16 % more Cyber Attacks in Germany in January

Check Point Research (CPR), the security research division of Check Point Software Technologies, provider of cyber security solutions, has published its Monthly Cyber Threat Report for January 2026. According to the report, companies worldwide experienced an average of 2090 cyber attacks per week in January 2026. This represents an increase of three percent compared to December 2025 and 17 percent compared to the same period last year. The trends diverge in the DACH region. The number of attacks did increase in Germany and Austria: German companies experienced an average of 1314 attacks, an increase of 16 percent. In Austria, the figures also rose by 14% to 1676. In Switzerland, however, the number of attacks fell by 11% to 1093 compared to January 2025.

Cyber attacks by region and sector (global)

The education sector continued to be the most attacked industry in January with an average of 4364 attacks per organization per week, an increase of 12% compared to the previous year. The large attack surface, the high number of users and the strong dependence on often outdated infrastructures continue to make this sector an attractive target for threat actors.

The government sector followed in second place with 2759 weekly attacks, an increase of eight percent compared to the previous year, and retained its position from the previous month. The state apparatus is one of the most frequently attacked areas due to the management of critical infrastructures and the large amount of sensitive information and correspondingly valuable data.

One notable shift was the rapid rise in attacks on telecommunications companies, which moved up to third place with an average of 2647 attacks per week (up eight percent). This sector replaced associations and non-profit organizations, which were still in third place in December. This development reflects the increasing focus on the important infrastructure of telecommunications. Attackers are increasingly exploiting the reliance on connectivity, 5G expansion and supply chain risks.

Average global number of weekly cyber attacks by sector in January 2026 compared to January 2025 © Check Point

Last month, Europe (up 18%) and North America (up 19%) also saw an increase in cyber attacks with 1755 and 1465 respectively. However, these figures are still relatively low compared to other regions. Latin America recorded the strongest year-on-year growth of all regions worldwide, with 3110 and an increase of 33% compared to December 2025. This was followed by the APAC region with 3087 attacks (up seven percent) and Africa with 2864, making Africa the only region to record a decline of six percent.

GenAI use opens up data leaks

The use of artificial intelligence (GenAI) in companies has continued to accelerate, which significantly increases the risk of data loss. CPR identified the following dangerous trends in January:

• One in 30 GenAI prompts showed an increased risk of sensitive data being leaked. This data leakage risk affected 93 percent of companies that regularly use GenAI tools.
• 16 percent of all prompts contained potentially sensitive information.
• Companies used an average of ten different GenAI tools, indicating fragmented and inconsistent usage patterns.
• The average enterprise user generated 76 GenAI prompts per month, reflecting deep operational integration of AI-driven workflows.

This continued opacity in GenAI usage underscores the need for solid governance, better visibility of AI tools and strict controls on data processing. Without such safeguards, companies are increasingly exposed to the risk of leaked credentials, disclosed source code, incorrect sharing of internal documents and inadvertent supply chain vulnerabilities.

Ransomware situation report by region, country and sector

Ransomware activity continued to increase by ten percent in January 2026 with 678 publicly reported attacks. Despite monthly fluctuations, ransomware remains one of the most persistent and destructive threats worldwide. Robust RaaS ecosystems and extortion models increasingly geared towards data theft are further fueling the threat.

North America accounted for 52% of ransomware victims, followed by Europe with 24%. This shows that the attackers continue to focus on high-revenue markets with an extensive digital infrastructure. Broken down by country, the USA (48%) remained the most affected country. Other heavily affected countries were the UK (five percent), Canada (four percent), Germany (four percent) and Italy (three percent). [These findings come from so-called ransomware shame sites, which are used by ransomware groups to publicly list their victims. While this data is selective by nature, it provides valuable insight into the scale, prevalence and evolving tactics of the ransomware ecosystem].

Industries that rely heavily on continuous operations remained the main targets of ransomware. Business services accounted for 33 percent of all ransomware victims, followed by consumer goods and services (15 percent) and industrial manufacturing (11 percent). This makes it clear that attackers are focusing on sectors where downtime leads directly to financial losses and reputational damage.

The most active ransomware groups in January 2026

Qilin was responsible for the most ransomware incidents, accounting for 15 percent of reported attacks, and expanded the exposure of victims through its Rust-based ecosystem. LockBit (12 percent) continued its large-scale campaigns with double extortion. Akira's activities also continued (9 percent). The group targets Windows, Linux and ESXi systems, with a particular focus on business services and industrial manufacturing.

Prevention is key

"We continue to see increasing numbers of attacks - both nationally and internationally," says Thomas Boele, Regional Director Sales Engineering CER/DACH. "GenAI acts as an accelerator: attackers automate faster, scale more efficiently and exploit vulnerabilities earlier. Detection alone is no longer enough. Prevention is crucial - supported by real-time intelligence and integrated protection across cloud, network, endpoints and identities."

The insights come from Check Point's ThreatCloud AI platform, which analyzes millions of indicators of compromise (IoCs) every day. ThreatCloud is powered by over 50 AI-driven engines and fed with information from more than 150,000 networks and millions of endpoints.