Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-09-10 → 2025-09-16 UTC

Choose a report date

Observed events

165

Public claims in the selected week

Data leak indicators

60.0% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Gentlemen generated the highest visible claim volume this week, representing 20.0% of observed events.

•

60.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Financial Services was the most represented sector in this window with 8 observed events.

•

8 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

3 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-09-16 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Gentlemen

33 events · 8 leak indicators

Qilin

23 events · 15 leak indicators

Akira

12 events · 3 leak indicators

PLAY

12 events · 12 leak indicators

INC Ransom

11 events · 10 leak indicators

Kill Security

9 events · 9 leak indicators

RADAR

7 events · 7 leak indicators

Warlock

7 events · 4 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Gentlemen 33 events
RADAR 7 events
BlackShrantac 4 events
LunaLock 2 events
Abyss 1 event
Brain Cipher 1 event
Daixin 1 event
IMN Crew 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States66

Akira12 events · 3 leak indicators
PLAY11 events · 11 leak indicators
Qilin8 events · 6 leak indicators
INC Ransom5 events · 5 leak indicators
Gentlemen4 events · 0 leak indicators
Kill Security4 events · 4 leak indicators
PEAR3 events · 3 leak indicators
SAFEPAY3 events · 3 leak indicators

South Korea11

Qilin10 events · 5 leak indicators
Gunra1 event · 0 leak indicators

France8

Gentlemen4 events · 0 leak indicators
Qilin2 events · 2 leak indicators
Everest1 event · 0 leak indicators
RADAR1 event · 1 leak indicator

Canada6

Lynx1 event · 1 leak indicator
Nitrogen1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Hong Kong4

Devman1 event · 1 leak indicator
DragonForce1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
LunaLock1 event · 1 leak indicator

India4

Gentlemen3 events · 0 leak indicators
BlackShrantac1 event · 1 leak indicator

Italy4

Everest4 events · 0 leak indicators

Netherlands4

IMN Crew1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
Warlock1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Financial Services8

Gentlemen2 events · 1 leak indicator
Qilin2 events · 1 leak indicator
RADAR2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator

Investment Management8

Qilin8 events · 4 leak indicators

Construction6

Gentlemen3 events · 1 leak indicator
Qilin2 events · 2 leak indicators
Akira1 event · 0 leak indicators

Insurance6

Gentlemen2 events · 0 leak indicators
Akira1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator
Warlock1 event · 0 leak indicators

Truck Transportation6

Qilin2 events · 1 leak indicator
Akira1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
Metaencryptor1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator

IT Services and IT Consulting5

Akira1 event · 1 leak indicator
Gentlemen1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
PEAR1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Business Consulting and Services4

INC Ransom2 events · 2 leak indicators
Arcus Media1 event · 0 leak indicators
PEAR1 event · 1 leak indicator

Food and Beverage Manufacturing4

BlackShrantac1 event · 1 leak indicator
Gentlemen1 event · 0 leak indicators
PLAY1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 46
11-50 employees 33
201-500 employees 24
2-10 employees 19
501-1,000 employees 12
1,001-5,000 employees 8

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Arcus Media	Technology, Information and Media	Brazil	Claim only	2025-09-16
MyData	Utilities	Mexico	Claim only	2025-09-16
Kairos	Legal Services	Sweden	Data leak	2025-09-16
Kairos	Real Estate	Australia	Data leak	2025-09-16
BlackShrantac	Food and Beverage Manufacturing	Turkey	Data leak	2025-09-16
BlackShrantac	Machinery Manufacturing	India	Data leak	2025-09-16
Brain Cipher	Hospitals and Health Care	United States	Claim only	2025-09-16
IMN Crew	Furniture and Home Furnishings Manufacturing	Netherlands	Data leak	2025-09-16
DragonForce	Renewable Energy Power Generation	Hong Kong	Data leak	2025-09-16
Beast	Medical Practice	United States	Claim only	2025-09-16
Kill Security	Medical Practice	Saudi Arabia	Data leak	2025-09-16
Sarcoma	Retail Apparel and Fashion	Germany	Data leak	2025-09-16

News and research context

Recent articles from the same time window.

Town of Waxhaw Impacted by Cybersecurity Incident 2025-09-15

The Town of Waxhaw has unfortunately become the victim of a cybercriminal attack. Early Friday morning, September 12, 2025, we discovered irregularities in our systems and our IT…

Bragg Gaming Group Secures New Debt Facilities and Provides Update on Cyber Breach 2025-09-15

The Company is also providing today an update on its previously announced cybersecurity incident initially detected on August 16, 2025. Immediately following detection, Bragg…

Ransomware attack cancels school for several days at Texas district 2025-09-14

Related actor: Qilin

Due to the threat, Uvalde CISD will be closed from Monday, September 15, to Thursday, September 18. The closure days will be swapped with previously scheduled non-working days wit…

Yurei & The Ghost of Open Source Ransomware 2025-09-12

Related actor: Yurei

Check Point Research discovered a new ransomware group on September 5. The group calls themselves Yurei (a sort of spirit in Japanese folklore), and initially listed one victim, a…

Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass 2025-09-12

Related actor: HybridPetya

ESET Research has discovered HybridPetya, on the VirusTotal sample sharing platform. It is a copycat of the infamous Petya/NotPetya malware, adding the capability of compromising…

Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis - ASEC 2025-09-12

Related actor: BlackNevas

The BlackNevas ransomware group first appeared in November 2024 and has since been continuously attacking various businesses and critical infrastructure organizations in Asia, Nor…

Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure | CyberScoop 2025-09-11

Sen. Ron Wyden, D-Ore., on Wednesday called for the Federal Trade Commission to investigate Microsoft, saying the company’s default configurations are leaving customers vulnerable…

Akira Ransomware Group Utilizing SonicWall Devices for Initial Access 2025-09-11

Related actor: Akira

Last month, an Akira ransomware campaign kicked off targeting SonicWall devices. SonicWall followed up with a security advisory. Initially, this was believed to be a new emerging…

Blackpool Credit Union suffers cyber attack with customer information believed to be shared on dark web 2025-09-10

Blackpool Credit Union has been the victim of a recent cyber attack, with personal information of members believed to have been compromised and shared on the dark web. The cred…

New York Blood Center Enterprises discloses data breach | TechTarget 2025-09-10

New York Blood Center Enterprises, or NYBCe, notified an undisclosed number of impacted individuals of a data breach stemming from a January 2025 ransomware attack that disrupted…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.