15th March 2025 – (Hong Kong) Lingnan University recently experienced a cybersecurity breach in one of its information systems, resulting in the leak of thousands of internal docu…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-03-12 → 2025-03-18 UTC
Choose a report date
Observed events
167
Public claims in the selected week
Data leak indicators
83
49.7% of observed events
Active actors
38
Distinct groups with observed activity
Torrent-linked events
4
Events intersecting with torrent intelligence
What changed this week?
•
BABUK 2.0 generated the highest visible claim volume this week, representing 26.9% of observed events.
•
49.7% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Telecommunications was the most represented sector in this window with 8 observed events.
•
7 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
4 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2025-03-18 UTC.
Leak sites observed this week
38
Leak sites online near report date
0
Threat actor profiles updated this week
4
Countries represented this week
38
Sectors represented this week
68
Top active actors
By observed claim volumeBABUK 2.0
45 events · 0 leak indicators
Akira
14 events · 4 leak indicators
Qilin
11 events · 6 leak indicators
RansomHub
10 events · 9 leak indicators
NightSpire
9 events · 7 leak indicators
Cactus
7 events · 7 leak indicators
INC Ransom
6 events · 6 leak indicators
Lynx
6 events · 6 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- BABUK 2.0 45 events
- NightSpire 9 events
- Chaos 2 events
- Leaknet Blog 1 event
- Orca 1 event
- SecP0 1 event
- VanHelsing 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States57
- Qilin7 events · 3 leak indicators
- Cactus6 events · 6 leak indicators
- RansomHub5 events · 4 leak indicators
- Akira4 events · 3 leak indicators
- Lynx4 events · 4 leak indicators
- Medusa4 events · 4 leak indicators
- BABUK 2.03 events · 0 leak indicators
- LeakedData3 events · 3 leak indicators
Canada6
- Akira2 events · 0 leak indicators
- Medusa2 events · 2 leak indicators
- Abyss1 event · 1 leak indicator
- Hunters International1 event · 1 leak indicator
Germany6
- INC Ransom2 events · 2 leak indicators
- Qilin2 events · 2 leak indicators
- PLAY1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Brazil5
- BABUK 2.03 events · 0 leak indicators
- Arcus Media2 events · 0 leak indicators
India5
- BABUK 2.02 events · 0 leak indicators
- RansomHouse1 event · 0 leak indicators
- RansomHub1 event · 1 leak indicator
- Trinity1 event · 0 leak indicators
United Kingdom5
- RansomHub2 events · 2 leak indicators
- DragonForce1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Stormous1 event · 0 leak indicators
Australia4
- INC Ransom2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- RansomHub1 event · 1 leak indicator
China4
- BABUK 2.02 events · 0 leak indicators
- Akira1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Telecommunications8
- Akira2 events · 0 leak indicators
- BABUK 2.02 events · 0 leak indicators
- Arcus Media1 event · 0 leak indicators
- Hunters International1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
Government Administration7
- BABUK 2.05 events · 0 leak indicators
- Arcus Media1 event · 0 leak indicators
- VanHelsing1 event · 1 leak indicator
IT Services and IT Consulting7
- Qilin3 events · 2 leak indicators
- BABUK 2.01 event · 0 leak indicators
- CL0P1 event · 0 leak indicators
- Hellcat1 event · 0 leak indicators
- SecP01 event · 0 leak indicators
Manufacturing6
- Akira1 event · 0 leak indicators
- Cactus1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Leaknet Blog1 event · 1 leak indicator
- Monti1 event · 0 leak indicators
- NightSpire1 event · 1 leak indicator
Transportation, Logistics, Supply Chain and Storage5
- Chaos2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- Arcus Media1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
Construction4
- Akira1 event · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- RansomHub1 event · 1 leak indicator
Hospitality4
- Akira1 event · 0 leak indicators
- BABUK 2.01 event · 0 leak indicators
- Embargo1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
Insurance4
- Abyss1 event · 1 leak indicator
- Akira1 event · 0 leak indicators
- LeakedData1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 33
- 11-50 employees 29
- 1,001-5,000 employees 19
- 201-500 employees 16
- 501-1,000 employees 13
- 10,001+ employees 10
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Arcus Media | Government Administration | Kiribati | Claim only | 2025-03-18 |
| Arcus Media | Truck Transportation | United States | Claim only | 2025-03-18 |
| Arcus Media | Transportation, Logistics, Supply Chain and Storage | Brazil | Claim only | 2025-03-18 |
| LeakedData | Law Practice | United States | Data leak | 2025-03-18 |
| LeakedData | Accounting | United States | Data leak | 2025-03-18 |
| Chaos | Transportation, Logistics, Supply Chain and Storage | United States | Data leak | 2025-03-18 |
| Chaos | Transportation, Logistics, Supply Chain and Storage | United States | Data leak | 2025-03-18 |
| Lynx | Telephone Call Centers | France | Data leak | 2025-03-18 |
| Rhysida | Facilities Services | United States | Data leak | 2025-03-18 |
| LockBit 3.0 | E-Learning Providers | Singapore | Data leak | 2025-03-18 |
| Qilin | IT Services and IT Consulting | Germany | Data leak | 2025-03-18 |
| Akira | Packaging and Containers Manufacturing | United States | Data leak | 2025-03-18 |
News and research context
Recent articles from the same time window.
Impersonation of Babuk Ransomware group
2025-03-18
Related actor: BABUK 2.0
Babuk Locker 2.0, also known as Bjorka or SkyWave, after failing to make any profit from selling public databases on forums, decided to impersonate Babuk Ransomware group. He then…
Farmers’ stores have been experiencing problems with their electronic payment systems and phone lines due to what the company says was a cyber attack.
Stuff understands the IT…
On March 14, 2025, Western Alliance Bank filed a notice of data breach with the Attorney General of Maine after discovering that an unauthorized party was able to access parts of…
Atchison County offices are closed today, Monday, March 17, and will remain closed tomorrow, Tuesday, March 18, due to a cybersecurity attack.
That's explained in a release fro…
Related actor: BlackBasta
The Black Basta ransomware operation created an automated brute-forcing framework dubbed 'BRUTED' to breach edge networking devices like firewalls and VPNs.
The framework has e…
Related actor: Akira
I recently helped a company recover their data from the Akira ransomware without paying the ransom. I’m sharing how I did it, along with the full source code.
The code is here:…
No new information available on cyber-attack impacting Town of Orangeville | Orangeville Citizen
2025-03-14
Related actor: Blacksuit
The Town of Orangeville has no new information to share regarding an ongoing cyber-attack that began on Feb. 27.
At that time, the Town was unable to share very much informatio…
SocGholishs Intrusion Techniques Facilitate Distribution of RansomHub Ransomware | Trend Micro (US)
2025-03-14
Related actor: RansomHub
Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evad…
One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agen…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.