A UK hospital is declaring a "major incident," cancelling all outpatient appointments due to "cybersecurity reasons."
The Wirral University Teaching Hospital NHS Trust, located…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2024-11-20 → 2024-11-26 UTC
- Observed events: 137 (public claims in the selected week)
- Data leak indicators: 104 (75.9% of observed events)
- Active actors: 28 (distinct groups with observed activity)
- Torrent-linked events: 4 (events intersecting with torrent intelligence)
What changed this week?
- RansomHub generated the highest visible claim volume this week, representing 13.9% of observed events.
- 75.9% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 8 observed events.
- 1 actor appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 4 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2024-11-26 UTC.
- Leak sites observed this week: 28
- Leak sites online near report date: 1
- Threat actor profiles updated this week: 0
- Countries represented this week: 36
- Sectors represented this week: 62
Top active actors
By observed claim volume
- RansomHub: 19 events · 17 leak indicators
- INC Ransom: 17 events · 17 leak indicators
- Kill Security: 16 events · 16 leak indicators
- Qilin: 12 events · 9 leak indicators
- Lynx: 10 events · 10 leak indicators
- Arcus Media: 7 events · 0 leak indicators
- Fog: 7 events · 0 leak indicators
- Akira: 6 events · 4 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- MedusaLocker: 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States: 69
- RansomHub: 14 events · 13 leak indicators
- Qilin: 7 events · 6 leak indicators
- Akira: 6 events · 4 leak indicators
- Kill Security: 6 events · 6 leak indicators
- Fog: 5 events · 0 leak indicators
- Lynx: 5 events · 5 leak indicators
- BianLian: 4 events · 2 leak indicators
- Hunters International: 3 events · 3 leak indicators
Canada: 6
- Qilin: 2 events · 0 leak indicators
- BianLian: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- Kairos: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
India: 6
- Kill Security: 2 events · 2 leak indicators
- RansomHub: 2 events · 2 leak indicators
- Eraleignews: 1 event · 1 leak indicator
- Fog: 1 event · 0 leak indicators
United Arab Emirates: 5
- Kill Security: 2 events · 2 leak indicators
- Arcus Media: 1 event · 0 leak indicators
- Lynx: 1 event · 1 leak indicator
- RA Group: 1 event · 0 leak indicators
United Kingdom: 5
- INC Ransom: 3 events · 3 leak indicators
- Hunters International: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Australia: 4
- INC Ransom: 3 events · 3 leak indicators
- Kill Security: 1 event · 1 leak indicator
Germany: 4
- INC Ransom: 4 events · 4 leak indicators
Brazil: 3
- Arcus Media: 1 event · 0 leak indicators
- Eraleignews: 1 event · 1 leak indicator
- Hunters International: 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows.
Construction: 8
- INC Ransom: 2 events · 2 leak indicators
- Akira: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
- RansomHub: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Government Administration: 7
- Blacksuit: 1 event · 0 leak indicators
- Chort: 1 event · 1 leak indicator
- Eraleignews: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
- Termite: 1 event · 1 leak indicator
IT Services and IT Consulting: 6
- Akira: 1 event · 1 leak indicator
- Arcus Media: 1 event · 0 leak indicators
- Eraleignews: 1 event · 1 leak indicator
- Fog: 1 event · 0 leak indicators
- INC Ransom: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Law Practice: 5
- Hunters International: 2 events · 2 leak indicators
- BianLian: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
Real Estate: 5
- Kill Security: 2 events · 2 leak indicators
- Fog: 1 event · 0 leak indicators
- INC Ransom: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
Retail: 5
- Lynx: 2 events · 2 leak indicators
- RansomHub: 2 events · 2 leak indicators
- SAFEPAY: 1 event · 1 leak indicator
Financial Services: 4
- Kill Security: 2 events · 2 leak indicators
- Lynx: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
Hospitals and Health Care: 4
- Kill Security: 2 events · 2 leak indicators
- BianLian: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees: 47
- 51-200 employees: 30
- 201-500 employees: 15
- 2-10 employees: 12
- 1,001-5,000 employees: 7
- 501-1,000 employees: 6
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| MedusaLocker | Telecommunications | Estonia | Claim only | 2024-11-26 |
| Lynx | Mechanical Or Industrial Engineering | United States | Data leak | 2024-11-26 |
| Fog | Mining | United States | Claim only | 2024-11-26 |
| Fog | Plastics Manufacturing | United States | Claim only | 2024-11-26 |
| Lynx | Retail | United Arab Emirates | Data leak | 2024-11-26 |
| Fog | Real Estate | India | Claim only | 2024-11-26 |
| Fog | Staffing and Recruiting | Ireland | Claim only | 2024-11-26 |
| Fog | Telecommunications | United States | Claim only | 2024-11-26 |
| Lynx | Machinery Manufacturing | Italy | Data leak | 2024-11-26 |
| RansomHub | Travel Arrangements | United States | Data leak | 2024-11-26 |
| RansomHub | Hospitals and Health Care | Ecuador | Data leak | 2024-11-26 |
| Kill Security | Government Administration | Bangladesh | Data leak | 2024-11-26 |
News and research context
Recent articles from the same time window.
Is ransomware really organised crime?
2024-11-25
Is ransomware a form of organised crime? At first glance, the question seems almost stupid, the answer self-evident. Ransomware groups like REvil, Clop, and LockBit operate with a…
Customer Update - Blue Yonder
2024-11-23
Related actor: Termite
On November 21, 2024, Blue Yonder experienced disruptions to its managed services hosted environment, which was determined to be the result of a ransomware incident.
Since lear…
Related actor: Rhysida
A cyberattack has deprived the borough of Montréal-Nord of all its IT services since Monday, forcing the closure of some services for potentially several…
Ransomware attacks against US businesses have surged in recent years, often perpetrated by criminal gangs that Smith said were “tolerated . . . and in some cases even facilitated”…
In Q3 2024, the ransomware threat level remained elevated. While the increase in attacks quarter-over-quarter was marginal, a continuously high volume of attacks over an extended…
International Game Technology Plc, operator of popular slot machines in casinos, said an unauthorized third party gained access to certain of its systems.
The company has exper…
ODESSA, Texas (KOSA) - During the night of November 20, a cyber incident attacked the City of Odessa network.
Because of the attack, the City of Odessa’s network has been down…
Related actor: BianLian
Today, CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released updates to #StopRansomware:…
Norfolk Sheriff's Office says they were the 'victim of a cybersecurity event' | 13newsnow.com
2024-11-21
There is no security threat, but Sheriff Joe Baron said the cyber attack impacts their records and other operational systems.
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.