Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-04-30 → 2025-05-06 UTC

Choose a report date

Observed events

Public claims in the selected week

Data leak indicators

67.0% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 20.5% of observed events.

•

67.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 7 observed events.

•

2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

3 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-05-06 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

18 events · 11 leak indicators

PLAY

16 events · 16 leak indicators

Brain Cipher

6 events · 0 leak indicators

Akira

5 events · 3 leak indicators

Hunters International

5 events · 1 leak indicator

LockBit 3.0

4 events · 3 leak indicators

Lynx

4 events · 4 leak indicators

Sarcoma

4 events · 3 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Monti 1 event
Orca 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States51

Qilin14 events · 10 leak indicators
PLAY11 events · 11 leak indicators
Akira4 events · 2 leak indicators
Hunters International4 events · 0 leak indicators
LockBit 3.04 events · 3 leak indicators
Medusa3 events · 3 leak indicators
INTERLOCK2 events · 2 leak indicators
Lynx2 events · 2 leak indicators

Canada5

PLAY2 events · 2 leak indicators
INTERLOCK1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Spain4

Brain Cipher2 events · 0 leak indicators
IMN Crew1 event · 1 leak indicator
RansomHouse1 event · 0 leak indicators

Italy3

INC Ransom1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Sarcoma1 event · 0 leak indicators

Japan3

Gunra1 event · 0 leak indicators
Lynx1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Belgium2

RansomHouse1 event · 0 leak indicators
Sarcoma1 event · 1 leak indicator

France2

Qilin1 event · 0 leak indicators
Termite1 event · 1 leak indicator

Germany2

Lynx1 event · 1 leak indicator
RansomHouse1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction7

Akira2 events · 2 leak indicators
Medusa2 events · 2 leak indicators
Hunters International1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Industrial Machinery Manufacturing4

Hunters International1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RansomHouse1 event · 0 leak indicators

IT Services and IT Consulting4

Kill Security1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Skira1 event · 0 leak indicators

Law Practice4

Akira2 events · 1 leak indicator
LockBit 3.01 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Government Administration3

Qilin1 event · 1 leak indicator
RansomHouse1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator

Insurance3

Brain Cipher1 event · 0 leak indicators
LockBit 3.01 event · 0 leak indicators
PLAY1 event · 1 leak indicator

Medical Practice3

Everest1 event · 0 leak indicators
Hunters International1 event · 0 leak indicators
Qilin1 event · 1 leak indicator

Wholesale3

PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Sarcoma1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 30
11-50 employees 20
201-500 employees 16
1,001-5,000 employees 7
501-1,000 employees 7
2-10 employees 5

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Orca	Transportation, Logistics, Supply Chain and Storage	Austria	Claim only	2025-05-06
Qilin	Law Practice	United States	Data leak	2025-05-06
Qilin	Design Services	United States	Claim only	2025-05-06
Qilin	Construction	United States	Claim only	2025-05-06
Qilin	Hospitals and Health Care	United States	Claim only	2025-05-06
Qilin	Real Estate	United States	Claim only	2025-05-06
LockBit 3.0	Financial Services	United States	Data leak	2025-05-06
Medusa	Individual and Family Services	United States	Data leak	2025-05-06
Medusa	Construction	United States	Data leak	2025-05-06
Everest	Medical Practice	United States	Claim only	2025-05-06
Akira	Law Practice	United States	Claim only	2025-05-06
RansomHouse	Government Administration	Belgium	Claim only	2025-05-06

News and research context

Recent articles from the same time window.

West Lothian schools hit by ransomware cyberattack 2025-05-06

Related actor: INTERLOCK

Schools in West Lothian have been the victim of a suspected criminal ransomware cyberattack. A council spokesperson said the attack had affected its education network and conti…

Legal Aid Agency hit by cyber security incident | UK News | Sky News 2025-05-06

The government agency responsible for overseeing billions of pounds worth of legal funding has been hit by a cyber security incident. The Ministry of Justice (MoJ) said it is w…

Multiple iHeartRadio stations breached in December | The Record from Recorded Future News 2025-05-06

Several radio stations owned by iHeartMedia were breached in December, exposing Social Security numbers, financial information and other personal details. The media conglomerat…

Coweta County Schools becomes latest victim of ransomware attack | FOX 5 Atlanta 2025-05-05

Related actor: Nitrogen

The Coweta County School System experienced an apparent cyberattack on its computer network on Friday evening. The network intrusion is serious and is being investigated by t…

Pressemitteilung: Cyberangriff auf die AWO Gießen erfolgreich abgewehrt 2025-05-05

Gießen, 29. April 2025 – Am Sonntag, den 27. April 2025, wurde die Arbeiterwohlfahrt (AWO) Gießen Ziel eines Cyberangriffs. Dank umfassender Sicherheitsmaßnahmen und funktionieren…

Incidents impacting retailers – recommendations from the NCSC 2025-05-04

The NCSC is working with organisations affected by the recent incidents to understand the nature of the attacks and to minimise the harm done by them, including by providing advic…

Cyberangriff auf die Stadtverwaltung 2025-05-04

Cyberangriff auf die Stadtverwaltung Die Stadtverwaltung Ellwangen ist Ziel eines Cyberangriffs geworden. Am 24.04.2025 wurden Unregelmäßigkeiten in den IT-Systemen festgestell…

How two east Idaho school districts recovered from ransomware attacks and aim to prevent another - East Idaho News 2025-05-04

RIGBY (Idaho Ed News) — Two East Idaho school districts — Jefferson County and American Falls — were recently targeted in ransomware attacks that temporarily disabled their system…

Laboratory Services Cooperative (LSC) Security Incident 2025-05-03

On October 27, 2024, LSC identified suspicious activity within its network. In response, LSC immediately engaged third-party cybersecurity specialists to determine the nature and…

Ransomware Threat Evolution Q1 2025 2025-05-02

Ransomware threat actors continue to target remote access vectors, with virtual private network (VPN) access remaining the most dominant entry point. However, there are some shift…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.