Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-09-08 → 2025-09-14 UTC

Choose a report date

Observed events

146

Public claims in the selected week

Data leak indicators

54.8% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Gentlemen generated the highest visible claim volume this week, representing 21.9% of observed events.

•

54.8% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 13 observed events.

•

5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

7 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-09-14 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Gentlemen

32 events · 8 leak indicators

Qilin

21 events · 12 leak indicators

Akira

17 events · 7 leak indicators

PLAY

16 events · 15 leak indicators

Everest

8 events · 0 leak indicators

Kill Security

8 events · 8 leak indicators

INC Ransom

7 events · 6 leak indicators

RADAR

5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Gentlemen 32 events
RADAR 5 events
Abyss 1 event
Daixin 1 event
MedusaLocker 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States65

PLAY16 events · 15 leak indicators
Akira14 events · 4 leak indicators
Qilin7 events · 5 leak indicators
Kill Security5 events · 5 leak indicators
Gentlemen4 events · 0 leak indicators
SAFEPAY3 events · 3 leak indicators
Everest2 events · 0 leak indicators
Lynx2 events · 0 leak indicators

France9

Gentlemen4 events · 0 leak indicators
Qilin3 events · 2 leak indicators
Everest1 event · 0 leak indicators
RADAR1 event · 1 leak indicator

South Korea8

Qilin7 events · 2 leak indicators
Gunra1 event · 0 leak indicators

Canada6

Akira1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
Nitrogen1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

India4

Gentlemen3 events · 0 leak indicators
Yurei1 event · 0 leak indicators

Italy4

Everest4 events · 0 leak indicators

Spain4

BlackNevas1 event · 0 leak indicators
Gentlemen1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Lynx1 event · 0 leak indicators

Thailand4

Gentlemen2 events · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction13

PLAY4 events · 4 leak indicators
Gentlemen3 events · 1 leak indicator
Qilin3 events · 2 leak indicators
Akira2 events · 1 leak indicator
Yurei1 event · 0 leak indicators

Financial Services9

Gentlemen2 events · 1 leak indicator
Qilin2 events · 1 leak indicator
Everest1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
RADAR1 event · 1 leak indicator

Investment Management5

Qilin5 events · 1 leak indicator

Machinery Manufacturing5

Akira1 event · 1 leak indicator
Gentlemen1 event · 0 leak indicators
Gunra1 event · 0 leak indicators
INC Ransom1 event · 0 leak indicators
PLAY1 event · 1 leak indicator

Insurance4

Gentlemen2 events · 0 leak indicators
Akira1 event · 0 leak indicators
Space Bears1 event · 1 leak indicator

IT Services and IT Consulting4

Akira1 event · 1 leak indicator
Gentlemen1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Law Practice4

Everest2 events · 0 leak indicators
Akira1 event · 0 leak indicators
Qilin1 event · 1 leak indicator

Higher Education3

Kill Security2 events · 2 leak indicators
Gentlemen1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 44
11-50 employees 36
201-500 employees 20
2-10 employees 15
501-1,000 employees 11
1,001-5,000 employees 7

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Qilin	Financial Services	South Korea	Data leak	2025-09-14
Qilin	Investment Management	South Korea	Claim only	2025-09-14
Qilin	Financial Services	South Korea	Claim only	2025-09-14
Qilin	Investment Management	South Korea	Claim only	2025-09-14
Qilin	Investment Management	South Korea	Data leak	2025-09-14
Qilin	Investment Management	South Korea	Claim only	2025-09-14
Qilin	Investment Management	South Korea	Claim only	2025-09-14
Everest	Legal Services	Italy	Claim only	2025-09-14
Everest	Law Practice	Italy	Claim only	2025-09-14
Everest	Law Practice	Italy	Claim only	2025-09-14
MedusaLocker	Oil and Gas	United States	Claim only	2025-09-14
Everest	Personal Care Product Manufacturing	France	Claim only	2025-09-14

News and research context

Recent articles from the same time window.

Ransomware attack cancels school for several days at Texas district 2025-09-14

Related actor: Qilin

Due to the threat, Uvalde CISD will be closed from Monday, September 15, to Thursday, September 18. The closure days will be swapped with previously scheduled non-working days wit…

Yurei & The Ghost of Open Source Ransomware 2025-09-12

Related actor: Yurei

Check Point Research discovered a new ransomware group on September 5. The group calls themselves Yurei (a sort of spirit in Japanese folklore), and initially listed one victim, a…

Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass 2025-09-12

Related actor: HybridPetya

ESET Research has discovered HybridPetya, on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising…

Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis - ASEC 2025-09-12

Related actor: BlackNevas

The BlackNevas ransomware group first appeared in November 2024 and has since been continuously attacking various businesses and critical infrastructure organizations in Asia, Nor…

Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure | CyberScoop 2025-09-11

Sen. Ron Wyden, D-Ore., on Wednesday called for the Federal Trade Commission to investigate Microsoft, saying the company’s default configurations are leaving customers vulnerable…

Akira Ransomware Group Utilizing SonicWall Devices for Initial Access 2025-09-11

Related actor: Akira

Last month, an Akira ransomware campaign kicked off targeting SonicWall devices. SonicWall followed up with a security advisory. Initially, this was believed to be a new emerging…

Blackpool Credit Union suffers cyber attack with customer information believed to be shared on dark web 2025-09-10

Blackpool Credit Union has been the victim of a recent cyber attack, with personal information of members believed to have been compromised and shared on the dark web. The cred…

New York Blood Center Enterprises discloses data breach | TechTarget 2025-09-10

New York Blood Center Enterprises, or NYBCe, notified an undisclosed number of impacted individuals of a data breach stemming from a January 2025 ransomware attack that disrupted…

Statement on Cyber Incident | JLR Media Newsroom 2025-09-10

Since we became aware of the cyber incident, we have been working around the clock, alongside third‑party cybersecurity specialists, to restart our global applications in a contro…

London North Eastern Railway urges customers to be vigilant after passenger details accessed in cyber-attack | Rail industry | The Guardian 2025-09-10

Data breach at third-party supplier involves contact details and some information about previous journeys. The state-owned operator, which runs intercity services on the east c…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.