We are currently investigating a cyber incident affecting our networks. As soon as we became aware of this incident, our IT security team took precautionary measures. We then part…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-03-05 → 2025-03-11 UTC
Choose a report date
Observed events
170
Public claims in the selected week
Data leak indicators
112
65.9% of observed events
Active actors
32
Distinct groups with observed activity
Torrent-linked events
5
Events intersecting with torrent intelligence
What changed this week?
•
Fog generated the highest visible claim volume this week, representing 14.1% of observed events.
•
65.9% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Software Development was the most represented sector in this window with 10 observed events.
•
4 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
5 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2025-03-11 UTC.
Leak sites observed this week
32
Leak sites online near report date
0
Threat actor profiles updated this week
5
Countries represented this week
35
Sectors represented this week
71
Top active actors
By observed claim volumeFog
24 events · 0 leak indicators
Akira
23 events · 5 leak indicators
RansomHub
19 events · 17 leak indicators
PLAY
14 events · 14 leak indicators
Lynx
13 events · 13 leak indicators
INC Ransom
10 events · 10 leak indicators
Qilin
9 events · 7 leak indicators
SAFEPAY
8 events · 8 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- CrazyHunter 5 events
- Skira 5 events
- Weyhro 5 events
- Nitrogen 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States82
- Akira11 events · 2 leak indicators
- PLAY10 events · 10 leak indicators
- RansomHub10 events · 8 leak indicators
- Fog8 events · 0 leak indicators
- INC Ransom7 events · 7 leak indicators
- 3AM5 events · 5 leak indicators
- Lynx5 events · 5 leak indicators
- Qilin4 events · 3 leak indicators
Germany11
- Fog4 events · 0 leak indicators
- INC Ransom3 events · 3 leak indicators
- 3AM1 event · 1 leak indicator
- Akira1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Canada8
- PLAY3 events · 3 leak indicators
- RansomHub2 events · 2 leak indicators
- Fog1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- Weyhro1 event · 1 leak indicator
Taiwan7
- CrazyHunter5 events · 5 leak indicators
- Akira1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
United Kingdom7
- DragonForce2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- Embargo1 event · 1 leak indicator
- Medusa1 event · 1 leak indicator
- Rhysida1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
Italy5
- Fog2 events · 0 leak indicators
- Akira1 event · 0 leak indicators
- Nitrogen1 event · 1 leak indicator
- Weyhro1 event · 1 leak indicator
Spain5
- Akira3 events · 0 leak indicators
- Arcus Media1 event · 0 leak indicators
- Fog1 event · 0 leak indicators
India4
- Skira2 events · 1 leak indicator
- Defray7771 event · 1 leak indicator
- FSOCIETY1 event · 0 leak indicators
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Software Development10
- Fog4 events · 0 leak indicators
- Akira1 event · 1 leak indicator
- Defray7771 event · 1 leak indicator
- Embargo1 event · 1 leak indicator
- Kill Security1 event · 1 leak indicator
- Nitrogen1 event · 1 leak indicator
- Weyhro1 event · 1 leak indicator
Construction8
- Akira2 events · 0 leak indicators
- 3AM1 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- RansomHub1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
Hospitals and Health Care8
- CrazyHunter3 events · 3 leak indicators
- INC Ransom2 events · 2 leak indicators
- Fog1 event · 0 leak indicators
- RansomHouse1 event · 0 leak indicators
- RansomHub1 event · 1 leak indicator
Retail6
- Akira2 events · 1 leak indicator
- Medusa1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- RansomHub1 event · 0 leak indicators
- Rhysida1 event · 1 leak indicator
Industrial Machinery Manufacturing5
- 3AM1 event · 1 leak indicator
- Akira1 event · 0 leak indicators
- Fog1 event · 0 leak indicators
- PLAY1 event · 1 leak indicator
- Weyhro1 event · 1 leak indicator
Legal Services5
- INC Ransom2 events · 2 leak indicators
- 3AM1 event · 1 leak indicator
- Fog1 event · 0 leak indicators
- Skira1 event · 1 leak indicator
Telecommunications5
- Fog2 events · 0 leak indicators
- BianLian1 event · 0 leak indicators
- PLAY1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing4
- 3AM1 event · 1 leak indicator
- Akira1 event · 0 leak indicators
- Fog1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 47
- 11-50 employees 41
- 1,001-5,000 employees 19
- 201-500 employees 19
- 501-1,000 employees 15
- 2-10 employees 13
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| SAFEPAY | Individual and Family Services | Colombia | Data leak | 2025-03-11 |
| SAFEPAY | Oil and Gas | Argentina | Data leak | 2025-03-11 |
| SAFEPAY | Wellness and Fitness Services | Peru | Data leak | 2025-03-11 |
| SAFEPAY | Transportation, Logistics, Supply Chain and Storage | Puerto Rico | Data leak | 2025-03-11 |
| SAFEPAY | Hospitality | Mexico | Data leak | 2025-03-11 |
| SAFEPAY | Hospitality | United States | Data leak | 2025-03-11 |
| SAFEPAY | Education Administration Programs | United States | Data leak | 2025-03-11 |
| Kill Security | Software Development | United States | Data leak | 2025-03-11 |
| Kill Security | Insurance | United States | Data leak | 2025-03-11 |
| Lynx | Utilities | United States | Data leak | 2025-03-11 |
| Nitrogen | Software Development | Italy | Data leak | 2025-03-11 |
| Lynx | Hospitality | United States | Data leak | 2025-03-11 |
News and research context
Recent articles from the same time window.
The government of Mission, Texas, filed a state of emergency declaration this week after a cyberattack exposed all of the data held on city systems.
The city government notifie…
TOKYO, JAPAN, March 5, 2025 — NTT Communications Corporation (NTT Com), announced today that on February 5th, it determined that unauthorized access to its systems had occurred. O…
Related actor: Qilin
Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of organizations. Qilin is a ransomwar…
National Presto Industries, Inc. - SEC.gov
2025-03-07
On March 1, 2025, the Registrant experienced a system outage caused by a cybersecurity incident. Upon discovery, the Registrant activated its incident response team, comprised of…
Related actor: Medusa
Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in acti…
The fourth quarter of 2024 marked a pivotal period in the ransomware landscape. We saw operators continuing to move beyond their past reliance on opportunistic exploits and instea…
Franklin County Commissioners investigating ransomware attack on computer systems - Daily Bulldog
2025-03-06
FARMINGTON — The Franklin County Commissioners received an inquiry regarding a brief network disruption that impacted certain Franklin County computer systems on February 6, 2025.…
Related actor: Akira
While the S-RM team encountered more threat actors than ever before last year, one group was responsible for more incidents than any other. Akira, a well-established ransomware gr…
Related actor: Nitrogen
Durch einen Cyberangriff sind interne Dienste derzeit nicht nutzbar. Das Versorgungsnetz ist nicht betroffen.
Durch einen Cyberangriff kam es zu einer Störung unseres internen…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.