Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2024-11-13 → 2024-11-19 UTC
Choose a report date
Previous week Next week
Observed events
179
Public claims in the selected week
Data leak indicators
125
69.8% of observed events
Active actors
33
Distinct groups with observed activity
Torrent-linked events
16
Events intersecting with torrent intelligence

What changed this week?

SAFEPAY generated the highest visible claim volume this week, representing 12.8% of observed events.
69.8% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Construction was the most represented sector in this window with 17 observed events.
5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
16 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2024-11-19 UTC.
Leak sites observed this week
33
Leak sites online near report date
0
Threat actor profiles updated this week
3
Countries represented this week
35
Sectors represented this week
76

Top active actors

By observed claim volume
SAFEPAY
23 events · 23 leak indicators
RansomHub
21 events · 19 leak indicators
Akira
17 events · 16 leak indicators
BlackBasta
15 events · 14 leak indicators
Blacksuit
11 events · 0 leak indicators
MEOW
9 events · 0 leak indicators
PLAY
9 events · 7 leak indicators
Everest
8 events · 0 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • SAFEPAY 23 events
  • Chort 6 events
  • CiphBit 1 event
  • Defray777 1 event
  • Money Message 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States104
  • Akira13 events · 12 leak indicators
  • RansomHub13 events · 12 leak indicators
  • BlackBasta12 events · 11 leak indicators
  • SAFEPAY9 events · 9 leak indicators
  • Blacksuit8 events · 0 leak indicators
  • MEOW8 events · 0 leak indicators
  • PLAY8 events · 7 leak indicators
  • Everest6 events · 0 leak indicators
Germany8
  • BlackBasta2 events · 2 leak indicators
  • RansomHub2 events · 2 leak indicators
  • Akira1 event · 1 leak indicator
  • Hunters International1 event · 1 leak indicator
  • RansomHouse1 event · 0 leak indicators
  • SAFEPAY1 event · 1 leak indicator
United Kingdom7
  • RansomHub2 events · 2 leak indicators
  • Blacksuit1 event · 0 leak indicators
  • Defray7771 event · 1 leak indicator
  • Hunters International1 event · 1 leak indicator
  • Medusa1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Italy6
  • DragonForce2 events · 2 leak indicators
  • BlackBasta1 event · 1 leak indicator
  • Everest1 event · 0 leak indicators
  • Medusa1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Australia5
  • Sarcoma2 events · 2 leak indicators
  • MEOW1 event · 0 leak indicators
  • RansomHub1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Canada5
  • SAFEPAY2 events · 2 leak indicators
  • Akira1 event · 1 leak indicator
  • PLAY1 event · 0 leak indicators
  • Sarcoma1 event · 1 leak indicator
Argentina3
  • SAFEPAY2 events · 2 leak indicators
  • Brain Cipher1 event · 0 leak indicators
Brazil3
  • Kill Security2 events · 2 leak indicators
  • Sarcoma1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction17
  • RansomHub6 events · 5 leak indicators
  • Medusa2 events · 2 leak indicators
  • PLAY2 events · 2 leak indicators
  • 3AM1 event · 1 leak indicator
  • Akira1 event · 1 leak indicator
  • BlackBasta1 event · 1 leak indicator
  • Data Leak1 event · 1 leak indicator
  • Defray7771 event · 1 leak indicator
IT Services and IT Consulting9
  • RansomHub2 events · 2 leak indicators
  • Akira1 event · 1 leak indicator
  • BlackBasta1 event · 1 leak indicator
  • Data Leak1 event · 1 leak indicator
  • Everest1 event · 0 leak indicators
  • Hunters International1 event · 1 leak indicator
  • Medusa1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Medical Practice8
  • Everest5 events · 0 leak indicators
  • Blacksuit1 event · 0 leak indicators
  • RansomHub1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Machinery Manufacturing7
  • BlackBasta2 events · 2 leak indicators
  • DragonForce1 event · 1 leak indicator
  • MEOW1 event · 0 leak indicators
  • Monti1 event · 0 leak indicators
  • PLAY1 event · 0 leak indicators
  • SAFEPAY1 event · 1 leak indicator
Retail7
  • Akira1 event · 1 leak indicator
  • Blacksuit1 event · 0 leak indicators
  • Data Leak1 event · 1 leak indicator
  • PLAY1 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
  • Sarcoma1 event · 1 leak indicator
Motor Vehicle Manufacturing6
  • MEOW3 events · 0 leak indicators
  • Blacksuit1 event · 0 leak indicators
  • Brain Cipher1 event · 0 leak indicators
  • PLAY1 event · 1 leak indicator
Government Administration5
  • Chort1 event · 1 leak indicator
  • Hunters International1 event · 1 leak indicator
  • Money Message1 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing4
  • Akira3 events · 3 leak indicators
  • MEOW1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 51-200 employees 55
  • 11-50 employees 41
  • 201-500 employees 26
  • 1,001-5,000 employees 13
  • 2-10 employees 13
  • 501-1,000 employees 9

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Monti Insurance United States Claim only 2024-11-19
Kill Security Insurance Brazil Data leak 2024-11-19
DarkVault Information Technology and Services Saudi Arabia Claim only 2024-11-19
PLAY Packaging and Containers Manufacturing United States Data leak 2024-11-19
PLAY Construction United States Data leak 2024-11-19
PLAY Commercial and Industrial Machinery Maintenance United States Data leak 2024-11-19
PLAY Machinery Manufacturing United States Claim only 2024-11-19
PLAY Utilities United States Data leak 2024-11-19
PLAY Construction United States Data leak 2024-11-19
PLAY Dairy Product Manufacturing Canada Claim only 2024-11-19
PLAY Retail United States Data leak 2024-11-19
PLAY Motor Vehicle Manufacturing United States Data leak 2024-11-19

News and research context

Recent articles from the same time window.

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.