86% of Akira attacks occurred in environments where a SonicWall device was present.

Akira ransom demands averaged $1.2M, which is 50% higher than the non-Akira average.

Two-thirds of Akira attacks in 2025 occurred on nights or weekends.

Akira, a Ransomware-as-a-Service operation that has run since 2023, drove a 53% increase in ransomware frequency in the second half of 2025.

The Gentlemen ransomware group increased from 35 victims in Q4 2025 to 182 victims in Q1 2026.

Activity from the Qilin ransomware group declined by 25% and activity from the Akira ransomware group declined by 22%.

Akira accounted for more than 40% of all ransomware claims in At-Bay’s portfolio for the full year.

Qilin affiliates take home a significant portion of their ransom payments (up to 80 - 85%), higher than typical RaaS payout structures.

Ransomware-as-a-Service (RaaS) groups were responsible for over 87% of all ransomware attacks.

Fewer new RaaS programs (-17.9%), but overall activity continued to expand.

10% to 15% of revenue was offered as a split for the core operator within the RaaS ecosystem.

The Dragon RaaS emerged in 2024.