Winterthur, 1 February 2025 – Shortly after 22:00, RADIO TOP and TELE TOP once again fell victim to a cyberattack involving an encryption trojan. While the systems, on the surface…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-01-29 → 2025-02-04 UTC
- Observed events: 245 (public claims in the selected week)
- Data leak indicators: 142 (58.0% of observed events)
- Active actors: 32 (distinct groups with observed activity)
- Torrent-linked events: 0 (events intersecting with torrent intelligence)
What changed this week?
- Akira generated the highest visible claim volume this week, representing 25.3% of observed events.
- 58.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 20 observed events.
- 3 actors appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-02-04 UTC.
- Leak sites observed this week: 32
- Leak sites online near report date: 1
- Threat actor profiles updated this week: 0
- Countries represented this week: 37
- Sectors represented this week: 90
Top active actors
By observed claim volume.
- Akira: 62 events · 0 leak indicators
- PLAY: 19 events · 18 leak indicators
- Qilin: 18 events · 14 leak indicators
- Fog: 17 events · 15 leak indicators
- RansomHub: 13 events · 13 leak indicators
- Lynx: 12 events · 12 leak indicators
- Cactus: 10 events · 10 leak indicators
- DragonForce: 10 events · 10 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days.
- Arcus Media: 5 events
- Defray777: 1 event
- Stormous: 1 event
Country mix
Share of weekly events across the last 12 reporting windows, with the top actors for this week listed under each country.
United States: 142
- Akira: 37 events · 0 leak indicators
- PLAY: 17 events · 16 leak indicators
- Qilin: 13 events · 10 leak indicators
- Lynx: 12 events · 12 leak indicators
- Cactus: 10 events · 10 leak indicators
- DragonForce: 7 events · 7 leak indicators
- RansomHub: 7 events · 7 leak indicators
- BianLian: 5 events · 2 leak indicators
Canada: 14
- Medusa: 5 events · 5 leak indicators
- Akira: 2 events · 0 leak indicators
- Qilin: 2 events · 1 leak indicator
- Cloak: 1 event · 0 leak indicators
- Eraleignews: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
- Rhysida: 1 event · 1 leak indicator
Germany: 8
- Cloak: 2 events · 0 leak indicators
- Fog: 2 events · 2 leak indicators
- Akira: 1 event · 0 leak indicators
- Monti: 1 event · 0 leak indicators
- RansomHub: 1 event · 1 leak indicator
- Termite: 1 event · 0 leak indicators
United Kingdom: 8
- Akira: 3 events · 0 leak indicators
- 8BASE: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- Kairos: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
Brazil: 6
- Arcus Media: 3 events · 0 leak indicators
- Akira: 2 events · 0 leak indicators
- 8BASE: 1 event · 0 leak indicators
France: 5
- Akira: 2 events · 0 leak indicators
- Fog: 2 events · 2 leak indicators
- INC Ransom: 1 event · 1 leak indicator
Italy: 4
- Arcus Media: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- LockBit 3.0: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
Sweden: 4
- Akira: 1 event · 0 leak indicators
- Fog: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows, with the top actors for this week listed under each sector.
Construction: 20
- Akira: 9 events · 0 leak indicators
- DragonForce: 3 events · 3 leak indicators
- Abyss: 1 event · 1 leak indicator
- Arcus Media: 1 event · 0 leak indicators
- Cicada3301: 1 event · 1 leak indicator
- CL0P: 1 event · 0 leak indicators
- LockBit 3.0: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
IT Services and IT Consulting: 10
- Akira: 2 events · 0 leak indicators
- Everest: 2 events · 0 leak indicators
- Fog: 2 events · 2 leak indicators
- DragonForce: 1 event · 1 leak indicator
- Eraleignews: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
- RansomHub: 1 event · 1 leak indicator
Software Development: 10
- CL0P: 3 events · 0 leak indicators
- Fog: 3 events · 3 leak indicators
- Arcus Media: 1 event · 0 leak indicators
- BianLian: 1 event · 0 leak indicators
- Eraleignews: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
Real Estate: 9
- PLAY: 3 events · 2 leak indicators
- Akira: 1 event · 0 leak indicators
- BianLian: 1 event · 0 leak indicators
- Cicada3301: 1 event · 1 leak indicator
- DragonForce: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
Law Practice: 8
- Qilin: 2 events · 2 leak indicators
- Akira: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- Fog: 1 event · 0 leak indicators
- PLAY: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
- Rhysida: 1 event · 1 leak indicator
Machinery Manufacturing: 7
- Akira: 2 events · 0 leak indicators
- Arcus Media: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- Monti: 1 event · 0 leak indicators
- PLAY: 1 event · 1 leak indicator
Manufacturing: 7
- Akira: 2 events · 0 leak indicators
- 8BASE: 1 event · 0 leak indicators
- BianLian: 1 event · 1 leak indicator
- Cactus: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Motor Vehicle Manufacturing: 7
- Akira: 3 events · 0 leak indicators
- Cactus: 1 event · 1 leak indicator
- Kairos: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- RansomHub: 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees: 66
- 11-50 employees: 60
- 201-500 employees: 31
- 2-10 employees: 18
- 1,001-5,000 employees: 15
- 501-1,000 employees: 11
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Kairos | Legal Services | United Kingdom | Data leak | 2025-02-04 |
| Kairos | Motor Vehicle Manufacturing | United States | Data leak | 2025-02-04 |
| RansomHub | Retail Apparel and Fashion | Germany | Data leak | 2025-02-04 |
| Fog | Research Services | France | Data leak | 2025-02-04 |
| Fog | Software Development | Israel | Data leak | 2025-02-04 |
| RansomHub | IT Services and IT Consulting | Sweden | Data leak | 2025-02-04 |
| BianLian | Real Estate | United States | Claim only | 2025-02-04 |
| BianLian | Manufacturing | United States | Data leak | 2025-02-04 |
| Qilin | Manufacturing | United States | Data leak | 2025-02-04 |
| Eraleignews | IT Services and IT Consulting | India | Data leak | 2025-02-04 |
| RansomHub | Truck Transportation | Canada | Data leak | 2025-02-04 |
| RansomHub | Utilities | United States | Data leak | 2025-02-04 |
News and research context
Recent articles from the same time window.
Related actor: Hunters International
Tata Technologies has confirmed a ransomware attack that impacted some of its IT assets, leading to the temporary suspension of certain services. The company disclosed the inciden…
New York Blood Center Enterprises Cybersecurity Incident Update - New York Blood Center Enterprises
2025-01-30
On Sunday, January 26, New York Blood Center Enterprises and its operating divisions identified suspicious activity affecting our IT systems. We immediately engaged third-party cy…
Related actor: Lynx
In this blog, we observed how the Lynx Ransomware-as-a-Service (RaaS) group operates, detailing the workflow of their affiliates within the panel, their cross-platform ransomware…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.