Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-08-25 → 2025-08-31 UTC

Choose a report date

Observed events

125

Public claims in the selected week

Data leak indicators

76.0% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

SAFEPAY generated the highest visible claim volume this week, representing 16.0% of observed events.

•

76.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 7 observed events.

•

6 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

2 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

2 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-08-31 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

SAFEPAY

20 events · 20 leak indicators

Cephalus

19 events · 8 leak indicators

Qilin

18 events · 10 leak indicators

INC Ransom

10 events · 10 leak indicators

DragonForce

8 events · 8 leak indicators

Akira

5 events · 2 leak indicators

Dire Wolf

5 events · 4 leak indicators

Obscura

5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Cephalus 19 events
Obscura 5 events
Desolator 2 events
Chaos 1 event
Metaencryptor 1 event
SECUROTROP 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States64

Qilin15 events · 8 leak indicators
Cephalus13 events · 7 leak indicators
SAFEPAY6 events · 6 leak indicators
DragonForce5 events · 5 leak indicators
Akira4 events · 1 leak indicator
INC Ransom4 events · 4 leak indicators
PLAY4 events · 4 leak indicators
INTERLOCK2 events · 2 leak indicators

Canada11

INC Ransom3 events · 3 leak indicators
SAFEPAY3 events · 3 leak indicators
Akira1 event · 1 leak indicator
Anubis1 event · 0 leak indicators
Metaencryptor1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Germany10

SAFEPAY7 events · 7 leak indicators
DragonForce1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
Obscura1 event · 1 leak indicator

United Kingdom7

Cephalus2 events · 0 leak indicators
Dire Wolf1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
INTERLOCK1 event · 1 leak indicator
Lynx1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator

Australia4

Dire Wolf1 event · 1 leak indicator
DragonForce1 event · 1 leak indicator
INTERLOCK1 event · 1 leak indicator
Lynx1 event · 1 leak indicator

Mexico3

INC Ransom1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Ireland2

Cephalus1 event · 0 leak indicators
Obscura1 event · 1 leak indicator

Italy2

SAFEPAY1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction7

Qilin4 events · 2 leak indicators
Akira1 event · 0 leak indicators
Desolator1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Law Practice6

Cephalus3 events · 2 leak indicators
PLAY2 events · 2 leak indicators
Dire Wolf1 event · 1 leak indicator

Wholesale Building Materials5

DragonForce2 events · 2 leak indicators
INTERLOCK1 event · 1 leak indicator
Obscura1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Financial Services4

INC Ransom2 events · 2 leak indicators
Cephalus1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Hospitals and Health Care4

Cephalus3 events · 1 leak indicator
Cloak1 event · 0 leak indicators

IT Services and IT Consulting4

Qilin2 events · 2 leak indicators
Cephalus1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Manufacturing4

Dire Wolf2 events · 1 leak indicator
DragonForce1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator

Real Estate4

DragonForce1 event · 1 leak indicator
Obscura1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 43
11-50 employees 34
201-500 employees 13
2-10 employees 12
501-1,000 employees 9
1,001-5,000 employees 2

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Desolator	Software Development	Vietnam	Data leak	2025-08-31
Qilin	Oil and Gas	United States	Claim only	2025-08-30
Qilin	IT Services and IT Consulting	Mexico	Data leak	2025-08-30
Qilin	Higher Education	Spain	Data leak	2025-08-30
SAFEPAY	Real Estate	Canada	Data leak	2025-08-30
DragonForce	Wholesale Building Materials	United States	Data leak	2025-08-30
DragonForce	Manufacturing	Germany	Data leak	2025-08-30
DragonForce	Pharmaceutical Manufacturing	Australia	Data leak	2025-08-30
DragonForce	Hospitality	United States	Data leak	2025-08-30
DragonForce	Wholesale Building Materials	United States	Data leak	2025-08-30
DragonForce	Telecommunications	United States	Data leak	2025-08-30
Obscura	Real Estate	Egypt	Data leak	2025-08-30

News and research context

Recent articles from the same time window.

Ransomware gang takedowns causing explosion of new, smaller groups | The Record from Recorded Future News 2025-08-29

The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands…

Sliding into your DMs: Abusing Microsoft Teams for Malware Delivery 2025-08-29

In recent months, we have observed a growing number of campaigns abusing Microsoft Teams to deliver malicious payloads. These attacks typically involve direct messages or calls or…

eSentire | Threat Actors Deploy Sinobi Ransomware via Compromised… 2025-08-29

Related actor: Sinobi

Attackers initiated their campaign by leveraging compromised credentials from a managed service provider’s (MSP) SonicWall SSL VPN account, which had over-privileged domain admini…

Lycoming County hit by ransomware attack | wnep.com 2025-08-29

An investigation is underway after a ransomware attack in Lycoming County. County officials say ransomware was detected on their computer system on August 12. Investigators late…

Cybersecurity Incident – PPL’s Response and Current Status 2025-08-29

Related actor: Blue Locker

Pakistan Petroleum Limited (PPL) recently identified a cybersecurity incident involving a ransomware intrusion targeting parts of its IT infrastructure. The event was detected on…

Cyber-attack on UK DBS contractor affects people in Guernsey 2025-08-28

A personal data breach at a Disclosure and Barring Service (DBS) contractor has affected some people in Guernsey, officials have said. The Office of the Data Protection Authori…

Intradev cyber attack: SCR teacher data may be 'compromised' 2025-08-28

Single Central Record, also known as Online SCR, has written to its customers to inform them it has been notified by its software supplier Intradev Limited of a data breach. Sc…

South Korea agency fines SK Telecom $97 million over major data leak 2025-08-28

SEOUL, Aug 28 (Reuters) - South Korea's SK Telecom (017670.KS), opens new tab was fined on Thursday about 134 billion won ($96.53 million) after the country's largest mobile carri…

Office Of The Registrar General Hit By Cyber Attack | RJR News - Jamaican News Online 2025-08-28

The Office of the Registrar General (ORG), formerly Registrar General's Department, has been hit by a cyber attack, which it says was an attempt to disrupt systems and gain access…

Storm-0501’s evolving techniques lead to cloud-based ransomware | Microsoft Security Blog 2025-08-28

Related actor: Storm-0501

Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to achieve sharpened focus on cloud-based tactics, t…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.