Ransomware Trends & Data Insights: November 2025

Akira and Qilin continued to dominate the threat landscape in November and were collectively responsible for almost half of Arete’s incident response engagements for the month. Additionally, the number of unique ransomware and extortion groups observed in November increased to 18, up from 12 in October. Several of these were newer threat groups that Arete had not observed prior to November, including the Warlock Group, Payouts King, RDAT Group, and FulcrumSec.

Figure 1. Activity from the top 5 threat groups in November 2025

Throughout the month, analysts at Arete identified several distinct trends in threat actor activity:

  • The Warlock Group, one of the newer ransomware groups observed by Arete in November, appears to be exploiting CVE-2025-59287, a remote code execution vulnerability in Windows Server Update Services (WSUS), and then using Velociraptor—a DFIR tool designed for legitimate endpoint monitoring and incident response—to set up command-and-control (C2).
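
A defender-side hunt for the chain described above, as an added example that is not from Arete's report: it flags a shell spawned by a WSUS-hosting process and Velociraptor running on a host outside your own deployment inventory. The event field names, the WSUS process names (`wsusservice.exe`, and `w3wp.exe` serving the `WsusPool` app pool), the host inventory and the sample events are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumptions (not from the article): event field names, the process names that
# host WSUS, and an inventory of hosts where your own team runs Velociraptor.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
APPROVED_VELOCIRAPTOR_HOSTS = {"ir01"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return a finding label for one process-creation event, or None."""
    parent, image = _name(ev["parent_image"]), _name(ev["image"])
    if parent in WSUS_PARENTS and image in SHELLS:
        # w3wp.exe serves every IIS app pool; only the WSUS pool is in scope here.
        if parent != "w3wp.exe" or "wsuspool" in ev.get("parent_command_line", "").lower():
            return "wsus-spawned-shell"
    text = image + " " + ev.get("command_line", "").lower()
    if "velociraptor" in text and ev["host"] not in APPROVED_VELOCIRAPTOR_HOSTS:
        return "unapproved-velociraptor"
    return None

def hunt(events):
    """Collect findings per host; both labels on one host match the reported chain."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in per_host.items()}

# Constructed sample events (illustrative only, not taken from any incident).
SAMPLE_EVENTS = [
    {"host": "wsus01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_command_line": 'w3wp.exe -ap "WsusPool"',
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"host": "wsus01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "command_line": "Velociraptor.exe service run"},
    {"host": "ir01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "command_line": "Velociraptor.exe service run"},
    {"host": "web02", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_command_line": 'w3wp.exe -ap "DefaultAppPool"',
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_EVENTS).items():
        print(host, labels)
```

Because Velociraptor is a legitimate tool, the second rule depends entirely on keeping the approved-host inventory accurate.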

In early November, Google released a report claiming to have observed the first AI-augmented malware used in real-world attacks, which marks a significant advancement in the implementation of generative AI by cybercriminals. Separately, Anthropic released a report claiming that it had disrupted a large-scale espionage campaign leveraging its Claude and Claude Code AI products to automate a significant portion of the attack lifecycle. Although the report lacked indicators of compromise and actionable intelligence, Anthropic has been asked to testify at a House Committee on Homeland Security subcommittee hearing on December 17th and answer questions related to the findings of its report. Arete has also observed threat actors leveraging AI tools like Copilot during Business Email Compromise (BEC) incidents to locate sensitive information faster.

Sources

Arete