Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2024-10-16 → 2024-10-22 UTC
Choose a report date
Previous week Next week
Observed events
114
Public claims in the selected week
Data leak indicators
77
67.5% of observed events
Active actors
24
Distinct groups with observed activity
Torrent-linked events
0
Events intersecting with torrent intelligence

What changed this week?

RansomHub generated the highest visible claim volume this week, representing 31.6% of observed events.
67.5% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Construction was the most represented sector in this window with 7 observed events.
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

Coverage snapshot

As of 2024-10-22 UTC.
Leak sites observed this week
24
Leak sites online near report date
0
Threat actor profiles updated this week
1
Countries represented this week
24
Sectors represented this week
57

Top active actors

By observed claim volume
RansomHub
36 events · 34 leak indicators
Fog
10 events · 0 leak indicators
Kill Security
7 events · 0 leak indicators
Blacksuit
6 events · 4 leak indicators
Cicada3301
6 events · 6 leak indicators
Arcus Media
5 events · 0 leak indicators
BlackBasta
5 events · 5 leak indicators
Hunters International
5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • Monti 1 event
  • Space Bears 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States56
  • RansomHub15 events · 14 leak indicators
  • Fog8 events · 0 leak indicators
  • BlackBasta4 events · 4 leak indicators
  • Blacksuit4 events · 2 leak indicators
  • PLAY4 events · 4 leak indicators
  • Qilin3 events · 3 leak indicators
  • Arcus Media2 events · 0 leak indicators
  • BianLian2 events · 1 leak indicator
India8
  • Kill Security5 events · 0 leak indicators
  • RansomHub3 events · 3 leak indicators
France6
  • RansomHub5 events · 5 leak indicators
  • Cactus1 event · 1 leak indicator
Italy5
  • Blacksuit1 event · 1 leak indicator
  • Medusa1 event · 1 leak indicator
  • Monti1 event · 0 leak indicators
  • RansomHub1 event · 1 leak indicator
  • Sarcoma1 event · 0 leak indicators
Canada4
  • Cicada33013 events · 3 leak indicators
  • PLAY1 event · 1 leak indicator
Spain4
  • Arcus Media1 event · 0 leak indicators
  • Blacksuit1 event · 1 leak indicator
  • Cicada33011 event · 1 leak indicator
  • Stormous1 event · 1 leak indicator
United Kingdom4
  • Cicada33011 event · 1 leak indicator
  • Hunters International1 event · 1 leak indicator
  • MEOW1 event · 0 leak indicators
  • Qilin1 event · 1 leak indicator
Germany3
  • BlackBasta1 event · 1 leak indicator
  • Fog1 event · 0 leak indicators
  • Stormous1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction7
  • RansomHub3 events · 3 leak indicators
  • PLAY2 events · 2 leak indicators
  • Medusa1 event · 1 leak indicator
  • MEOW1 event · 0 leak indicators
Hospitals and Health Care5
  • Kill Security2 events · 0 leak indicators
  • Blacksuit1 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator
  • Stormous1 event · 1 leak indicator
Software Development5
  • Kill Security2 events · 0 leak indicators
  • Cactus1 event · 1 leak indicator
  • Cicada33011 event · 1 leak indicator
  • Sarcoma1 event · 0 leak indicators
Education Administration Programs4
  • RansomHub3 events · 3 leak indicators
  • Blacksuit1 event · 0 leak indicators
Financial Services4
  • Blacksuit1 event · 1 leak indicator
  • Fog1 event · 0 leak indicators
  • Qilin1 event · 1 leak indicator
  • Stormous1 event · 1 leak indicator
Motor Vehicle Manufacturing4
  • Fog1 event · 0 leak indicators
  • Kill Security1 event · 0 leak indicators
  • LockBit 3.01 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing3
  • BlackBasta1 event · 1 leak indicator
  • Hunters International1 event · 1 leak indicator
  • Sarcoma1 event · 1 leak indicator
Automation Machinery Manufacturing3
  • RansomHub2 events · 2 leak indicators
  • Cicada33011 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 51-200 employees 36
  • 11-50 employees 26
  • 201-500 employees 17
  • 1,001-5,000 employees 8
  • 2-10 employees 6
  • 10,001+ employees 2

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Hunters International Technology, Information and Internet United States Data leak 2024-10-22
Fog Higher Education United States Claim only 2024-10-22
Fog Telecommunications United States Claim only 2024-10-22
Blacksuit Airlines and Aviation Spain Data leak 2024-10-22
Space Bears Manufacturing United States Data leak 2024-10-22
RansomHub Environmental Services United States Data leak 2024-10-22
RansomHub Wholesale United States Data leak 2024-10-22
RansomHub Construction Belgium Data leak 2024-10-22
RansomHub Machinery Manufacturing United States Data leak 2024-10-22
RansomHub Automation Machinery Manufacturing United States Data leak 2024-10-22
RansomHub Advertising Services United States Data leak 2024-10-22
Medusa Accounting United States Data leak 2024-10-22

News and research context

Recent articles from the same time window.
Akira ransomware continues to evolve 2024-10-21
Related actor: Akira
Akira continues to cement its position as one of the most prevalent ransomware operations in the threat landscape, according to Cisco Talos’ findings and analysis. Their succes…
Angriff auf IT-Infrastruktur des BBZ Schaffhausen 2024-10-21
Das Berufsbildungszentrum des Kantons Schaffhausen (BBZ) wurde am 2. Oktober 2024 Opfer eines Cyberangriffes. IT-Fachpersonen der Schule sowie der kantonalen Verwaltung haben umge…
Globe Life - FORM 8-K | SEC.gov 2024-10-17
Globe Life Inc. (the “Company”) recently received communications from an unknown threat actor seeking to extort money from the Company in exchange for not disclosing certain infor…
Healthcare Services Group - FORM 8-K | SEC.gov 2024-10-17
On October 9, 2024, Healthcare Services Group, Inc. (the “Company”) identified a cybersecurity incident, which involved unauthorized activity within some of its systems. The Compa…

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.