Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2024-09-04 → 2024-09-10 UTC

Choose a report date

Observed events

Public claims in the selected week

Data leak indicators

74.7% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

RansomHub generated the highest visible claim volume this week, representing 24.1% of observed events.

•

74.7% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 6 observed events.

•

1 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

2 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2024-09-10 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

RansomHub

21 events · 19 leak indicators

PLAY

12 events · 12 leak indicators

Qilin

7 events · 6 leak indicators

BianLian

6 events · 4 leak indicators

Kill Security

6 events · 0 leak indicators

Akira

5 events · 2 leak indicators

Hunters International

4 events · 4 leak indicators

Medusa

4 events · 4 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

CL0P 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States45

PLAY11 events · 11 leak indicators
RansomHub7 events · 6 leak indicators
Qilin6 events · 6 leak indicators
BianLian5 events · 3 leak indicators
Akira3 events · 1 leak indicator
DragonForce3 events · 3 leak indicators
Blacksuit2 events · 2 leak indicators
Hunters International2 events · 2 leak indicators

Belgium6

Kill Security5 events · 0 leak indicators
Medusa1 event · 1 leak indicator

Canada5

BianLian1 event · 1 leak indicator
Cactus1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
RansomHub1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator

United Kingdom5

RansomHub2 events · 2 leak indicators
MEOW1 event · 0 leak indicators
Qilin1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator

Italy3

Mad Liberator1 event · 0 leak indicators
MEOW1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator

Spain3

Lynx1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
RansomHub1 event · 1 leak indicator

Australia2

MEOW1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator

Brazil2

Akira1 event · 1 leak indicator
LockBit 3.01 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction6

PLAY2 events · 2 leak indicators
RansomHub2 events · 2 leak indicators
Hunters International1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Hospitals and Health Care5

RansomHub3 events · 3 leak indicators
LockBit 3.01 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Insurance4

Kill Security4 events · 0 leak indicators

Machinery Manufacturing4

PLAY2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
Mad Liberator1 event · 0 leak indicators

Wholesale4

PLAY2 events · 2 leak indicators
MEOW1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator

Accounting3

BianLian1 event · 0 leak indicators
Qilin1 event · 1 leak indicator
RansomHub1 event · 1 leak indicator

Facilities Services3

DragonForce1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RansomHub1 event · 1 leak indicator

Food and Beverage Services3

PLAY2 events · 2 leak indicators
MEOW1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 26
11-50 employees 17
201-500 employees 13
1,001-5,000 employees 8
2-10 employees 6
5,001-10,000 employees 4

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
RansomHub	Chemical Manufacturing	India	Data leak	2024-09-10
PLAY	Wholesale	United States	Data leak	2024-09-10
PLAY	Food and Beverage Services	United States	Data leak	2024-09-10
PLAY	Construction	United States	Data leak	2024-09-10
PLAY	Golf Courses and Country Clubs	United States	Data leak	2024-09-10
PLAY	Machinery Manufacturing	United States	Data leak	2024-09-10
PLAY	Wholesale	United States	Data leak	2024-09-10
PLAY	Machinery Manufacturing	Canada	Data leak	2024-09-10
PLAY	Transportation, Logistics, Supply Chain and Storage	United States	Data leak	2024-09-10
Kill Security	Financial Services	India	Claim only	2024-09-10
Akira	Motor Vehicle Manufacturing	United States	Claim only	2024-09-10
MEOW	Wholesale	Australia	Claim only	2024-09-10

News and research context

Recent articles from the same time window.

Le Groupe Bayard a été victime d’une cyberattaque (PDF) 2024-09-10

Related actor: 8BASE

Le 8 septembre 2024, nous avons été victime d’une cyberattaque de type rançongiciel, affectant une partie de nos systèmes informatiques et donc nos activités, impactant la publica…

SonicWall SSLVPN access control flaw is now exploited in attacks 2024-09-09

Related actor: Akira

SonicWall is warning that a recently fixed access control flaw tracked as CVE-2024-40766 in SonicOS is now "potentially" exploited in attacks, urging admins to apply patches as so…

From Ransomware to Ransom War: The Evolution of a Solitary Experiment into Organized Crime – Center for Security Studies | ETH Zurich 2024-09-09

This report discusses significant milestones in the development of ransomware, and what turned them into a significant threat to human and national security. Historically, disc…

Major Iranian IT vendor paying large ransom to resolve recent cyberattack | CyberScoop 2024-09-09

The company, Tosan, which provides IT services to 45% of the country’s banks, has paid $561,000 worth of bitcoin so far. An Iranian IT vendor that works with many of the natio…

All Schools Closed Monday, September 9 2024-09-09

All schools are closed on Monday, September 9. All school activities, athletics and meetings are canceled, including the vaccine clinic. Central office is open. We have detect…

Charles Darwin School Bromley closes due to cyber attack | News Shopper 2024-09-07

Related actor: Blacksuit

A Biggin Hill school has closed its doors as it tackles a major cyber-attack. Charles Darwin School, based in Jail Lane, had been experiencing IT issues but has now found the p…

Tewkesbury Borough Council cyber attack sparks disruption 2024-09-05

A council has warned residents that many of its services are unavailable after a cyber attack. On Wednesday afternoon, Tewkesbury Borough Council took "necessary cyber response s…

North Miami mayor discusses ransomware attack that crippled city: ‘We need to be more vigilant’ 2024-09-05

NORTH MIAMI, Fla. – The city of North Miami has been the subject of a ransomware attack. North Miami Mayor Alix Desulme spoke exclusively to Local 10 News about it on Wednesday…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.