Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-09-03 → 2025-09-09 UTC

Choose a report date

Observed events

113

Public claims in the selected week

Data leak indicators

61.9% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Lynx generated the highest visible claim volume this week, representing 15.0% of observed events.

•

61.9% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 10 observed events.

•

5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

8 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-09-09 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Lynx

17 events · 1 leak indicator

PLAY

16 events · 15 leak indicators

Akira

14 events · 8 leak indicators

Qilin

13 events · 8 leak indicators

INC Ransom

11 events · 11 leak indicators

Kill Security

8 events · 8 leak indicators

Everest

5 events · 0 leak indicators

PEAR

4 events · 3 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

MyData 3 events
Yurei 3 events
LeakedData 2 events
Cicada3301 1 event
RALord 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States66

PLAY16 events · 15 leak indicators
Akira10 events · 5 leak indicators
Lynx10 events · 1 leak indicator
INC Ransom7 events · 7 leak indicators
Qilin7 events · 5 leak indicators
PEAR4 events · 3 leak indicators
Kill Security3 events · 3 leak indicators
Everest2 events · 0 leak indicators

Germany5

Lynx2 events · 0 leak indicators
Everest1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Canada4

Lynx2 events · 0 leak indicators
Akira1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator

India4

Akira1 event · 0 leak indicators
Devman1 event · 1 leak indicator
RALord1 event · 1 leak indicator
Yurei1 event · 0 leak indicators

Spain4

BlackNevas1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Lynx1 event · 0 leak indicators
Qilin1 event · 1 leak indicator

Colombia2

Kill Security2 events · 2 leak indicators

Peru2

Kill Security1 event · 1 leak indicator
Lynx1 event · 0 leak indicators

Puerto Rico2

DragonForce1 event · 1 leak indicator
MyData1 event · 0 leak indicators

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction10

PLAY4 events · 4 leak indicators
Lynx2 events · 0 leak indicators
Akira1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Yurei1 event · 0 leak indicators

Appliances, Electrical, and Electronics Manufacturing5

Akira1 event · 1 leak indicator
Dire Wolf1 event · 1 leak indicator
Gunra1 event · 0 leak indicators
Lynx1 event · 0 leak indicators
Qilin1 event · 1 leak indicator

Law Practice5

LeakedData2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
PEAR1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Software Development5

Kill Security2 events · 2 leak indicators
Akira1 event · 1 leak indicator
MyData1 event · 0 leak indicators
Qilin1 event · 0 leak indicators

Industrial Machinery Manufacturing4

INC Ransom1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Warlock1 event · 1 leak indicator

Oil and Gas4

Lynx1 event · 0 leak indicators
MyData1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
SECUROTROP1 event · 1 leak indicator

Chemical Manufacturing3

Akira1 event · 0 leak indicators
Devman1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Civil Engineering3

INC Ransom2 events · 2 leak indicators
DragonForce1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 41
11-50 employees 27
501-1,000 employees 12
1,001-5,000 employees 9
201-500 employees 9
2-10 employees 5

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
PLAY	Building Materials	United States	Data leak	2025-09-09
PLAY	Airlines and Aviation	United States	Data leak	2025-09-09
PLAY	Transportation, Logistics, Supply Chain and Storage	United States	Data leak	2025-09-09
PLAY	Construction	United States	Data leak	2025-09-09
PLAY	Technology, Information and Internet	United States	Data leak	2025-09-09
PLAY	Construction	United States	Data leak	2025-09-09
PLAY	Construction	United States	Data leak	2025-09-09
PLAY	Industrial Machinery Manufacturing	United States	Data leak	2025-09-09
PLAY	Construction	United States	Data leak	2025-09-09
PLAY	Financial Services	United States	Data leak	2025-09-09
PLAY	Machinery Manufacturing	United States	Data leak	2025-09-09
PLAY	Consumer Services	United States	Data leak	2025-09-09

News and research context

Recent articles from the same time window.

Data privacy and ransomware shape ANZ cyber landscape | Insurance Business New Zealand 2025-09-09

The sectors most frequently targeted included healthcare, financial services, education, and critical infrastructure, highlighting the broader implications for both economic and n…

SafePay Ransomware: How a Non-RaaS Group Executes Rapid Fire Attacks 2025-09-09

Related actor: SAFEPAY

Ransomware groups continue to evolve their tactics, but few have made as sharp an impact in 2025 as SafePay. Once a lesser-known player, the group has surged into prominence by qu…

Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response 2025-09-09

Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ranso…

Uncovering ALVIVA HOLDING: Links to Russian Shell Companies and Cybercrime – THE RAVEN FILE 2025-09-09

Related actor: CL0P

This is an Investigative Report on how the most malicious hosting provider is linked to a Shell Company registered in Seychelles. This article will not cover Ransomware Analysis,…

Examining the activities and careers of ransomware criminal groups 2025-09-08

Ransomware has emerged as one of the most significant cybercrime threats in the contemporary era. This malicious software employs cryptoviral techniques to encrypt victims’ data o…

An Important Security Update For Our Clients | Wealthsimple 2025-09-07

On August 30th, Wealthsimple detected a data security incident. All accounts remain secure, and no funds were accessed or stolen. We acted quickly and in a few hours the issue was…

RTL Today - Cyber attack: Loterie Nationale reports data breach 2025-09-06

A subcontractor of the National Lottery (Loterie Nationale) has been the victim of a cyber attack, resulting in stolen data. Customer data such as names, addresses, phone numbe…

The crazy, true story behind the first AI-powered ransomware • The Register 2025-09-06

Related actor: PromptLock

It all started as an idea for a research paper. Within a week, however, it nearly set the security industry on fire over what was believed to be the first-ever AI-powered rans…

Rhysida: Evading Detection, One Service at a Time 2025-09-05

Related actor: Rhysida

In a case observed by At-Bay, a user at an organization fell victim to a tactic known as Search Engine Optimization (SEO) poisoning and downloaded a trojanized version of Putty.ex…

Obscura, an Obscure New Ransomware Variant | Huntress 2025-09-03

Related actor: Obscura

On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called “Obscura.” This name was taken from the ransom note (README_Obscura.txt), which also…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.