This one cyber crime group accounted for nearly a fifth of all ransomware attacks in June
The Gentlemen, a ransomware a service operator, now accounts for 17% of published attacks
Global cyber attacks rose over 10% in June, according to new research from Check Point, with one particular group accounting for a growing portion.
The uptick in attacks comes in the wake of what the cybersecurity firm described as a period of “relative calm” in May.
Attack volumes increase broadly across all regions and sectors at once, the company noted, suggesting attackers are expanding activities across a wider set of targets.
“June’s data shows a broad rebound in cyber activity, not a single isolated spike,” said Mark Mitchell, security engineer at Check Point Software.
“Attackers are widening their reach across regions and industries, while ransomware groups continue to reorganize and scale."
Notably, Check Point’s analysis highlighted increased activity by The Gentlemen, a new ransomware operator on the scene. The group overtook Qilin as the most active ransomware group globally, accounting for 17% of published attacks.
LockBit activity also increased, rising from 1% of published attacks in May to 7% in June, making it the third most prevalent group.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
"The rise of The Gentlemen to the top of the ransomware leaderboard is a clear reminder that new operators can rapidly become major global threats," Mitchell warned.
As ITPro previously reported, The Gentlemen have quickly grown to become one of the most aggressive ransomware groups worldwide.
Observations of the group’s activities by NTT revealed it uses advanced tooling and proxy infrastructure to accelerate attacks, often operating stealthily within compromised networks before causing havoc.
NTT researchers said the group also shows a level of technical maturity that would typically be associated with more established cyber crime groups. This could suggest it consists of highly experienced threat actors with deep ties to other groups within the cyber crime ecosystem.
Key industries in the crosshairs
Education remained the most targeted sector globally, with organizations facing an average of 4,816 weekly attacks - 16% up on June 2025.
They're a comparatively easy target, said Check Point, thanks to open campus networks, constant device turnover, and constrained security resources.
Government was the second-most targeted sector, with 2,836 weekly attacks, up 5% year on year, while telecommunications ranked third with 2,835 weekly attacks, a 13% increase.
Latin America attacks ramp up
Attacks against organizations in Latin America are ramping up significantly, according to Check Point.
Organizations across the region are now contending with an average of 3,501 weekly attacks, a 27% rise since June 2025.
APAC followed at 3,060 weekly attacks, up 5%, while Africa was third with 3,008 attacks per week, although this was down 9% year on year.
Europe and North America also saw sharp increases, at 22% and 14% respectively.
AI is creating new risks
Generative AI continues to cause problems, with one in every 26 prompts submitted from enterprise networks carrying a high risk of sensitive data leakage, making for a global exposure rate of 3.9%.
High-risk prompt activity affected 85% of organizations that regularly use generative AI tools, while a further 27% of prompts contained potentially sensitive information.
This issue was most prevalent in Latin America, where 5.2% of prompts carried a high risk of sensitive data leakage, while Europe matched the global average at 3.9%.
In terms of broader AI-related risks, healthcare and medical carried the highest exposure at 5.7%, followed by telecommunications and business services at 5.1% each, and IT at 4.1%.
Personal data was accessed at 80% of affected organizations, with network and infrastructure details, legal and regulatory material, financial data, and employee records also widely exposed.
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
NCSC issues warning over Russian intelligence-backed threat groupNews The advisory comes as the government cracks down on groups involved in “destructive cyber and hybrid operations”
-
Data centers gobbled up 23% of Ireland’s electricity supply in 2025News Figures from the Central Statistics Office come amidst rising concerns over the impact of data centers on Ireland's power grid
-
Working with the enemy: Ransomware negotiator-turned cyber criminal jailed after working with hackers to extort clientsNews Angelo Martino was supposed to be negotiating on behalf of victims, but was secretly working for ransomware operators
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation