Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2024-12-11 → 2024-12-17 UTC
Observed events
129
Public claims in the selected week
Data leak indicators
97
75.2% of observed events
Active actors
34
Distinct groups with observed activity
Torrent-linked events
2
Events intersecting with torrent intelligence
What changed this week?
- PLAY generated the highest visible claim volume this week, representing 10.1% of observed events.
- 75.2% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Hospitals and Health Care was the most represented sector in this window with 10 observed events.
- 2 actors appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 2 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2024-12-17 UTC.
Leak sites observed this week
34
Leak sites online near report date
1
Threat actor profiles updated this week
0
Countries represented this week
31
Sectors represented this week
71
Top active actors
By observed claim volume
- PLAY: 13 events · 12 leak indicators
- RansomHub: 13 events · 11 leak indicators
- Akira: 12 events · 1 leak indicator
- LeakedData: 8 events · 7 leak indicators
- Qilin: 7 events · 5 leak indicators
- Data Leak: 6 events · 5 leak indicators
- Leaknet Blog: 6 events · 5 leak indicators
- Lynx: 6 events · 6 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- Leaknet Blog 6 events
- Underground 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States: 69
- PLAY: 8 events · 8 leak indicators
- Akira: 6 events · 1 leak indicator
- Leaknet Blog: 6 events · 5 leak indicators
- Nitrogen: 6 events · 6 leak indicators
- RansomHub: 6 events · 4 leak indicators
- Data Leak: 4 events · 3 leak indicators
- DragonForce: 4 events · 4 leak indicators
- Lynx: 4 events · 4 leak indicators
Canada: 8
- PLAY: 2 events · 2 leak indicators
- Akira: 1 event · 0 leak indicators
- Fog: 1 event · 0 leak indicators
- Hunters International: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
Brazil: 4
- Akira: 2 events · 0 leak indicators
- Fog: 1 event · 0 leak indicators
- Sarcoma: 1 event · 1 leak indicator
United Kingdom: 4
- Cloak: 1 event · 0 leak indicators
- Data Leak: 1 event · 1 leak indicator
- Kairos: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
France: 3
- Bluebox: 1 event · 1 leak indicator
- Hunters International: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
Australia: 2
- Fog: 1 event · 0 leak indicators
- SAFEPAY: 1 event · 1 leak indicator
Italy: 2
- Akira: 1 event · 0 leak indicators
- Argonauts: 1 event · 0 leak indicators
Mexico: 2
- Brain Cipher: 1 event · 0 leak indicators
- Kill Security: 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows.
Hospitals and Health Care: 10
- Leaknet Blog: 2 events · 2 leak indicators
- RansomHub: 2 events · 2 leak indicators
- BianLian: 1 event · 0 leak indicators
- Everest: 1 event · 1 leak indicator
- INTERLOCK: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
- Stormous: 1 event · 1 leak indicator
- Termite: 1 event · 1 leak indicator
Construction: 9
- RansomHub: 3 events · 1 leak indicator
- Nitrogen: 2 events · 2 leak indicators
- PLAY: 2 events · 2 leak indicators
- DragonForce: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Government Administration: 4
- SAFEPAY: 2 events · 2 leak indicators
- Leaknet Blog: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
Insurance: 4
- BianLian: 1 event · 1 leak indicator
- Brain Cipher: 1 event · 0 leak indicators
- LeakedData: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
Telecommunications: 4
- Fog: 1 event · 0 leak indicators
- Lynx: 1 event · 1 leak indicator
- RA Group: 1 event · 0 leak indicators
- RansomHub: 1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing: 3
- Data Leak: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
Financial Services: 3
- Akira: 1 event · 0 leak indicators
- CiphBit: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
IT Services and IT Consulting: 3
- Data Leak: 1 event · 1 leak indicator
- Fog: 1 event · 0 leak indicators
- PLAY: 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 35
- 11-50 employees 26
- 201-500 employees 16
- 501-1,000 employees 13
- 2-10 employees 12
- 1,001-5,000 employees 8
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Bluebox | International Trade and Development | France | Data leak | 2024-12-17 |
| Termite | Mining | South Africa | Data leak | 2024-12-17 |
| Brain Cipher | Medical Device | China | Claim only | 2024-12-17 |
| RansomHub | Travel Arrangements | United Kingdom | Data leak | 2024-12-17 |
| RansomHub | Telecommunications | Canada | Data leak | 2024-12-17 |
| RansomHub | Hospitals and Health Care | United States | Data leak | 2024-12-17 |
| Qilin | Government Administration | Portugal | Data leak | 2024-12-17 |
| Nitrogen | Construction | United States | Data leak | 2024-12-17 |
| Qilin | Farming | France | Data leak | 2024-12-17 |
| Akira | Equipment Rental Services | Brazil | Claim only | 2024-12-17 |
| Akira | Law Practice | United States | Claim only | 2024-12-17 |
| Akira | Book and Periodical Publishing | Poland | Claim only | 2024-12-17 |
News and research context
Recent articles from the same time window.
Related actor: Akira
Diario RÍO NEGRO yesterday identified a cyberattack that affected part of its internal systems. Upon detecting unusual activity, our Technology team activated…
Related actor: CL0P
The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits to breach corporate networks and st…
Related actor: Brain Cipher
A massive cyberattack led the state of Rhode Island Friday to take down its online portal used by residents to obtain social services such as SNAP and Medicaid benefits, as well a…
On November 13, 2024, LKQ Corporation (the “Company” or “we”) detected unauthorized access to information technology (IT) systems of a single business unit in Canada (“Business Un…
In November 2024, ransomware activity reached an all-time high, with 632 reported victims listed to leak sites. That is more than double the historical monthly average of 307 vict…
HAWKINSVILLE, Ga. — A Pulaski County hospital was hit by an attempted ransomware attack, which officials learned about Thursday morning.
Anna Adams, chief government relations…
Cleo has released a security patch to address the critical vulnerability that started getting exploited while still a zero-day to breach internet-facing Cleo Harmony, VLTrader, an…
Center for Vein Restoration is providing notice of a data security incident that may have impacted protected health information (“PHI”) for individuals who were treated by Center…
Related actor: PLAY
On November 29, 2024, Krispy Kreme, Inc. (the “Company”) was notified regarding unauthorized activity on a portion of its information technology systems. The Company immediately b…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.