Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-09-15 → 2025-09-21 UTC
Choose a report date
Previous week Next week
Observed events
130
Public claims in the selected week
Data leak indicators
107
82.3% of observed events
Active actors
35
Distinct groups with observed activity
Torrent-linked events
11
Events intersecting with torrent intelligence

What changed this week?

Qilin generated the highest visible claim volume this week, representing 19.2% of observed events.
82.3% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Investment Management was the most represented sector in this window with 13 observed events.
7 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
11 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-09-21 UTC.
Leak sites observed this week
35
Leak sites online near report date
1
Threat actor profiles updated this week
3
Countries represented this week
29
Sectors represented this week
64

Top active actors

By observed claim volume
Qilin
25 events · 22 leak indicators
PLAY
14 events · 14 leak indicators
INC Ransom
13 events · 13 leak indicators
Akira
11 events · 11 leak indicators
SAFEPAY
8 events · 8 leak indicators
Warlock
7 events · 4 leak indicators
BlackShrantac
4 events · 4 leak indicators
Sarcoma
4 events · 4 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • BlackShrantac 4 events
  • Arcus Media 3 events
  • LunaLock 2 events
  • Brain Cipher 1 event
  • Embargo 1 event
  • IMN Crew 1 event
  • Termite 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States62
  • PLAY13 events · 13 leak indicators
  • Akira9 events · 9 leak indicators
  • Qilin9 events · 8 leak indicators
  • INC Ransom8 events · 8 leak indicators
  • SAFEPAY5 events · 5 leak indicators
  • PEAR3 events · 2 leak indicators
  • World Leaks3 events · 3 leak indicators
  • Warlock2 events · 1 leak indicator
South Korea13
  • Qilin12 events · 12 leak indicators
  • INC Ransom1 event · 1 leak indicator
Germany7
  • Sarcoma4 events · 4 leak indicators
  • Everest1 event · 0 leak indicators
  • INC Ransom1 event · 1 leak indicator
  • Qilin1 event · 1 leak indicator
Netherlands4
  • IMN Crew1 event · 1 leak indicator
  • INC Ransom1 event · 1 leak indicator
  • Lynx1 event · 1 leak indicator
  • Warlock1 event · 1 leak indicator
Australia3
  • Kairos2 events · 2 leak indicators
  • Akira1 event · 1 leak indicator
Hong Kong3
  • Devman1 event · 1 leak indicator
  • DragonForce1 event · 1 leak indicator
  • LunaLock1 event · 1 leak indicator
Mexico3
  • INC Ransom1 event · 1 leak indicator
  • LunaLock1 event · 0 leak indicators
  • MyData1 event · 0 leak indicators
United Kingdom3
  • SAFEPAY2 events · 2 leak indicators
  • INC Ransom1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Investment Management13
  • Qilin12 events · 12 leak indicators
  • SAFEPAY1 event · 1 leak indicator
Real Estate7
  • Qilin3 events · 1 leak indicator
  • Devman1 event · 1 leak indicator
  • Kairos1 event · 1 leak indicator
  • PLAY1 event · 1 leak indicator
  • Sarcoma1 event · 1 leak indicator
Law Practice5
  • Akira3 events · 3 leak indicators
  • PEAR1 event · 0 leak indicators
  • SECUROTROP1 event · 1 leak indicator
Business Consulting and Services4
  • INC Ransom2 events · 2 leak indicators
  • Arcus Media1 event · 0 leak indicators
  • Everest1 event · 0 leak indicators
Medical Practice4
  • Beast1 event · 0 leak indicators
  • Gentlemen1 event · 0 leak indicators
  • Kill Security1 event · 1 leak indicator
  • PEAR1 event · 1 leak indicator
Telecommunications4
  • Akira2 events · 2 leak indicators
  • LunaLock1 event · 0 leak indicators
  • Obscura1 event · 1 leak indicator
Architecture and Planning3
  • Obscura1 event · 1 leak indicator
  • PLAY1 event · 1 leak indicator
  • Qilin1 event · 1 leak indicator
Construction3
  • Anubis1 event · 0 leak indicators
  • SAFEPAY1 event · 1 leak indicator
  • Sarcoma1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 51-200 employees 38
  • 11-50 employees 31
  • 2-10 employees 18
  • 201-500 employees 12
  • 501-1,000 employees 7
  • 1,001-5,000 employees 6

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Obscura Telecommunications Portugal Data leak 2025-09-21
Obscura Architecture and Planning Malaysia Data leak 2025-09-21
Qilin Research Services Germany Data leak 2025-09-21
INC Ransom Law Enforcement United States Data leak 2025-09-21
Qilin Restaurants United States Data leak 2025-09-20
Qilin Utilities Aruba Data leak 2025-09-20
Qilin Architecture and Planning United States Data leak 2025-09-20
Leaknet Blog Engineering Services Pakistan Data leak 2025-09-20
Embargo Oil and Gas United States Data leak 2025-09-20
Qilin Real Estate Spain Claim only 2025-09-20
PLAY Industrial Machinery Manufacturing United States Data leak 2025-09-19
Anubis Construction United States Claim only 2025-09-19

News and research context

Recent articles from the same time window.
One Arrested in Sophisticated Cyber Crime 2025-09-20
Between August 2023 and October 2023, multiple Las Vegas casino properties became the targets of sophisticated network intrusions which were attributed to an organized cyber threa…
Communiqué : cyberattaque et vol de données 2025-09-19
La Fédération Française de Tennis de Table informe avoir été victime d’une cyberattaque et d’un vol de données : vigilance conseillée à tous nos licenciés. La FFTT a récemment…
SystemBC – Bringing the Noise | Lumen Blog 2025-09-18
Related actor: Morpheus
One primary user of the SystemBC botnet is an interesting proxy network known as “REM Proxy,” which offers roughly 80% of the SystemBC network to their users. REM Proxy is a sizea…
[단독] GJ텍, 랜섬웨어 감염···미래에셋-KB-한화운용 등은? : 네이트 뉴스 2025-09-18
Related actor: Qilin
한눈에 보는 오늘 : 경제 - 뉴스 : [데일리브리프 황재희 기자] 국내 자산운용사에 특화된 전산관리 서비스를 제공하는 '지제이(GJ)텍'의 서버가 랜섬웨어에 감염된 것으로 확인되면서 관련 업계에 비상이 걸렸다. 자칫 지제이텍에 전산관리를 맡긴 자산운용사에까지 불똥이 튈까 걱정하는 것이다.

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.