
Arete’s Q3 2025 Crimeware Report
Leveraging data collected from Arete’s response to ransomware and extortion attacks, the report explores the threat landscape during the third quarter of 2025, including shifts in key threat groups, ransom demands and payments, and evolving attack methods.
Key Takeaways
- Arete observed an unprecedented surge in engagements attributed to Akira starting in mid-July. In August, the group was responsible for over half of all Arete engagements.
- Throughout 2025, both the median ransom demand and median payment have steadily increased each quarter. However, the percentage of time a ransom is paid has decreased.
- Vulnerability exploitation was the most common attack vector in Q3, particularly the widespread exploitation of vulnerable SonicWall devices. Threat actors also continued to evolve social engineering techniques, including SEO poisoning and malvertising campaigns.


