Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-03-26 → 2025-04-01 UTC

Choose a report date

Observed events

179

Public claims in the selected week

Data leak indicators

106

59.2% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

SAFEPAY generated the highest visible claim volume this week, representing 16.8% of observed events.

•

59.2% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 13 observed events.

•

1 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

2 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-04-01 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

SAFEPAY

30 events · 30 leak indicators

BABUK 2.0

24 events · 0 leak indicators

Akira

18 events · 2 leak indicators

Kill Security

18 events · 18 leak indicators

Qilin

16 events · 7 leak indicators

RansomHub

13 events · 3 leak indicators

Sarcoma

8 events · 8 leak indicators

DragonForce

6 events · 6 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Dunghill Leak 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States75

Akira11 events · 2 leak indicators
Qilin9 events · 3 leak indicators
SAFEPAY9 events · 9 leak indicators
Kill Security8 events · 8 leak indicators
Lynx6 events · 6 leak indicators
RansomHub6 events · 1 leak indicator
DragonForce5 events · 5 leak indicators
BianLian4 events · 0 leak indicators

Germany17

SAFEPAY11 events · 11 leak indicators
RansomHub2 events · 2 leak indicators
Akira1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Canada13

SAFEPAY4 events · 4 leak indicators
Medusa2 events · 2 leak indicators
Sarcoma2 events · 2 leak indicators
Akira1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator

United Kingdom8

SAFEPAY4 events · 4 leak indicators
Dunghill Leak1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Sarcoma1 event · 1 leak indicator

Australia5

Kill Security2 events · 2 leak indicators
Akira1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator
VanHelsing1 event · 1 leak indicator

France5

Qilin2 events · 1 leak indicator
DragonForce1 event · 1 leak indicator
Nitrogen1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Brazil4

Akira1 event · 0 leak indicators
Kill Security1 event · 1 leak indicator
RALord1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Taiwan4

CrazyHunter3 events · 0 leak indicators
RALord1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction13

SAFEPAY6 events · 6 leak indicators
Lynx3 events · 3 leak indicators
RansomHub2 events · 1 leak indicator
Medusa1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Hospitals and Health Care8

INC Ransom2 events · 2 leak indicators
Qilin2 events · 0 leak indicators
BianLian1 event · 0 leak indicators
DragonForce1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

IT Services and IT Consulting7

Kill Security3 events · 3 leak indicators
Akira1 event · 0 leak indicators
Chaos1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RansomHub1 event · 0 leak indicators

Manufacturing5

Kill Security2 events · 2 leak indicators
Akira1 event · 0 leak indicators
RansomHub1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Real Estate5

Akira3 events · 0 leak indicators
Lynx1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Software Development5

Qilin2 events · 1 leak indicator
Kill Security1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator
VanHelsing1 event · 0 leak indicators

Industrial Machinery Manufacturing4

Akira1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Law Practice4

Kairos1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator
VanHelsing1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

11-50 employees 43
51-200 employees 43
201-500 employees 20
2-10 employees 14
501-1,000 employees 9
1,001-5,000 employees 8

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Anubis	Architecture and Planning	United States	Claim only	2025-04-01
Medusa	Industrial Machinery Manufacturing	Canada	Data leak	2025-04-01
Medusa	Appliances, Electrical, and Electronics Manufacturing	United States	Data leak	2025-04-01
INC Ransom	Hospitals and Health Care	United States	Data leak	2025-04-01
Akira	Plastics Manufacturing	United States	Data leak	2025-04-01
Akira	Aviation and Aerospace Component Manufacturing	United States	Claim only	2025-04-01
Morpheus	Pharmaceutical Manufacturing	United States	Claim only	2025-04-01
DragonForce	Motor Vehicle Manufacturing	United States	Data leak	2025-04-01
Qilin	Medical Practice	United States	Data leak	2025-04-01
Kill Security	Software Development	Ireland	Data leak	2025-04-01
Kill Security	Information Technology and Services	United States	Data leak	2025-04-01
Kill Security	Media Production	Germany	Data leak	2025-04-01

News and research context

Recent articles from the same time window.

INDIA RANSOMWARE REPORT- 2024 by CERT-In 2025-04-01

This report covers the ransomware latest tactics and techniques along with trends observed in the year-2024, specific to Indian cyber space. In the year 2024, the ransomware la…

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream – Sophos News 2025-04-01

Related actor: Qilin

Late in January 2025, a Managed Service Provider (MSP) administrator received a well-crafted phishing email containing what appeared to be an authentication alert for their Screen…

Local doctor hit by ransomware attack fights to save his practice 2025-04-01

Related actor: Helldown

BLUE ASH, Ohio (WKRC) - Dr. Gururau Sudarshan, known as Doctor G to his patients, was headed into work one morning last August when workers at his Cincinnati Pain Physicians clini…

Taiwan’s Systex reports no major impact following ransomware threat | Taiwan News | Mar. 31, 2025 2025-03-31

TAIPEI (Taiwan News) — Systex Corporation said Monday it is cooperating with the Ministry of Justice Investigation Bureau after receiving an anonymous ransom note. According to…

Data breach communications - 13cabs 2025-03-29

On 14 March 2025, 13cabs became aware that some of our 13cabs and Silver Service app user accounts were potentially compromised through a sophisticated unauthorised type of suspic…

Ransomware Cases Double for Fourth Straight Year in Iceland 2025-03-28

The number of cases handled annually by CERT-IS, Iceland’s national computer emergency response team, continues to rise significantly. The unit’s director says its main task is tr…

Shifting the sands of RansomHub’s EDRKillShifter 2025-03-27

Related actor: RansomHub

ESET researchers take a look back at the significant changes in the ransomware ecosystem in 2024 and focus on the newly emerged and currently dominating ransomware-as-a-service (R…

UK fines software provider £3.07 million for 2022 ransomware breach 2025-03-27

Related actor: LockBit 3.0

The UK Information Commissioner's Office (ICO) has issued a £3.07 million fine on Advanced Computer Software Group Ltd for a 2022 ransomware attack that exposed the sensitive pers…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.