Trotz umfangreicher Sicherheitsmassnahmen konnte ein Angriff und, dem angeschlossen, ein kurzfristiger Zugriff auf unsere IT-Systeme nicht verhindert werden. Das bedauern wir sehr…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-07-16 → 2025-07-22 UTC
Choose a report date
Observed events
117
Public claims in the selected week
Data leak indicators
99
84.6% of observed events
Active actors
20
Distinct groups with observed activity
Torrent-linked events
7
Events intersecting with torrent intelligence
What changed this week?
•
INC Ransom generated the highest visible claim volume this week, representing 17.1% of observed events.
•
84.6% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Accounting was the most represented sector in this window with 7 observed events.
•
7 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
2 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-07-22 UTC.
Leak sites observed this week
20
Leak sites online near report date
2
Threat actor profiles updated this week
5
Countries represented this week
28
Sectors represented this week
60
Top active actors
By observed claim volumeINC Ransom
20 events · 20 leak indicators
Qilin
17 events · 12 leak indicators
SAFEPAY
15 events · 15 leak indicators
Akira
14 events · 7 leak indicators
World Leaks
9 events · 9 leak indicators
DragonForce
8 events · 8 leak indicators
Cicada3301
5 events · 5 leak indicators
Dire Wolf
4 events · 4 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 daysNo newly active actor families were detected using the 30-day lookback rule.
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States53
- Qilin11 events · 7 leak indicators
- INC Ransom8 events · 8 leak indicators
- Akira6 events · 2 leak indicators
- DragonForce6 events · 6 leak indicators
- World Leaks6 events · 6 leak indicators
- SAFEPAY4 events · 4 leak indicators
- INTERLOCK3 events · 3 leak indicators
- Kawa40963 events · 3 leak indicators
United Kingdom7
- SAFEPAY2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- Arcus Media1 event · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- Kraken1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
Canada6
- INC Ransom3 events · 3 leak indicators
- Akira1 event · 1 leak indicator
- Nitrogen1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
France4
- Akira1 event · 0 leak indicators
- Cicada33011 event · 1 leak indicator
- Devman1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Germany4
- Cloak1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Australia3
- INC Ransom2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
Belgium3
- INC Ransom2 events · 2 leak indicators
- World Leaks1 event · 1 leak indicator
Brazil3
- Cicada33012 events · 2 leak indicators
- Akira1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Accounting7
- Qilin2 events · 2 leak indicators
- SAFEPAY2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- Cicada33011 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
Construction6
- DragonForce2 events · 2 leak indicators
- Cicada33011 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Hospitals and Health Care6
- Kawa40962 events · 2 leak indicators
- Arcus Media1 event · 0 leak indicators
- Dire Wolf1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Civil Engineering5
- Akira1 event · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- Nitrogen1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Law Practice5
- Akira1 event · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
Government Administration4
- WALocker2 events · 2 leak indicators
- Devman1 event · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
Industrial Machinery Manufacturing4
- INTERLOCK1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
- SAFEPAY1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing3
- INC Ransom2 events · 2 leak indicators
- Qilin1 event · 0 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 33
- 11-50 employees 30
- 201-500 employees 16
- 2-10 employees 12
- 1,001-5,000 employees 6
- 10,001+ employees 5
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| SAFEPAY | Engineering Services | Peru | Data leak | 2025-07-22 |
| SAFEPAY | Non-profit Organizations | Curacao | Data leak | 2025-07-22 |
| SAFEPAY | Consumer Services | Paraguay | Data leak | 2025-07-22 |
| SAFEPAY | Civil Engineering | United Kingdom | Data leak | 2025-07-22 |
| SAFEPAY | Manufacturing | Japan | Data leak | 2025-07-22 |
| SAFEPAY | Accounting | United States | Data leak | 2025-07-22 |
| SAFEPAY | Mechanical Or Industrial Engineering | United States | Data leak | 2025-07-22 |
| SAFEPAY | Primary and Secondary Education | United Kingdom | Data leak | 2025-07-22 |
| SAFEPAY | Hospitals and Health Care | United States | Data leak | 2025-07-22 |
| INC Ransom | Automation Machinery Manufacturing | Canada | Data leak | 2025-07-22 |
| Akira | Manufacturing | United States | Data leak | 2025-07-22 |
| Akira | Wholesale | France | Claim only | 2025-07-22 |
News and research context
Recent articles from the same time window.
#StopRansomware: Interlock | CISA
2025-07-22
Related actor: INTERLOCK
The Interlock ransomware variant was first observed in late September 2024, targeting various business, critical infrastructure, and other organizations in North America and Europ…
Stuttgart, 22. Juli 2025 Die Südwestdeutsche Medienholding (SWMH) ist von einem kritischen IT-Sicherheitsvorfall betroffen. Unbefugten Dritten war es kurzfristig gelungen, auf das…
Measures to tackle the threat of ransomware and protect businesses and critical services will be taken forward with industry following public consultation.
Public sector bodies…
Related actor: World Leaks
Dell acknowledged the incident to BleepingComputer, confirming that the threat actor had breached its Customer Solution Centers platform, which is used to demonstrate Dell product…
Related actor: BlackByte
Huntress has spotted a new ransomware variant that goes by the name “Crux”.
Threat actors behind the Crux incidents claim that the ransomware variant is “a part of the BlackByt…
Novabev Group, the Russian maker of Beluga Vodka and other brands, had to stop shipments and temporarily close stores in its WineLab subsidiary after a ransomware attack.
More…
Ransomware in focus: Meet Qilin
2025-07-17
Related actor: Qilin
Qilin is a financially-motivated cybercriminal group first observed in the beginning of July 2022 as Agenda ransomware. The group rebranded as Qilin in September of the same year…
Downloading the Phobos/8Base Decryption Tool
2025-07-17
Related actor: 8BASE
The Japanese Police has developed the tool to decrypt data encrypted by the Phobos/8Base #ransomware. The tool can be downloaded from the NPA's website and is free to use for ever…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.