Insikt Group has observed multiple threat actors using this malicious TDS, including:
Rhysida Ransomware: A sophisticated ransomware-as-a-service operation notable for extortin…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-04-16 → 2025-04-22 UTC
- Observed events: 112 (public claims in the selected week)
- Data leak indicators: 84 (75.0% of observed events)
- Active actors: 27 (distinct groups with observed activity)
- Torrent-linked events: 3 (events intersecting with torrent intelligence)
What changed this week?
- Akira generated the highest visible claim volume this week, representing 13.4% of observed events.
- 75.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Law Practice was the most represented sector in this window with 8 observed events.
- 5 actors appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 3 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-04-22 UTC.
- Leak sites observed this week: 27
- Leak sites online near report date: 1
- Threat actor profiles updated this week: 0
- Countries represented this week: 28
- Sectors represented this week: 54
Top active actors
By observed claim volume.
- Akira: 15 events · 3 leak indicators
- SAFEPAY: 14 events · 14 leak indicators
- Qilin: 13 events · 11 leak indicators
- Lynx: 8 events · 8 leak indicators
- PLAY: 8 events · 8 leak indicators
- Sarcoma: 7 events · 7 leak indicators
- LockBit 3.0: 5 events · 5 leak indicators
- NightSpire: 5 events · 3 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days.
- Gunra: 3 events
- Weyhro: 3 events
- Blackout: 1 event
- Money Message: 1 event
- Skira: 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States: 42
- Qilin: 8 events · 6 leak indicators
- Akira: 7 events · 1 leak indicator
- Lynx: 7 events · 7 leak indicators
- PLAY: 6 events · 6 leak indicators
- NightSpire: 3 events · 1 leak indicator
- DragonForce: 2 events · 2 leak indicators
- Sarcoma: 2 events · 2 leak indicators
- Weyhro: 2 events · 0 leak indicators
Germany: 15
- SAFEPAY: 11 events · 11 leak indicators
- Akira: 2 events · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
Canada: 7
- Medusa: 2 events · 1 leak indicator
- PLAY: 2 events · 2 leak indicators
- Qilin: 2 events · 2 leak indicators
- Underground: 1 event · 0 leak indicators
Brazil: 6
- Akira: 1 event · 0 leak indicators
- Cicada3301: 1 event · 1 leak indicator
- LockBit 3.0: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
- Rhysida: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
Italy: 6
- Akira: 2 events · 0 leak indicators
- LockBit 3.0: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
United Kingdom: 6
- Kairos: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- RansomHouse: 1 event · 0 leak indicators
- SAFEPAY: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
- Weyhro: 1 event · 0 leak indicators
Taiwan: 3
- NightSpire: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
- Space Bears: 1 event · 1 leak indicator
Belgium: 2
- Hunters International: 1 event · 1 leak indicator
- RansomHouse: 1 event · 0 leak indicators
Sector mix
Share of weekly events across the last 12 reporting windows.
Law Practice: 8
- Lynx: 4 events · 4 leak indicators
- Akira: 1 event · 0 leak indicators
- Medusa: 1 event · 1 leak indicator
- NightSpire: 1 event · 0 leak indicators
- Weyhro: 1 event · 0 leak indicators
Transportation, Logistics, Supply Chain and Storage: 8
- SAFEPAY: 2 events · 2 leak indicators
- Akira: 1 event · 0 leak indicators
- Cicada3301: 1 event · 1 leak indicator
- Hunters International: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- RansomHouse: 1 event · 0 leak indicators
- Sarcoma: 1 event · 1 leak indicator
Construction: 7
- Akira: 3 events · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- NightSpire: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
Government Administration: 5
- SAFEPAY: 2 events · 2 leak indicators
- DragonForce: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
- NightSpire: 1 event · 1 leak indicator
Hospitals and Health Care: 5
- Gunra: 1 event · 0 leak indicators
- Hunters International: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- NightSpire: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
Manufacturing: 5
- Blackout: 1 event · 1 leak indicator
- LockBit 3.0: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Financial Services: 4
- NightSpire: 1 event · 0 leak indicators
- PLAY: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
Real Estate: 4
- Gunra: 1 event · 0 leak indicators
- Qilin: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
- Skira: 1 event · 0 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees: 33
- 51-200 employees: 24
- 201-500 employees: 16
- 2-10 employees: 9
- 1,001-5,000 employees: 7
- 501-1,000 employees: 7
Notable actor profile updates
Active actor records only.
- New ransom note observed: No ransom-note change logged in this reporting window.
- New actor infrastructure / contact channel: No infrastructure/contact-channel change logged in this reporting window.
- New vuln / TTP intelligence: No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Medusa | IT Services and IT Consulting | United States | Data leak | 2025-04-22 |
| PLAY | Recreational Facilities | Canada | Data leak | 2025-04-22 |
| PLAY | Environmental Services | United States | Data leak | 2025-04-22 |
| PLAY | Consumer Services | United States | Data leak | 2025-04-22 |
| PLAY | Software Development | United States | Data leak | 2025-04-22 |
| PLAY | Food and Beverage Services | United States | Data leak | 2025-04-22 |
| PLAY | Security and Investigations | United States | Data leak | 2025-04-22 |
| PLAY | Financial Services | Canada | Data leak | 2025-04-22 |
| Lynx | Law Practice | United States | Data leak | 2025-04-22 |
| Akira | Machinery Manufacturing | United States | Data leak | 2025-04-22 |
| INC Ransom | Hospitals and Health Care | United States | Data leak | 2025-04-22 |
| Lynx | Transportation, Logistics, Supply Chain and Storage | United Kingdom | Data leak | 2025-04-22 |
News and research context
Recent articles from the same time window.
South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers.
SK Tele…
According to Forrester’s 2024 Security Survey, 25% of CISOs cite preventing and protecting against ransomware as a top strategic priority for their organization. To do this, secur…
The western Swiss radiology network 3R (Réseau Radiologique Romand) has fallen victim to a cyberattack. It is urging its customers to guard against suspicious contacts.…
City of Abilene suffers cyber attack
2025-04-21
Related actor: Qilin
ABILENE, Texas — A weekend cyber attack on City of Abilene computer servers took some online services offline.
According to the city, officials received reports of unresponsive…
The dangers of Ransomware as a Service
2025-04-21
One of the worst things a trucking company can do is assume it’s safe from a cyberattack because it’s a small fleet. Many people think hackers are after the bigger organizations b…
Long Beach, CA – The City of Long Beach announced today updates to the ongoing investigation of the network security incident that occurred on or about Nov. 14, 2023. The incident,…
Legends International, the large sports venue support company with reportedly $1.7 billion in sales, earlier this week sent out letters to some customers and employees that it was…
On April 18, 2025, Tokai University in Hiratsuka City, Kanagawa Prefecture, reported a significant cyberattack that has rendered many of its systems unusable. This incident has pr…
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.