Der Softwarehersteller für Spitäler Cistec wurde Opfer eines Ransomware-Angriffs. Der KIS-Anbieter hat seine Systeme umgehend heruntergefahren. Patientendaten von Kundensystemen s…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-02-26 → 2025-03-04 UTC
Choose a report date
Observed events
170
Public claims in the selected week
Data leak indicators
80
47.1% of observed events
Active actors
29
Distinct groups with observed activity
Torrent-linked events
1
Events intersecting with torrent intelligence
What changed this week?
•
CL0P generated the highest visible claim volume this week, representing 31.2% of observed events.
•
47.1% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 11 observed events.
•
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
1 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-03-04 UTC.
Leak sites observed this week
29
Leak sites online near report date
1
Threat actor profiles updated this week
5
Countries represented this week
29
Sectors represented this week
77
Top active actors
By observed claim volumeCL0P
53 events · 5 leak indicators
PLAY
18 events · 17 leak indicators
RansomHub
16 events · 14 leak indicators
Qilin
11 events · 6 leak indicators
Akira
10 events · 1 leak indicator
Arcus Media
9 events · 0 leak indicators
Fog
6 events · 0 leak indicators
BianLian
4 events · 0 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Run Some Wares 4 events
- Hellcat 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States115
- CL0P43 events · 5 leak indicators
- PLAY16 events · 15 leak indicators
- RansomHub14 events · 12 leak indicators
- Qilin8 events · 5 leak indicators
- Akira4 events · 1 leak indicator
- BianLian4 events · 0 leak indicators
- Cactus4 events · 4 leak indicators
- Medusa4 events · 4 leak indicators
Canada8
- CL0P5 events · 0 leak indicators
- Abyss1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- RansomHub1 event · 1 leak indicator
Brazil7
- Arcus Media3 events · 0 leak indicators
- Fog2 events · 0 leak indicators
- Apos Security1 event · 1 leak indicator
- LockBit 3.01 event · 1 leak indicator
Germany4
- Akira3 events · 0 leak indicators
- Hellcat1 event · 1 leak indicator
United Kingdom3
- CL0P2 events · 0 leak indicators
- Arcus Media1 event · 0 leak indicators
Austria2
- Akira1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
France2
- Arcus Media2 events · 0 leak indicators
Italy2
- Akira1 event · 0 leak indicators
- LockBit 3.01 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction11
- Akira2 events · 0 leak indicators
- PLAY2 events · 2 leak indicators
- RansomHub2 events · 1 leak indicator
- Cactus1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- LockBit 3.01 event · 1 leak indicator
- Monti1 event · 0 leak indicators
IT Services and IT Consulting11
- CL0P4 events · 0 leak indicators
- Arcus Media3 events · 0 leak indicators
- Apos Security1 event · 1 leak indicator
- Fog1 event · 0 leak indicators
- Hunters International1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
Retail Apparel and Fashion7
- CL0P5 events · 2 leak indicators
- Arcus Media1 event · 0 leak indicators
- Fog1 event · 0 leak indicators
Food and Beverage Services6
- CL0P4 events · 0 leak indicators
- Cactus1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
Hospitals and Health Care6
- Qilin2 events · 2 leak indicators
- RansomHub2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- CL0P1 event · 0 leak indicators
Manufacturing6
- CL0P4 events · 0 leak indicators
- PLAY1 event · 1 leak indicator
- Run Some Wares1 event · 1 leak indicator
Motor Vehicle Manufacturing5
- Hunters International2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- CL0P1 event · 0 leak indicators
- Medusa1 event · 1 leak indicator
Real Estate5
- PLAY2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- BianLian1 event · 0 leak indicators
- RansomHub1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 57
- 11-50 employees 33
- 201-500 employees 29
- 1,001-5,000 employees 11
- 501-1,000 employees 8
- 2-10 employees 7
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Monti | Construction | United States | Claim only | 2025-03-04 |
| Monti | Public Safety | United States | Claim only | 2025-03-04 |
| Medusa | Motor Vehicle Manufacturing | United States | Data leak | 2025-03-04 |
| RansomHub | Architecture and Planning | United States | Data leak | 2025-03-04 |
| Qilin | Business Consulting and Services | Spain | Claim only | 2025-03-04 |
| Akira | Construction | Italy | Claim only | 2025-03-04 |
| BianLian | Accounting | United States | Claim only | 2025-03-04 |
| BianLian | Real Estate | United States | Claim only | 2025-03-04 |
| Fog | Retail Apparel and Fashion | Brazil | Claim only | 2025-03-04 |
| Fog | Chemical Manufacturing | Brazil | Claim only | 2025-03-04 |
| CL0P | Wholesale | United States | Data leak | 2025-03-04 |
| CL0P | Transportation, Logistics, Supply Chain and Storage | United States | Data leak | 2025-03-04 |
News and research context
Recent articles from the same time window.
MISHAWAKA, Ind. (WSBT) — The Penn-Harris-Madison school district has launched an investigation after a potential ransomware attack.
Parents received an email Monday morning not…
Adval Tech Group Cyber-Attack on IT Systems
2025-03-03
Related actor: Lynx
Adval Tech was the target of a cyber-attack on the night to March 2, 2025. The IT systems of the Adval Tech Group were immediately shut down globally, and necessary measures were…
WARSAW, March 2 (Reuters) - Polish cybersecurity services have detected unauthorized access to the Polish Space Agency's (POLSA) IT infrastructure, Minister for Digitalisation Krz…
SINGAPORE: Some HomeTeamNS servers have been hit by a ransomware attack, the organisation said on Monday (Mar 3), adding that the incident was discovered on Feb 25.
The affecte…
Paragon Partition Manager's BioNTdrv.sys driver, versions prior to 2.0.0, contains five vulnerabilities. These include arbitrary kernel memory mapping and write vulnerabilities, a…
Related actor: BlackBasta
September 2020: An affiliate of the ransomware company REvil reveals the details of a cyber attack he carried out a few months earlier against the French company Elior. At the tim…
Thailand arrests Singaporean man suspected of global cyber attacks - VnExpress International
2025-03-01
Thailand's police have arrested a Singaporean man suspected of carrying out cyber attacks on more than 70 organizations in a dozen countries around the world.
The 39-year-old was…
Related actor: slug
Telekom Slovenije has detected a cyber incident in which certain internal business data were exposed. All necessary measures to contain and stop the incident, and to preventing it…
Notification Page | City of Fort St. John
2025-02-28
Related actor: INC Ransom
On the morning of Tuesday, February 25, 2025, the City of Fort St. John experienced a cyber incident. As soon as the incident was discovered, we immediately severed our connection…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.