Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-06-25 → 2025-07-01 UTC

Choose a report date

Observed events

106

Public claims in the selected week

Data leak indicators

74.5% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 26.4% of observed events.

•

74.5% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 12 observed events.

•

5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

5 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-07-01 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

28 events · 18 leak indicators

Akira

10 events · 6 leak indicators

PLAY

10 events · 10 leak indicators

World Leaks

9 events · 8 leak indicators

Kraken

8 events · 0 leak indicators

Kawa4096

6 events · 6 leak indicators

DragonForce

4 events · 3 leak indicators

INC Ransom

4 events · 4 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Kraken 8 events
Kawa4096 6 events
CL0P 1 event
Dunghill Leak 1 event
Underground 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States56

Qilin17 events · 13 leak indicators
Akira7 events · 3 leak indicators
PLAY7 events · 7 leak indicators
DragonForce4 events · 3 leak indicators
Kawa40963 events · 3 leak indicators
World Leaks3 events · 3 leak indicators
INC Ransom2 events · 2 leak indicators
INTERLOCK2 events · 2 leak indicators

Germany5

Qilin2 events · 2 leak indicators
Kawa40961 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Spain5

Kraken3 events · 0 leak indicators
Qilin1 event · 0 leak indicators
RALord1 event · 1 leak indicator

Canada4

PLAY2 events · 2 leak indicators
Akira1 event · 1 leak indicator
Dunghill Leak1 event · 1 leak indicator

Thailand4

Data Leak1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

India3

World Leaks3 events · 2 leak indicators

Italy3

Akira2 events · 2 leak indicators
World Leaks1 event · 1 leak indicator

United Kingdom3

Qilin3 events · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction12

Qilin3 events · 2 leak indicators
Akira2 events · 0 leak indicators
SAFEPAY2 events · 2 leak indicators
DragonForce1 event · 1 leak indicator
Kawa40961 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

IT Services and IT Consulting7

World Leaks4 events · 3 leak indicators
Data Leak1 event · 1 leak indicator
Kraken1 event · 0 leak indicators
RALord1 event · 1 leak indicator

Government Administration5

INC Ransom3 events · 3 leak indicators
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Financial Services4

Qilin2 events · 1 leak indicator
Akira1 event · 1 leak indicator
Kraken1 event · 0 leak indicators

Medical Practice4

INC Ransom1 event · 1 leak indicator
Kairos1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Telecommunications4

DragonForce1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
World Leaks1 event · 1 leak indicator

Business Consulting and Services3

Akira2 events · 2 leak indicators
Global1 event · 1 leak indicator

Chemical Manufacturing3

Lynx1 event · 1 leak indicator
Underground1 event · 0 leak indicators
World Leaks1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 35
11-50 employees 23
201-500 employees 13
2-10 employees 9
501-1,000 employees 9
1,001-5,000 employees 6

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
SAFEPAY	Non-profit Organization Management	United States	Data leak	2025-07-01
SAFEPAY	Construction	Germany	Data leak	2025-07-01
SAFEPAY	Construction	United States	Data leak	2025-07-01
World Leaks	IT Services and IT Consulting	United States	Data leak	2025-07-01
Qilin	Industrial Machinery Manufacturing	United Kingdom	Data leak	2025-07-01
Qilin	Retail	United States	Data leak	2025-07-01
Qilin	Financial Services	United States	Data leak	2025-07-01
Qilin	Retail	Poland	Data leak	2025-07-01
Akira	Construction	United States	Claim only	2025-07-01
Qilin	Medical Device	United States	Data leak	2025-07-01
Qilin	Construction	France	Claim only	2025-07-01
Kawa4096	Security and Investigations	Japan	Data leak	2025-07-01

News and research context

Recent articles from the same time window.

Aeza Group sanctioned for hosting ransomware, infostealer servers 2025-07-01

Related actor: BianLian

The U.S. Department of the Treasury has sanctioned Russian hosting company Aeza Group and four operators for allegedly acting as a bulletproof hosting company for ransomware gangs…

Notice of Data Security Incident 2025-07-01

On December 27, 2024, we learned that a computer virus was used to lock access to some files stored on our computer network. In response, we securely restored our systems and took…

Pembroke hospital experiencing delays after cybersecurity incident | Pembroke Observer 2025-06-30

The Pembroke Regional Hospital (PRH) is currently experiencing service delays and has had to cancel certain appointments and procedures as a result of a cybersecurity incident tha…

Cybervorfall bei Tradersplace | heise online 2025-06-30

Bei dem Wertpapierinstitut Tradersplace.de gab es einen "Cybercrimevorfall", wie das Unternehmen gegenüber heise online bestätigt. Betroffene Kunden werden offenbar mittels E-Mail…

DCACF Data Incident Settlement: Claim $50 up to $5,000 2025-06-30

If you received a written notice from D.C. & Associates of Central Florida, P.A. (DCACF) about a data incident on or around July 26, 2023, you may be eligible to claim up to $5,00…

New e-learning workshop on Countering Ransomware Financing is launched 2025-06-29

The interactive module is designed to help reporting entities, regulators and public sector professionals better understand the flow of illicit funds obtained from ransomware atta…

FBI, cybersecurity firms say a prolific hacking crew is now targeting airlines and the transportation sector | TechCrunch 2025-06-28

The FBI and cybersecurity firms are warning that the prolific hacking group known as Scattered Spider is now targeting airlines and the transportation sector. In a brief statem…

Truro secondary school closed over cyber incident 2025-06-28

A secondary school in Cornwall will be closed for two days next week due to a "cyber incident". Richard Lander School in Truro said on Facebook an issue had affected its IT sys…

Hawaiian Airlines hit by cyber attack 2025-06-27

WASHINGTON (Reuters) - Hawaiian Airlines said on Thursday that some of its IT systems were disrupted by a hack, adding its flights were operating as scheduled. In a statement,…

Green River City Computer Systems Crippled by Ransomware 2025-06-26

The City of Green River is dealing with a ransomware situation that has impacted its computer systems. Chris Meats, the city’s finance director, confirmed to SweetwaterNOW the…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.