Akira dominated ransomware and extortion activity in July, with Qilin remaining active, albeit not at the levels observed in June. Throughout July, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
- Akira was the most active threat group in July, responsible for almost 30% of all ransomware and extortion activity, followed by Qilin, the most active threat group in June, which accounted for nearly 12% of all incidents in July. Arete also observed several engagements in July with a new threat actor calling themselves the Sinobi Group. The Sinobi Group demonstrates multiple similarities with the Lynx ransomware group, including overlapping code and infrastructure, and a Tor chat and data leak site that is almost a carbon copy of Lynx’s. However, as Lynx continues to operate under its original name, it remains unclear whether Sinobi is a rebrand or a subgroup spawned from a sale or sharing of the Lynx encryptor or infrastructure.
- In July, multiple threat groups exploited critical zero-day vulnerabilities in Microsoft’s SharePoint. The vulnerabilities impact on-premises SharePoint Server products and allow for remote code execution. Microsoft addressed the vulnerabilities in security updates, which can be found here. If affected organizations have not yet done so, it is critical for them to immediately install the security updates.
- In July, the Interlock ransomware group was observed deploying a new remote access trojan (RAT) via a variation of the ClickFix technique called “FileFix.” ClickFix attacks use deceptive CAPTCHA challenges to trick users into executing malicious PowerShell scripts and gain unauthorized access to victim networks. FileFix operates similarly, but uses Windows tools like File Explorer to trick users into executing malicious PowerShell scripts. Once deployed, the new RAT performs various functions, including collecting information on the victim’s system, determining privileges, setting up C2 channels, and deploying additional malware.
Sources
- Arete Internal
Related Resources
![]()
Multiple Threat Groups Using New EDRKillShifter Builds
Multiple ransomware groups now use updated EDRKillShifter builds to disable EDR protections via BYOVD and HeartCrypt, targeting major security platforms.
Read more![]()
Client Story: The Importance of External Penetration Testing
Brandon shares how Arete’s cybersecurity penetration testing helped protect his global team from threats, giving him peace of mind and expert support.
Read more![]()
Akira Targeting SonicWall Devices (Again)
A recent wave of Akira ransomware attacks has targeted SonicWall firewall devices, exploiting a previously identified flaw.
Read more
