The DuPage County Sheriff's Office, circuit court and clerk's office have been impacted by what officials called a "cyber incident" early Monday morning.
Officials said the cou…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-04-23 → 2025-04-29 UTC
Choose a report date
Observed events
94
Public claims in the selected week
Data leak indicators
72
76.6% of observed events
Active actors
25
Distinct groups with observed activity
Torrent-linked events
1
Events intersecting with torrent intelligence
What changed this week?
•
Lynx generated the highest visible claim volume this week, representing 13.8% of observed events.
•
76.6% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 6 observed events.
•
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
1 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
2 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-04-29 UTC.
Leak sites observed this week
25
Leak sites online near report date
2
Threat actor profiles updated this week
7
Countries represented this week
27
Sectors represented this week
54
Top active actors
By observed claim volumeLynx
13 events · 13 leak indicators
PLAY
11 events · 11 leak indicators
Akira
10 events · 1 leak indicator
Qilin
9 events · 3 leak indicators
SAFEPAY
6 events · 6 leak indicators
Hunters International
4 events · 4 leak indicators
NightSpire
4 events · 4 leak indicators
RALord
4 events · 4 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Silent 4 events
- Everest 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States50
- Lynx10 events · 10 leak indicators
- PLAY10 events · 10 leak indicators
- Akira7 events · 1 leak indicator
- Qilin4 events · 2 leak indicators
- SAFEPAY4 events · 4 leak indicators
- Silent3 events · 3 leak indicators
- Blacksuit2 events · 0 leak indicators
- INTERLOCK2 events · 2 leak indicators
Canada7
- INC Ransom1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
- RALord1 event · 1 leak indicator
- Rhysida1 event · 1 leak indicator
- Silent1 event · 1 leak indicator
Italy4
- Gunra1 event · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- Rhysida1 event · 1 leak indicator
United Kingdom3
- Kairos1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Argentina2
- Gunra1 event · 0 leak indicators
- Rhysida1 event · 1 leak indicator
Germany2
- Nitrogen1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
Mexico2
- Hunters International1 event · 1 leak indicator
- IMN Crew1 event · 1 leak indicator
Austria1
- Hunters International1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction6
- PLAY3 events · 3 leak indicators
- Lynx1 event · 1 leak indicator
- RALord1 event · 1 leak indicator
- Rhysida1 event · 1 leak indicator
Hospitals and Health Care4
- INC Ransom1 event · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
IT Services and IT Consulting4
- NightSpire1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
- RALord1 event · 1 leak indicator
Law Practice4
- Akira1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Machinery Manufacturing4
- Akira1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Rhysida1 event · 1 leak indicator
Truck Transportation4
- IMN Crew1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Aviation and Aerospace Component Manufacturing3
- Akira1 event · 1 leak indicator
- Blacksuit1 event · 0 leak indicators
- Silent1 event · 1 leak indicator
Software Development3
- Crypto241 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Silent1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 36
- 11-50 employees 24
- 201-500 employees 11
- 501-1,000 employees 7
- 2-10 employees 6
- 1,001-5,000 employees 3
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Termite | Appliances, Electrical, and Electronics Manufacturing | Netherlands | Data leak | 2025-04-29 |
| Lynx | Farming | United States | Data leak | 2025-04-29 |
| Rhysida | Retail | Canada | Data leak | 2025-04-29 |
| PLAY | Manufacturing | United States | Data leak | 2025-04-29 |
| PLAY | Industrial Machinery Manufacturing | United States | Data leak | 2025-04-29 |
| PLAY | Construction | United States | Data leak | 2025-04-29 |
| PLAY | Construction | United States | Data leak | 2025-04-29 |
| PLAY | Transportation, Logistics, Supply Chain and Storage | Germany | Data leak | 2025-04-29 |
| PLAY | Truck Transportation | United States | Data leak | 2025-04-29 |
| Qilin | IT Services and IT Consulting | United States | Claim only | 2025-04-29 |
| RALord | IT Services and IT Consulting | Dominican Republic | Data leak | 2025-04-29 |
| Qilin | Hospitals and Health Care | Canada | Claim only | 2025-04-29 |
News and research context
Recent articles from the same time window.
Related actor: DragonForce
Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider" BleepingComp…
Doctors Hospital thwarts ransomware attack
2025-04-29
Doctors Hospital has confirmed its IT systems were hit by a ransomware attack, but that no patient records had been compromised.
The hospital said IT experts, led by Patrick Tu…
In 2022, the ‘Melissa’ project was launched to strengthen the Netherlands’ digital resilience against ransomware-related crime. This initiative represents a collaboration between…
Governor Albert Bryan Jr. publicly addressed ongoing issues at Governor Juan F. Luis Hospital & Medical Center (JFL) during press briefing on Tuesday, highlighting a cybersecurity…
Related actor: Akira
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.
The com…
Nova Scotia Power is responding to a cyber attack that has downed some of their IT systems.
The utility says their IT team is working with third-party cybersecurity experts to…
Die Schweizerische Post ist konfrontiert mit einem Cyberangriff bei der Güterlogistiksparte in Deutschland. Betroffen sind rund 1600 Geschäftskundinnen und -kunden, die Lager- und…
Related actor: Qilin
For nearly two weeks, Western New Mexico University’s website and digital systems have been held hostage by what officials in internal emails have called the efforts of a “foreign…
The Expel threat intel team has seen a spike in a specific type of pre-ransomware activity this week, and we’re writing this up to highlight the tactics and indicators we’ve obser…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.