
Throughout April, analysts at Arete identified several distinct trends among the threat actors perpetrating cybercrime activities:
- Play and Qilin were the most active ransomware groups observed by Arete in April, with Akira rounding out the top three most active threat groups. More notable was the number of new or emerging threat actors active during the month, including AiLock, Anubis, Brain Cypher, Cortex, and World Leaks.
- RansomHub’s infrastructure, including its Tor victim chats and data leak site (DLS), was down throughout April, with no confirmed cause and no indication of when, or whether, the group will come back online. Although a separate threat group, DragonForce, claimed that RansomHub would be moving to its infrastructure, there has been no credible indication that the two groups are merging. Given DragonForce’s lack of historical sophistication compared to other threat groups, Arete assesses that DragonForce is unlikely to function as a service provider to other threat actors without the help of more experienced outside threat actors.
- In April, Arete observed incidents from the new World Leaks extortion group. In late 2024, Hunters International announced the end of its ransomware operation, citing increased risk and declining profitability due to government actions and global geopolitical pressures. In its place, the group said it would shift to extortion-only attacks and launch a new project called World Leaks, in which affiliates would be equipped with a custom-built exfiltration tool to automate data theft from victim networks. Despite the activity from this new World Leaks group, Arete continues to observe activity from Hunters International, which has not yet shut down its operations. However, in recent engagements the group has not encrypted victim data and has instead focused on data exfiltration.
- During April, threat actors actively exploited a critical vulnerability in the managed file transfer solution CrushFTP (CVE-2025-31161). The flaw is relatively simple to exploit, and public exploit code is readily available, increasing risk for organizations that use the platform. While exploitation has not yet led to widespread extortion events, an attacker who gains initial access through this vulnerability may not act on it immediately, so evidence of exploitation in an environment can precede a later extortion incident. Organizations running CrushFTP should confirm they are on a build the vendor has patched for this vulnerability and should review access logs for suspicious activity against the application from before the patch was applied, not only after.
Below are the 15 distinct ransomware variants encountered during April, based on the percentage of total ransomware and extortion engagements throughout the month:
