As was the case in August, Akira and Qilin once again emerged as the top two ransomware groups in September. Throughout the month, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
- Arete observed Akira and multiple other threat actors continuing to compromise SonicWall devices. Akira, in particular, dominated the threat landscape throughout the month and was responsible for almost 40% of ransomware and extortion activity observed by Arete. Although SonicWall maintains that this campaign targets an older known vulnerability (CVE-2024-40766), the company announced another security incident involving their firewall’s cloud backup files in mid-September, which could lead to future attacks.
- There was a notable increase in activity from extortion-only groups. Two relatively new extortion groups, World Leaks and the Pure Extraction And Ransom (PEAR) Team, were among the top five threat groups in September and were collectively responsible for over 10% of activity for the month. Notably, the PEAR Team has claimed exfiltration of several TB of data in each engagement, which is significantly more than the standard.
In addition to the continued surge of Akira attacks, the number of unique ransomware variants increased compared to July and August, with 19 unique identified ransomware and extortion groups observed in September:
Related Resources
![]()
SonicWall Discloses Another Breach
SonicWall cloud backup breach exposes encrypted files; users urged to follow remediation guidance to prevent further exploitation.
Read more![]()
Scattered Spider Claims to be Going Dark
The Scattered Spider cybercrime group announced it was going dark, but evidence suggests ongoing operations.
Read more![]()
Threat Actors Turn to Supply Chain Attacks to Push Malware
Discover how malicious npm packages are used in supply chain attacks targeting developers and crypto users, compromising credentials and systems.
Read more
