As was the case in August, Akira and Qilin once again emerged as the top two ransomware groups in September. Throughout the month, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:
- Arete observed Akira and multiple other threat actors continuing to compromise SonicWall devices. Akira, in particular, dominated the threat landscape throughout the month and was responsible for almost 40% of ransomware and extortion activity observed by Arete. Although SonicWall maintains that this campaign targets an older known vulnerability (CVE-2024-40766), the company announced another security incident involving their firewall’s cloud backup files in mid-September, which could lead to future attacks.
- There was a notable increase in activity from extortion-only groups. Two relatively new extortion groups, World Leaks and the Pure Extraction And Ransom (PEAR) Team, were among the top five threat groups in September and were collectively responsible for over 10% of activity for the month. Notably, the PEAR Team has claimed exfiltration of several TB of data in each engagement, which is significantly more than the standard.
In addition to the continued surge of Akira attacks, the number of unique ransomware variants increased compared to July and August, with 19 unique identified ransomware and extortion groups observed in September:
Related Resources
![]()
Managed File Transfer Exploits: Here to Stay?
Cybercriminals exploit MFT vulnerabilities in CentreStack and GoAnywhere, enabling remote code execution and access to sensitive data.
Read more![]()
Velociraptor DFIR Tool Used in Ransomware Attacks
Threat actors exploit outdated Velociraptor DFIR tool versions to deploy ransomware and gain full system control.
Read more![]()
Oracle Vulnerability Exploited by Cl0p
Cl0p Oracle EBS zero-day exploit leads to data theft via CVE-2025-61882. Oracle issues emergency patch to mitigate remote code execution risk.
Read more
