
As was the case in August, Akira and Qilin once again emerged as the top two ransomware groups in September. Throughout the month, analysts at Arete identified several distinct trends in threat actor activity:
- Arete observed Akira and multiple other threat actors continuing to compromise SonicWall devices. Akira, in particular, dominated the threat landscape throughout the month and was responsible for almost 40% of ransomware and extortion activity observed by Arete. Although SonicWall maintains that this campaign targets an older known vulnerability (CVE-2024-40766), the company announced another security incident in mid-September involving its firewalls' cloud backup files, which could lead to future attacks.
- There was a notable increase in activity from extortion-only groups. Two relatively new extortion groups, World Leaks and the Pure Extraction And Ransom (PEAR) Team, were among the top five threat groups in September and were collectively responsible for over 10% of activity for the month. Notably, the PEAR Team has claimed exfiltration of several TB of data in each engagement, which is significantly more than is typical.
In addition to the continued surge of Akira attacks, the number of unique ransomware variants increased compared to July and August, with 19 unique ransomware and extortion groups identified in September:
