
Akira again dominated ransomware activity in August, and Qilin remained the second-most active group for the second month. Throughout August, analysts at Arete identified several distinct trends among the threat actors perpetrating cybercrime activities:
- Akira had the highest share of ransomware attacks observed by Arete in a single month since the group emerged in April 2023. The group was responsible for almost half of the ransomware and extortion attacks in August. Qilin also remained active in August, albeit not to the degree that Akira was. Combined, these two ransomware groups were responsible for over 64% of the activity for the entire month.
- The recent surge in Akira attacks was originally attributed to a suspected zero-day in Gen 7 SonicWall firewalls with SSLVPN enabled. However, SonicWall released an update stating that the attacks were not related to any new zero-day vulnerability but were instead correlated with CVE-2024-40766, an older SonicWall VPN access control flaw first detected in August 2024 and previously exploited by Akira in late 2024 and early 2025.
- Arete is aware of two ongoing supply chain attacks involving data exfiltration. The first involves threat actors using stolen OAuth credentials from the Salesloft SalesDrift platform to exfiltrate data from Salesforce instances. The second, in late August, involved threat actors publishing malicious versions of Nx, an open-source build system that provides tools and techniques for software developers, to the npm registry. This second supply chain attack potentially exposes sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, and SSH keys.
- In August, the US Treasury Department also announced sanctions against the Grinex crypto exchange, the spiritual successor to Garantex. Following law enforcement action against Garantex in March 2025, Grinex was created by Garantex employees to enable sanctions evasion efforts. Subsequently, Grinex became a hot spot for illicitly obtained funds from ransomware, extortion, and other fraudulent activities.
In addition to the high number of Akira attacks, the number of unique ransomware variants was also slightly higher than in July, with 17 unique ransomware and extortion groups identified in August:
