Ransomware Trends & Data Insights: October 2025

Akira and Qilin were overwhelmingly the top two ransomware groups observed by Arete in October. Throughout the month, Arete analysts also identified several distinct trends in threat actor activity:

  • In October, the Cl0p threat group exploited a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882) and posted victims to its data leak site (DLS). Although the total number of victims impacted remains unknown, this campaign follows Cl0p’s annual pattern of exploiting a high-impact vulnerability to access data from multiple victims.
  • Also in October, the Scattered Lapsus$ Hunters threat group exposed a separate Oracle E-Business Suite Server-Side Request Forgery vulnerability (CVE-2025-61884) on a Telegram channel. Oracle has released security updates that patch both vulnerabilities, so organizations using Oracle E-Business Suite should immediately patch their software if they have not yet done so.
  • The threat actor Scattered Lapsus$ Hunters is allegedly a partnership between the Scattered Spider, Lapsus$, and ShinyHunters groups. The group claimed responsibility for the Salesloft breaches and created a new DLS, where it began adding organizations starting on October 3, 2025. These breaches were enabled by a compromise of Salesloft Drift integrations, which allowed exfiltration of data from Salesforce instances. Salesforce has publicly stated that it will not pay a ransom to the threat actors.

In addition to the continued surge of Akira attacks, the number of unique ransomware variants slightly decreased from September, with only 12 unique groups observed throughout October.

Figure 1. Activity from the top 5 threat groups in October 2025