Horizon Behavioral Health (“Horizon”) is writing to share with you that Horizon, like many other organizations around the country, has been the victim of a criminal cybersecurity…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-05-07 → 2025-05-13 UTC
Choose a report date
Observed events
62
Public claims in the selected week
Data leak indicators
46
74.2% of observed events
Active actors
21
Distinct groups with observed activity
Torrent-linked events
3
Events intersecting with torrent intelligence
What changed this week?
•
SAFEPAY generated the highest visible claim volume this week, representing 21.0% of observed events.
•
74.2% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 8 observed events.
•
3 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
3 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2025-05-13 UTC.
Leak sites observed this week
21
Leak sites online near report date
0
Threat actor profiles updated this week
2
Countries represented this week
18
Sectors represented this week
34
Top active actors
By observed claim volumeSAFEPAY
13 events · 13 leak indicators
PLAY
10 events · 10 leak indicators
Akira
5 events · 3 leak indicators
J Group
5 events · 0 leak indicators
Qilin
5 events · 5 leak indicators
Medusa
3 events · 3 leak indicators
Stormous
3 events · 3 leak indicators
DragonForce
2 events · 2 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Stormous 3 events
- DataVault 1 event
- Kraken 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States29
- PLAY7 events · 7 leak indicators
- Qilin5 events · 5 leak indicators
- Akira3 events · 1 leak indicator
- Medusa3 events · 3 leak indicators
- SAFEPAY3 events · 3 leak indicators
- DragonForce2 events · 2 leak indicators
- CL0P1 event · 1 leak indicator
- Kairos1 event · 0 leak indicators
Canada7
- PLAY3 events · 3 leak indicators
- Akira1 event · 1 leak indicator
- Kraken1 event · 0 leak indicators
- SAFEPAY1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
Germany6
- SAFEPAY5 events · 5 leak indicators
- Everest1 event · 0 leak indicators
Brazil2
- Gunra1 event · 0 leak indicators
- J Group1 event · 0 leak indicators
Italy2
- RALord2 events · 2 leak indicators
Switzerland2
- Leaknet Blog1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Argentina1
- J Group1 event · 0 leak indicators
Austria1
- Akira1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction8
- Akira2 events · 1 leak indicator
- PLAY2 events · 2 leak indicators
- SAFEPAY2 events · 2 leak indicators
- Everest1 event · 0 leak indicators
- Medusa1 event · 1 leak indicator
IT Services and IT Consulting4
- Medusa1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- RALord1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Law Practice4
- Qilin2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- Kairos1 event · 0 leak indicators
Financial Services3
- Akira1 event · 0 leak indicators
- CL0P1 event · 1 leak indicator
- J Group1 event · 0 leak indicators
Food and Beverage Manufacturing3
- PLAY2 events · 2 leak indicators
- Rhysida1 event · 1 leak indicator
Industrial Machinery Manufacturing3
- SAFEPAY2 events · 2 leak indicators
- Kraken1 event · 0 leak indicators
Accounting2
- SAFEPAY2 events · 2 leak indicators
Architecture and Planning2
- Leaknet Blog1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 16
- 51-200 employees 15
- 201-500 employees 9
- 501-1,000 employees 5
- 2-10 employees 4
- 1,001-5,000 employees 3
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| PLAY | Food and Beverage Manufacturing | United States | Data leak | 2025-05-13 |
| Leaknet Blog | Architecture and Planning | Switzerland | Data leak | 2025-05-13 |
| Medusa | IT Services and IT Consulting | United States | Data leak | 2025-05-13 |
| Medusa | Construction | United States | Data leak | 2025-05-13 |
| Akira | Financial Services | United States | Claim only | 2025-05-13 |
| Akira | Construction | United States | Claim only | 2025-05-13 |
| PLAY | Software Development | United States | Data leak | 2025-05-12 |
| PLAY | Construction | Canada | Data leak | 2025-05-12 |
| PLAY | Defense and Space Manufacturing | United States | Data leak | 2025-05-12 |
| PLAY | Construction | United States | Data leak | 2025-05-12 |
| Kairos | Law Practice | United States | Claim only | 2025-05-12 |
| Gunra | Retail | Brazil | Claim only | 2025-05-12 |
News and research context
Recent articles from the same time window.
Marks & Spencer has revealed that the contact details and date of births of some customers has been stolen in the recent cyber attack which continues to disrupt its services.
S…
The Alabama Office of Information Technology is responding to a disruptive cybersecurity “event” after noticing abnormal network activity last week, the office announced Monday.…
Related actor: DoppelPaymer
Moldovan authorities have arrested a 45-year-old man suspected of involvement in a series of ransomware attacks targeting Dutch companies in 2021.
Among the attacks the suspect…
UK cyber insurance claims in 2024 down YOY but still up on earlier years: Marsh - Reinsurance News
2025-05-12
However, on a positive note, ransomware claims in 2024 have declined by 31% compared to 2023. Marsh attributes this decline to the increase in law enforcement activity, stricter g…
Nella notte dell’8 maggio, si è registrata una interruzione dei servizi informatici di Ateneo. A seguito delle operazioni di verifica effettuate già nella notte e proseguite per t…
Global Crossing Airlines Group - SEC.gov
2025-05-09
On May 5, 2025, Global Crossing Airlines Group Inc. (the “Company”) learned of unauthorized activity within its computer networks and systems supporting portions of its business a…
Ransomware operations are using legitimate Kickidler employee monitoring software for reconnaissance, tracking their victims' activity, and harvesting credentials after breaching…
Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned.
Pearson is a UK-based edu…
Related actor: LockBit 3.0
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.