Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-01-22 → 2025-01-28 UTC
Choose a report date
Previous week Next week
Observed events
138
Public claims in the selected week
Data leak indicators
69
50.0% of observed events
Active actors
25
Distinct groups with observed activity
Torrent-linked events
4
Events intersecting with torrent intelligence

What changed this week?

CL0P generated the highest visible claim volume this week, representing 37.7% of observed events.
50.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Software Development was the most represented sector in this window with 9 observed events.
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
4 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
7 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-01-28 UTC.
Leak sites observed this week
25
Leak sites online near report date
7
Threat actor profiles updated this week
3
Countries represented this week
25
Sectors represented this week
64

Top active actors

By observed claim volume
CL0P
52 events · 0 leak indicators
Medusa
11 events · 11 leak indicators
RansomHub
9 events · 9 leak indicators
Akira
8 events · 4 leak indicators
SAFEPAY
8 events · 8 leak indicators
INC Ransom
6 events · 6 leak indicators
Lynx
5 events · 5 leak indicators
Monti
5 events · 0 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • Monti 5 events
  • Metaencryptor 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States79
  • CL0P36 events · 0 leak indicators
  • SAFEPAY6 events · 6 leak indicators
  • Akira5 events · 2 leak indicators
  • INC Ransom5 events · 5 leak indicators
  • RansomHub4 events · 4 leak indicators
  • Monti3 events · 0 leak indicators
  • BianLian2 events · 1 leak indicator
  • Lynx2 events · 2 leak indicators
Canada11
  • CL0P7 events · 0 leak indicators
  • Akira1 event · 1 leak indicator
  • Data Leak1 event · 1 leak indicator
  • Lynx1 event · 1 leak indicator
  • Medusa1 event · 1 leak indicator
United Kingdom7
  • Medusa5 events · 5 leak indicators
  • RansomHub1 event · 1 leak indicator
  • Space Bears1 event · 1 leak indicator
Australia6
  • CL0P3 events · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • Medusa1 event · 1 leak indicator
  • Space Bears1 event · 0 leak indicators
Netherlands4
  • CL0P2 events · 0 leak indicators
  • Fog1 event · 0 leak indicators
  • SAFEPAY1 event · 1 leak indicator
Germany3
  • CL0P1 event · 0 leak indicators
  • LockBit 3.01 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator
Argentina2
  • Medusa1 event · 1 leak indicator
  • Monti1 event · 0 leak indicators
Denmark2
  • DragonForce1 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Software Development9
  • CL0P5 events · 0 leak indicators
  • Akira1 event · 1 leak indicator
  • BianLian1 event · 1 leak indicator
  • DragonForce1 event · 1 leak indicator
  • Kill Security1 event · 1 leak indicator
Transportation, Logistics, Supply Chain and Storage8
  • CL0P7 events · 0 leak indicators
  • Qilin1 event · 1 leak indicator
Manufacturing7
  • CL0P4 events · 0 leak indicators
  • RansomHub2 events · 2 leak indicators
  • Lynx1 event · 1 leak indicator
Truck Transportation7
  • CL0P6 events · 0 leak indicators
  • RansomHub1 event · 1 leak indicator
Education Administration Programs6
  • SAFEPAY2 events · 2 leak indicators
  • CL0P1 event · 0 leak indicators
  • Fog1 event · 0 leak indicators
  • Medusa1 event · 1 leak indicator
  • Rhysida1 event · 1 leak indicator
Construction5
  • Medusa3 events · 3 leak indicators
  • Akira1 event · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
IT Services and IT Consulting5
  • CL0P2 events · 0 leak indicators
  • LockBit 3.01 event · 1 leak indicator
  • RansomHouse1 event · 1 leak indicator
  • RansomHub1 event · 1 leak indicator
Motor Vehicle Manufacturing4
  • CL0P1 event · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • Fog1 event · 0 leak indicators
  • Monti1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 51-200 employees 42
  • 11-50 employees 31
  • 201-500 employees 16
  • 1,001-5,000 employees 10
  • 501-1,000 employees 10
  • 2-10 employees 8

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Kairos Packaging and Containers Manufacturing United States Data leak 2025-01-28
Monti Motor Vehicle Manufacturing Argentina Claim only 2025-01-28
Monti Law Firm United States Claim only 2025-01-28
Monti Wholesale Building Materials United States Claim only 2025-01-28
SAFEPAY Education Administration Programs United States Data leak 2025-01-28
INC Ransom Higher Education United States Data leak 2025-01-28
Lynx Government Relations Services Singapore Data leak 2025-01-28
INC Ransom Broadcast Media Production and Distribution Indonesia Data leak 2025-01-28
Medusa Construction Australia Data leak 2025-01-27
Medusa Real Estate United Kingdom Data leak 2025-01-27
Medusa Apparel and Fashion Canada Data leak 2025-01-27
Medusa Textile Manufacturing United Kingdom Data leak 2025-01-27

News and research context

Recent articles from the same time window.
Smiths Group plc | London Stock Exchange 2025-01-28
Smiths Group plc, (the Company, or Smiths) is currently managing a cyber security incident. The incident has involved unauthorised access to the Company's systems. As soon as S…
How a $54 Billion Company Handled a Ransomware Attack 2025-01-23
Related actor: Dunghill Leak
When Johnson Controls International Plc suffered a devastating ransomware attack in 2023, one lesson for Chief Executive Officer George Oliver was that management needs to be as t…

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.