Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2024-09-25 → 2024-10-01 UTC

Choose a report date

Observed events

101

Public claims in the selected week

Data leak indicators

63.4% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

PLAY generated the highest visible claim volume this week, representing 11.9% of observed events.

•

63.4% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 8 observed events.

•

6 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

1 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2024-10-01 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

PLAY

12 events · 11 leak indicators

RansomHub

10 events · 9 leak indicators

MEOW

9 events · 0 leak indicators

Nitrogen

9 events · 9 leak indicators

Akira

7 events · 1 leak indicator

Kill Security

7 events · 0 leak indicators

Medusa

7 events · 7 leak indicators

3AM

5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Nitrogen 9 events
BlackByte 1 event
Blackout 1 event
CiphBit 1 event
Embargo 1 event
Pryx 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States44

PLAY8 events · 7 leak indicators
Nitrogen7 events · 7 leak indicators
Akira4 events · 0 leak indicators
MEOW4 events · 0 leak indicators
Qilin3 events · 2 leak indicators
Cactus2 events · 2 leak indicators
Data Leak2 events · 0 leak indicators
INC Ransom2 events · 2 leak indicators

Canada8

Akira2 events · 1 leak indicator
Nitrogen2 events · 2 leak indicators
Data Leak1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
MEOW1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator

United Kingdom8

3AM2 events · 2 leak indicators
Cactus2 events · 2 leak indicators
Medusa1 event · 1 leak indicator
MEOW1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
Stormous1 event · 1 leak indicator

Brazil5

RansomHub2 events · 2 leak indicators
BlackByte1 event · 0 leak indicators
Kill Security1 event · 0 leak indicators
Mad Liberator1 event · 0 leak indicators

India4

Kill Security4 events · 0 leak indicators

Germany3

Akira1 event · 0 leak indicators
Cactus1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Japan3

RansomHub2 events · 2 leak indicators
Medusa1 event · 1 leak indicator

Belgium2

Blacksuit1 event · 0 leak indicators
MEOW1 event · 0 leak indicators

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction8

Cactus2 events · 2 leak indicators
CiphBit1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
MEOW1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator

Hospitals and Health Care6

Kill Security2 events · 0 leak indicators
3AM1 event · 1 leak indicator
Embargo1 event · 1 leak indicator
MEOW1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator

Industrial Machinery Manufacturing5

RansomHub2 events · 2 leak indicators
Cactus1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
Nitrogen1 event · 1 leak indicator

Retail5

Blacksuit1 event · 0 leak indicators
Kill Security1 event · 0 leak indicators
MEOW1 event · 0 leak indicators
Nitrogen1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Government Administration4

Kill Security2 events · 0 leak indicators
Data Leak1 event · 0 leak indicators
MEOW1 event · 0 leak indicators

IT Services and IT Consulting4

PLAY2 events · 2 leak indicators
INC Ransom1 event · 0 leak indicators
Nitrogen1 event · 1 leak indicator

Machinery Manufacturing4

PLAY2 events · 1 leak indicator
MEOW1 event · 0 leak indicators
Nitrogen1 event · 1 leak indicator

Chemical Manufacturing3

Abyss1 event · 1 leak indicator
Akira1 event · 0 leak indicators
Cactus1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 37
11-50 employees 18
201-500 employees 17
2-10 employees 9
1,001-5,000 employees 4
501-1,000 employees 4

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Qilin	Farming	United States	Data leak	2024-10-01
Stormous	Investment Banking	United Kingdom	Data leak	2024-10-01
Nitrogen	Civil Engineering	United States	Data leak	2024-10-01
Nitrogen	Industrial Machinery Manufacturing	Canada	Data leak	2024-10-01
Akira	Maritime	United States	Claim only	2024-10-01
Akira	Chemical Manufacturing	United States	Claim only	2024-10-01
Akira	Civil Engineering	United States	Claim only	2024-10-01
Data Leak	Government Administration	United States	Claim only	2024-10-01
Medusa	Industrial Machinery Manufacturing	United States	Data leak	2024-10-01
Mad Liberator	Retail Apparel and Fashion	Brazil	Claim only	2024-10-01
MEOW	Government Administration	Colombia	Claim only	2024-10-01
Qilin	Health, Wellness and Fitness	United States	Data leak	2024-10-01

News and research context

Recent articles from the same time window.

Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency 2024-10-01

Sixteen individuals who were part of Evil Corp, once believed to be the most significant cybercrime threat in the world, have been sanctioned in the UK, with their links to the Ru…

Treasury Sanctions Members of the Russia-Based Cybercriminal Group Evil Corp in Tri-Lateral Action with the United Kingdom and Australia | U.S. Department of the Treasury 2024-10-01

Related actor: LockBit 3.0

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating seven individuals and two entities associated with the Russia-based cyb…

LockBit power cut: four new arrests and financial sanctions against affiliates | Europol 2024-10-01

Related actor: LockBit 3.0

LockBit full infrastructure in the crosshairs of law enforcementThese are some of the results of the third phase of Operation Cronos, a long-running collective effort of law enfor…

More frequent disruption operations needed to dent ransomware gangs, officials say | CyberScoop 2024-09-30

With ransomware gangs proving capable of quickly reconstituting after government takedown operations, an international alliance wants to ramp up those offensive measures even more…

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware - The DFIR Report 2024-09-30

Related actor: AlphVM

In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deplo…

IT intrusion this past Thursday at Aurdel 2024-09-30

Because of an IT intrusion this past Thursday, delivery of orders will be delayed. To minimize the effects of this attack, parts of the IT system have had to be shut down. It is s…

Santee doles out $600k to ransomware consultant after ‘cyber security’ incident 2024-09-27

SANTEE, Calif. (FOX 5/KUSI) — Santee paid a ransomware consulting firm over $600,000 to help the city address a “cyber security” incident that impacted its computer servers in lat…

Richardson Responding To Cyber Security Incident 2024-09-27

At 6:22 a.m. on Wednesday, September 25, 2024, an external party temporarily gained access to the City’s servers and attempted to encrypt data files within the network. Automated…

Lubbock UMC experiences ransomware attack, diverts patients to other hospitals 2024-09-27

Related actor: INTERLOCK

LUBBOCK, Texas — University Medical Center said ransomware was the cause of the technology issues the facility faced on Thursday. The hospital said it diverted both emergency and…

Storm-0501: Ransomware attacks expanding to hybrid cloud environments | Microsoft Security Blog 2024-09-26

Related actor: Embargo

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.