Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-04-09 → 2025-04-15 UTC

Choose a report date

Observed events

140

Public claims in the selected week

Data leak indicators

111

79.3% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 15.0% of observed events.

•

79.3% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 11 observed events.

•

5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

Coverage snapshot

As of 2025-04-15 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

21 events · 11 leak indicators

PLAY

19 events · 19 leak indicators

Akira

15 events · 0 leak indicators

LeakedData

13 events · 13 leak indicators

INC Ransom

10 events · 10 leak indicators

DragonForce

9 events · 9 leak indicators

Lynx

8 events · 8 leak indicators

Crypto24

7 events · 7 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Crypto24 7 events
IMN Crew 5 events
Brain Cipher 1 event
Run Some Wares 1 event
WikiLeaksV2 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States71

PLAY16 events · 16 leak indicators
Akira8 events · 0 leak indicators
LeakedData8 events · 8 leak indicators
Qilin8 events · 5 leak indicators
INC Ransom7 events · 7 leak indicators
DragonForce6 events · 6 leak indicators
Lynx5 events · 5 leak indicators
IMN Crew3 events · 3 leak indicators

Canada7

PLAY3 events · 3 leak indicators
Akira1 event · 0 leak indicators
Crypto241 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator

Australia5

Akira1 event · 0 leak indicators
Lynx1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator

United Kingdom4

INC Ransom2 events · 2 leak indicators
DragonForce1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Germany3

Akira1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Lynx1 event · 1 leak indicator

Indonesia3

Crypto241 event · 1 leak indicator
IMN Crew1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator

Spain3

Qilin2 events · 1 leak indicator
Akira1 event · 0 leak indicators

Czech Republic2

Cicada33011 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction11

Akira3 events · 0 leak indicators
Lynx2 events · 2 leak indicators
PLAY2 events · 2 leak indicators
Qilin2 events · 0 leak indicators
Brain Cipher1 event · 0 leak indicators
DragonForce1 event · 1 leak indicator

Law Practice10

LeakedData7 events · 7 leak indicators
Crypto241 event · 1 leak indicator
DragonForce1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Financial Services9

IMN Crew2 events · 2 leak indicators
LockBit 3.02 events · 2 leak indicators
Akira1 event · 0 leak indicators
CL0P1 event · 1 leak indicator
Crypto241 event · 1 leak indicator
LeakedData1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator

Machinery Manufacturing7

PLAY2 events · 2 leak indicators
Qilin2 events · 2 leak indicators
Akira1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Lynx1 event · 1 leak indicator

IT Services and IT Consulting5

Crypto242 events · 2 leak indicators
PLAY1 event · 1 leak indicator
RALord1 event · 1 leak indicator
Termite1 event · 1 leak indicator

Manufacturing5

Lynx2 events · 2 leak indicators
Akira1 event · 0 leak indicators
IMN Crew1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Accounting4

Akira1 event · 0 leak indicators
Crypto241 event · 1 leak indicator
DragonForce1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator

Government Administration4

Qilin2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

11-50 employees 39
51-200 employees 36
201-500 employees 18
2-10 employees 12
1,001-5,000 employees 10
501-1,000 employees 6

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Qilin	Truck Transportation	United States	Data leak	2025-04-15
Lynx	Construction	United States	Data leak	2025-04-15
Lynx	Manufacturing	United States	Data leak	2025-04-15
LeakedData	Law Practice	United States	Data leak	2025-04-15
Qilin	Motor Vehicle Manufacturing	United States	Data leak	2025-04-15
Lynx	Construction	United States	Data leak	2025-04-15
Lynx	Wholesale	United States	Data leak	2025-04-15
IMN Crew	Manufacturing	United States	Data leak	2025-04-15
IMN Crew	Hospitals and Health Care	United States	Data leak	2025-04-15
IMN Crew	Insurance	Indonesia	Data leak	2025-04-15
IMN Crew	Financial Services	United States	Data leak	2025-04-15
IMN Crew	Financial Services	Croatia	Data leak	2025-04-15

News and research context

Recent articles from the same time window.

Bengaluru Firm Hit by Ransomware; Hackers Demand ₹60 Lakh Ransom - The420.in 2025-04-15

In a wave of cyberattacks targeting Indian businesses, a Bengaluru-based company, Whiteboard Technologies Pvt Ltd, has reported falling victim to a ransomware attack. The attacker…

DaVita Inc. Form 8-K | SEC.gov 2025-04-14

Related actor: INTERLOCK

On April 12, 2025, DaVita Inc. (the “Company” or “we”) became aware of a ransomware incident that has encrypted certain elements of our network. Upon discovery, we activated our r…

Black Basta: The Fallen Ransomware Gang That Lives On | WIRED 2025-04-14

Related actor: BlackBasta

The pecking order of ransomware gangs is always shifting and evolving, with the most aggressive and reckless groups netting big payouts from vulnerable targets—but often ultimatel…

Midcap stock in focus after reporting cyberattack on its IT infrastructure - Trade Brains 2025-04-12

According to the latest regulatory filings with the stock exchanges, Nippon Life India Asset Management Limited (NAM India) has reported a cyber-attack on its IT infrastructure th…

Charlton Athletic hit by 'ransomware cyber attack' in August - BBC Sport 2025-04-11

Charlton Athletic were hit by a cyber attack in August which wiped "significant financial data" the club says. However the accounts filed at Companies House carried a disclaime…

Cyber security breaches survey 2025 - GOV.UK 2025-04-11

Whilst the prevalence of cyber crime overall remained static, the prevalence of ransomware among businesses has significantly increased between 2024 and 2025. The estimated percen…

DfE alerted to more than 50 school ransomware attacks in past three years – PublicTechnology 2025-04-10

“However, the department has been notified of 53 ransomware cases across the sector over the last three years,” the minister added, in response to a written parliamentary question…

Notice of Data Security Incident - Gooding County 2025-04-10

This notice is provided on behalf of my client, Gooding County, Idaho (the “County”). On March 25, 2025, the County detected and responded to a ransomware incident impacting its c…

Cyberattack shuts down Oregon DEQ systems, testing through Friday, agency says 2025-04-10

Related actor: Rhysida

SALEM, Ore. (KPTV) - Oregon’s DEQ computer systems will be down through the end of the week following a cyberattack on Wednesday, the agency said. Just before 6 p.m., the agenc…

Industrial tech manufacturer Sensata says ransomware attack is impacting production | The Record from Recorded Future News 2025-04-10

Sensata Technologies, a U.S.-based manufacturer or industrial technologies with operations in about a dozen countries, told federal regulators that a recent ransomware attack disr…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.