Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-02-05 → 2025-02-11 UTC

Choose a report date

Observed events

169

Public claims in the selected week

Data leak indicators

102

60.4% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

CL0P generated the highest visible claim volume this week, representing 26.0% of observed events.

•

60.4% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 8 observed events.

•

1 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

5 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

10 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-02-11 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

CL0P

44 events · 0 leak indicators

PLAY

16 events · 16 leak indicators

Medusa

15 events · 12 leak indicators

Fog

12 events · 9 leak indicators

RansomHub

12 events · 11 leak indicators

Akira

8 events · 5 leak indicators

BianLian

7 events · 1 leak indicator

Kill Security

7 events · 7 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Kraken 3 events

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States109

CL0P32 events · 0 leak indicators
PLAY14 events · 14 leak indicators
RansomHub11 events · 10 leak indicators
Medusa9 events · 6 leak indicators
BianLian6 events · 1 leak indicator
Akira5 events · 2 leak indicators
Kraken3 events · 0 leak indicators
Lynx3 events · 3 leak indicators

Canada11

CL0P6 events · 0 leak indicators
Medusa2 events · 2 leak indicators
Qilin2 events · 2 leak indicators
Cactus1 event · 1 leak indicator

Australia5

BianLian1 event · 0 leak indicators
DragonForce1 event · 1 leak indicator
Fog1 event · 0 leak indicators
Kill Security1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Germany5

Sarcoma2 events · 2 leak indicators
Fog1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Japan4

Fog1 event · 1 leak indicator
Hunters International1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RansomHub1 event · 1 leak indicator

United Kingdom4

Medusa2 events · 2 leak indicators
Defray7771 event · 1 leak indicator
Lynx1 event · 1 leak indicator

France3

CL0P1 event · 0 leak indicators
Eraleignews1 event · 1 leak indicator
Termite1 event · 1 leak indicator

India3

Kill Security2 events · 2 leak indicators
Fog1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction8

PLAY3 events · 3 leak indicators
Hunters International2 events · 2 leak indicators
BianLian1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator

Financial Services7

Kill Security3 events · 3 leak indicators
Akira2 events · 1 leak indicator
LockBit 3.01 event · 0 leak indicators
Lynx1 event · 1 leak indicator

IT Services and IT Consulting7

Fog3 events · 3 leak indicators
PLAY3 events · 3 leak indicators
Kill Security1 event · 1 leak indicator

Appliances, Electrical, and Electronics Manufacturing6

CL0P2 events · 0 leak indicators
Hunters International1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Manufacturing6

CL0P4 events · 0 leak indicators
Cactus1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Software Development6

CL0P3 events · 0 leak indicators
Fog2 events · 2 leak indicators
FSOCIETY1 event · 0 leak indicators

Truck Transportation6

CL0P2 events · 0 leak indicators
Kill Security1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator
Stormous1 event · 1 leak indicator

Accounting5

BianLian2 events · 0 leak indicators
Defray7771 event · 1 leak indicator
Medusa1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 51
11-50 employees 34
201-500 employees 25
1,001-5,000 employees 14
501-1,000 employees 12
2-10 employees 9

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Termite	Higher Education	France	Data leak	2025-02-11
PLAY	Glass, Ceramics and Concrete Manufacturing	United States	Data leak	2025-02-11
PLAY	Truck Transportation	United States	Data leak	2025-02-11
PLAY	Industrial Machinery Manufacturing	United States	Data leak	2025-02-11
PLAY	IT Services and IT Consulting	United States	Data leak	2025-02-11
PLAY	Wholesale	Germany	Data leak	2025-02-11
PLAY	Construction	United States	Data leak	2025-02-11
PLAY	Real Estate	Sweden	Data leak	2025-02-11
PLAY	IT Services and IT Consulting	United States	Data leak	2025-02-11
PLAY	Retail	United States	Data leak	2025-02-11
PLAY	Hospitality	United States	Data leak	2025-02-11
PLAY	IT Services and IT Consulting	United States	Data leak	2025-02-11

News and research context

Recent articles from the same time window.

US sanctions LockBit ransomware’s bulletproof hosting provider 2025-02-11

Related actor: LockBit 3.0

The United States, Australia, and the United Kingdom have sanctioned Zservers, a Russia-based bulletproof hosting (BPH) services provider, for supplying essential attack infrastr…

Babuk Impersonators Leverage a Brand Name & Previously Stolen Data to Engage in Re-Extortions | Analyst1 2025-02-11

Related actor: BABUK 2.0

The ransomware ecosystem is a living organism of predators constantly evolving and sharpening their teeth for the next attack. Over the years, it has developed a structured system…

Dragos Industrial Ransomware Analysis: Q4 2024 | Dragos 2025-02-11

In the fourth quarter (October to December) of 2024, the ransomware threat landscape presented an increasingly dynamic ecosystem, with multiple ransomware groups refining their te…

Thai-Swiss-US Operation Nets Hackers Behind 1,000+ Cyber Attacks 2025-02-10

Related actor: 8BASE

Thai police arrested four European hackers in Phuket who allegedly stole $16 million through ransomware attacks affecting over 1,000 victims worldwide. The suspects, wanted by Swi…

Phones, email, classes disrupted in University of The Bahamas ransomware attack | The Record from Recorded Future News 2025-02-07

A ransomware gang has shut down the internet and telephone systems used by the University of The Bahamas, forcing changes on administrators, professors and students. The school…

IMI plc - Cyber Security Incident | London Stock Exchange 2025-02-06

IMI plc (the Company, or IMI) is currently responding to a cyber security incident involving unauthorised access to the Company's systems. As soon as IMI became aware of the un…

Ransomware Countermeasures Tracker 2025-02-06

This tracker identifies trends in government actions against ransomware, highlights areas where we see more or less activity, and establishes a baseline of awareness that can supp…

City of McKinney • Notice of Data Event 2025-02-05

Related actor: INC Ransom

The City of McKinney (hereinafter "the City") is providing this substitute notice as a result of a recent security incident to provide individuals with information about the incid…

Notice of Data Incident - Pinnacle Healthcare Consulting 2025-02-05

Pinnacle Holdings, LTD provides healthcare consulting services to its clients and is providing notification of a recent incident. Unfortunately, we recently suffered a data incide…

Crypto Ransomware 2025: 35.82% YoY Decrease in Ransomware Payments 2025-02-05

The ransomware landscape experienced significant changes in 2024, with cryptocurrency continuing to play a central role in extortion. However, the total volume of ransom payments…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.