Arete, a pioneering leader in intelligence-led ransomware and extortion response and cyber risk management, released its 2025 Annual Crimeware Report, highlighting key threat groups, attack vectors, and trends in ransom demands and payments. Arete’s global teams collect and analyze hundreds of data points across thousands of engagements to provide actionable intelligence to insurance carriers, brokers, law firms, financial institutions, and insured organizations. 

Key findings within the report:  

• Akira had unusually high activity levels, particularly in the second half of the year, largely driven by its widespread exploitation of vulnerable SonicWall appliances. 

• Social engineering techniques evolved throughout the year, with multiple threat groups using email bombing and Microsoft Teams-based social engineering tactics to gain initial access.   

• ClickFix, a tactic that leverages fake error dialog boxes to trick users into manually executing malicious PowerShell commands, emerged in 2025 and evolved throughout the year in multiple campaigns. 

• Trends in ransom demands and payments remained largely consistent with previous years, although there were a few deviations due to the high number of Akira attacks in the second half of the year. 

"Data from throughout 2025 highlighted the continuing evolution of the cyber threat landscape,” said Chris Martenson, Arete’s Chief Data Officer. “As artificial intelligence, social engineering, and threat actor operations become increasingly sophisticated, organizations must take an agile, data-driven approach to cyber resilience," Martenson added. 

Arete is committed to helping our partners and clients stay ahead of evolving cyber threats with standardized, intelligence-led detection, response, resolution, and resilience capabilities.  

Download Arete’s 2025 Annual Crimeware Report.