are double the global average at 4 046 and 3 941 per organisation per week, respectively. These figures compare to Kenya and South Africa whose organisations faced 2443 and 1738 attacks per week, respectively.
While Africa recorded a year-on-year decline in overall attack activity, it remains among the most targeted regions globally. This is due to persistently high attack volumes, expanding ransomware activity, hacktivist campaigns, and increasingly sophisticated AI-enabled threats, all of which contribute to significant cyber risk for Africa organisations both public and private.
“May’s numbers show that attackers are continuously adapting, shifting their timing and techniques rather than slowing down. As ransomware scales and GenAI adoption accelerates across enterprises, organisations must assume constant exposure and prioritise prevention-first, AI-driven security strategies that can stop threats before impact,”said Omer Dembinsky, Data Research Manager at Check Point Research.
Africa in Focus: A Shift from Disruption to Monetisation
Ransomware remains one of the most significant cyber threats globally in May, with 698 publicly reported attacks, representing a 48% increase year on year — the sharpest annual increase recorded in 2026.
Importantly, for Africa, the composition of attacks has changed. Threat activity has shifted away from mass disruption, toward financially motivated operations, reinforcing a trend that security teams across the continent have observed throughout the past year.
“Ransomware groups continue to apply sustained pressure on African organisations. Business Services and Financial Services emerged among the most frequently targeted sectors in Africa, highlighting the increasing focus on organisations capable of paying extortion demands or possessing valuable data,” says Hendrik de Bruin, Head: Security Consulting: Africa at Check Point Software.
Government and Critical Infrastructure Face Concentrated Pressure
Globally, Government ranked as the second most targeted sector in May, experiencing an average of 2,620 weekly attacks per organisation, while Telecommunications ranked third with 2,583 weekly attacks.
In Africa, this pressure was particularly visible in attacks targeting government services and national infrastructure. Government and public-service portals, particularly in Egypt, experienced coordinated disruption campaigns linked to hacktivist-aligned actors seeking both political visibility and operational impact. In South Africa, several prominent Government institutions were reportedly breached, including the South African Revenue Service (SARS), SITA, and the City of Ekurhuleni.
Telecommunications providers were also targeted during the same campaign cycle, demonstrating how threat actors increasingly focus on interconnected public infrastructure. The concentration of attacks against government institutions, financial services, and telecommunications within a single geography underscores the continued attractiveness of high-visibility national infrastructure as a target.
Education Remains the Most Targeted Industry Worldwide
The Education sector once again ranked as the most attacked industry globally, facing an average of 4,641 weekly attacks per organisation, a 7% increase year on year.
Educational institutions continue to present attractive targets due to large user populations, open digital environments, and often constrained cyber security resources. Beyond Education, notable increases were also recorded across Agriculture, Hospitality, Travel and Recreation, and Construction and Engineering, demonstrating how digital transformation is expanding the cyber attack surface across a growing range of industries.
Perimeter Vulnerabilities Continue to Fuel Intrusions
The May findings also highlighted growing exploitation of perimeter vulnerabilities, including authentication bypass flaws affecting widely deployed VPN and firewall technologies. These vulnerabilities provide attackers with trusted access into enterprise environments and increasingly serve as entry points for ransomware operations. Once inside, threat actors can move laterally, steal credentials, and deploy ransomware or data theft operations with greater speed and efficiency.
“For many organisations across Africa that are still strengthening cyber resilience capabilities, unpatched perimeter systems remain one of the most significant sources of exposure,” de Bruin says
GenAI Adoption Creates New Exposure Risks
Check Point Research found that one in every 25 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage during May, affecting 91% of organisations actively using GenAI tools. An additional 22% of prompts contained potentially sensitive information. Organisations used an average of nine different GenAI applications during the month, while the typical enterprise user generated approximately 70 prompts.
Africa is experiencing the same exposure challenges. Threat actors are increasingly leveraging AI-assisted techniques to accelerate cyber attacks, enabling faster credential harvesting, more convincing phishing campaigns, improved social engineering, and quicker data exfiltration following compromise.
“While organisations continue to embrace generative AI technologies, the pace of adoption is increasingly outstripping governance and security controls.The result is a threat environment where AI is simultaneously driving productivity gains and expanding organisational risk,” de Bruin says.
May’s lower attack volumes should not be interpreted as a reduction in cyber risk. Instead, the data points to a threat landscape undergoing strategic reorganisation.
“For African organisations, the findings reinforce the need to prioritise proactive security strategies focused on prevention, vulnerability management, ransomware resilience, and governance around emerging AI technologies. The numbers may have been quieter in May, but the underlying risk environment remains firmly elevated,” de Bruin concludes.
