Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-05-14 → 2025-05-20 UTC

Choose a report date

Observed events

108

Public claims in the selected week

Data leak indicators

78.7% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 13.9% of observed events.

•

78.7% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 8 observed events.

•

5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

6 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-05-20 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

15 events · 9 leak indicators

SAFEPAY

14 events · 14 leak indicators

Akira

11 events · 6 leak indicators

NightSpire

11 events · 11 leak indicators

INC Ransom

10 events · 10 leak indicators

Sarcoma

6 events · 6 leak indicators

Arcus Media

5 events · 0 leak indicators

LeakedData

5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Arcus Media 5 events
World Leaks 3 events
Data Leak 1 event
Embargo 1 event
Morpheus 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States46

Qilin9 events · 7 leak indicators
SAFEPAY7 events · 7 leak indicators
Akira6 events · 5 leak indicators
INC Ransom5 events · 5 leak indicators
Sarcoma4 events · 4 leak indicators
Lynx3 events · 3 leak indicators
PLAY3 events · 3 leak indicators
Blacksuit1 event · 1 leak indicator

Canada7

Qilin2 events · 1 leak indicator
Akira1 event · 0 leak indicators
Gunra1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Spain6

Arcus Media2 events · 0 leak indicators
NightSpire2 events · 2 leak indicators
Akira1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Germany5

INC Ransom3 events · 3 leak indicators
SAFEPAY2 events · 2 leak indicators

France4

Qilin2 events · 1 leak indicator
Stormous1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Singapore4

Embargo1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator

Brazil3

Rhysida2 events · 2 leak indicators
NightSpire1 event · 1 leak indicator

Australia2

Qilin1 event · 0 leak indicators
Sarcoma1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction8

Qilin3 events · 1 leak indicator
SAFEPAY2 events · 2 leak indicators
PLAY1 event · 1 leak indicator
RansomHouse1 event · 0 leak indicators
Sarcoma1 event · 1 leak indicator

Law Practice6

Akira2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Hospitality5

Stormous2 events · 2 leak indicators
Arcus Media1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator

IT Services and IT Consulting5

Akira2 events · 1 leak indicator
Arcus Media1 event · 0 leak indicators
Medusa1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Accounting4

INTERLOCK1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Sarcoma1 event · 1 leak indicator

Government Administration4

Qilin2 events · 2 leak indicators
Blacksuit1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator

Manufacturing4

IMN Crew1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator

Real Estate4

INC Ransom1 event · 1 leak indicator
Morpheus1 event · 0 leak indicators
Qilin1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

11-50 employees 34
51-200 employees 25
201-500 employees 13
1,001-5,000 employees 9
2-10 employees 7
501-1,000 employees 6

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
NightSpire	Hospitality	Spain	Data leak	2025-05-20
NightSpire	Wholesale	Austria	Data leak	2025-05-20
Rhysida	Hospitals and Health Care	United States	Data leak	2025-05-20
Kairos	Non-profit Organizations	United States	Data leak	2025-05-20
INTERLOCK	Accounting	United States	Data leak	2025-05-20
Qilin	Manufacturing	United States	Claim only	2025-05-20
Akira	Retail	United States	Data leak	2025-05-20
INC Ransom	Medical Practice	United States	Data leak	2025-05-20
Akira	IT Services and IT Consulting	United States	Data leak	2025-05-20
Akira	IT Services and IT Consulting	Switzerland	Claim only	2025-05-20
Morpheus	Real Estate	United States	Claim only	2025-05-20
RansomHouse	Construction	United States	Claim only	2025-05-20

News and research context

Recent articles from the same time window.

UK supermarket distributor suffers ransomware attack 2025-05-20

A distributor to the UK's major supermarkets has said it is being held to ransom by cyber hackers. Logistics firm Peter Green Chilled supplies supermarkets including Tesco, Sai…

Notice of Data Incident | BRG 2025-05-19

Berkeley Research Group, LLC (“BRG” or “we”) is providing notice of an incident that may have affected protected health information and/or personally identifiable information stor…

Hacker had broad access to Eindhoven University's network for days in January | NL Times 2025-05-19

The hacker who was caught carrying out a cyber attack on the Eindhoven University of Technology (TU/e) in January had undetected and broad access to the university’s network for d…

Legal Aid hack: Names, financial details and criminal histories compromised in cyberattack, Ministry of Justice says | The Independent 2025-05-19

The data, including national insurance numbers, employment status and financial data, was breached earlier this year, according to the Ministry of Justice (MoJ). The cyberattac…

Redcar and Cleveland ransomware: Inside a council under cyber-attack 2025-05-19

Related actor: Conti

Hackers had scrambled Redcar and Cleveland Council's IT systems and would soon demand payment to restore it. The cyber-attack in February 2020 caused chaos, disrupting everythi…

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware - The DFIR Report 2025-05-19

The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing Confluence server, allowing for remote code execution. Using this a…

Arla factory in Germany hit by cyber incident - Just Food 2025-05-17

An Arla Foods plant in Germany has been affected by a cybersecurity incident, the dairy giant has confirmed. The Lurpak and Castello owner said “suspicious activity” had hit th…

Ransomware gangs increasingly use Skitnet post-exploitation malware 2025-05-16

Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been of…

Ransomware attackers steal comms firm’s customer details 2025-05-16

The company noticed unauthorized meddling within its networks on the eve of Valentine’s Day 2025. According to a breach notification letter Duo Broadband sent to impacted individu…

"Endemic" Ransomware Prompts NHS to Demand Supplier Action on Cybersecurity 2025-05-15

England’s National Health Service (NHS) has urged its suppliers to commit to strong cybersecurity practices amid increased cyber threats to patients and services. The voluntary…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.