Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-09-17 → 2025-09-23 UTC

Choose a report date

Observed events

126

Public claims in the selected week

Data leak indicators

108

85.7% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 22.2% of observed events.

•

85.7% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Real Estate was the most represented sector in this window with 12 observed events.

•

2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

12 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-09-23 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

28 events · 22 leak indicators

PLAY

15 events · 15 leak indicators

Akira

12 events · 12 leak indicators

Kill Security

11 events · 11 leak indicators

World Leaks

10 events · 10 leak indicators

INC Ransom

9 events · 8 leak indicators

SAFEPAY

8 events · 8 leak indicators

Sarcoma

5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Embargo 1 event
J Group 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States69

PLAY12 events · 12 leak indicators
Qilin11 events · 9 leak indicators
World Leaks10 events · 10 leak indicators
Akira9 events · 9 leak indicators
INC Ransom6 events · 5 leak indicators
SAFEPAY5 events · 5 leak indicators
Kill Security3 events · 3 leak indicators
Lynx2 events · 1 leak indicator

South Korea11

Qilin9 events · 9 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator

Germany9

Sarcoma4 events · 4 leak indicators
Qilin2 events · 1 leak indicator
Akira1 event · 1 leak indicator
Everest1 event · 0 leak indicators
J Group1 event · 0 leak indicators

Canada4

PLAY2 events · 2 leak indicators
Kill Security1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

United Kingdom4

SAFEPAY2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
Kill Security1 event · 1 leak indicator

France3

Qilin2 events · 2 leak indicators
Kill Security1 event · 1 leak indicator

Australia2

Akira1 event · 1 leak indicator
Kairos1 event · 1 leak indicator

Mexico2

Gentlemen1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Real Estate12

Qilin5 events · 3 leak indicators
PLAY2 events · 2 leak indicators
Sarcoma2 events · 2 leak indicators
Kill Security1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Investment Management10

Qilin9 events · 9 leak indicators
SAFEPAY1 event · 1 leak indicator

Law Practice8

Akira4 events · 4 leak indicators
PEAR1 event · 0 leak indicators
SECUROTROP1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Construction6

PLAY3 events · 3 leak indicators
Anubis1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Software Development4

PLAY2 events · 2 leak indicators
Arcus Media1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator

Wholesale4

Akira2 events · 2 leak indicators
Gentlemen1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator

Business Consulting and Services3

Everest1 event · 0 leak indicators
Kill Security1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Financial Services3

Kill Security1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 34
11-50 employees 33
2-10 employees 19
201-500 employees 16
1,001-5,000 employees 7
501-1,000 employees 6

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Qilin	Furniture and Home Furnishings Manufacturing	United States	Data leak	2025-09-23
J Group	Airlines and Aviation	Germany	Claim only	2025-09-23
Qilin	Real Estate	France	Data leak	2025-09-23
Qilin	Financial Services	Germany	Claim only	2025-09-23
Kairos	Food and Beverage Manufacturing	Slovakia	Data leak	2025-09-23
World Leaks	Truck Transportation	United States	Data leak	2025-09-23
World Leaks	Motor Vehicle Manufacturing	United States	Data leak	2025-09-23
World Leaks	Hospitals and Health Care	United States	Data leak	2025-09-23
World Leaks	Real Estate	United States	Data leak	2025-09-23
World Leaks	Hospitality	United States	Data leak	2025-09-23
World Leaks	Primary and Secondary Education	United States	Data leak	2025-09-23
Lynx	Hospitality	United States	Data leak	2025-09-23

News and research context

Recent articles from the same time window.

Personal Information Protection Commission probes ransomware data breach at GJTech affecting Korean asset managers - CHOSUNBIZ 2025-09-23

Related actor: Qilin

The Personal Information Protection Commission (hereafter the Personal Information Protection Commission) said on the 23rd that it had recently received personal information leak…

Unmasking Akira: The ransomware tactics you can’t afford to ignore - Zensec 2025-09-22

Related actor: Akira

The ransomware group Akira has been ravaging UK businesses since at least 2023. This brief goes over what ZenSec (formerly Solace Cyber) have seen in the past two years. ZenSec ha…

Ransomware attack linked to gold heist at museum • The Register 2025-09-22

Last week the Museum discovered that thieves had broken into its minerals display section by using an angle grinder to cut through a door, before wielding a blowtorch to open a ca…

Cyberattack disrupts European airports including Heathrow, Brussels 2025-09-20

BRUSSELS/FRANKFURT/LONDON, Sept 20 (Reuters) - A cyberattack on a provider of check-in and boarding systems has disrupted operations at several major European airports including L…

One Arrested in Sophisticated Cyber Crime 2025-09-20

Between August 2023 and October 2023, multiple Las Vegas casino properties became the targets of sophisticated network intrusions which were attributed to an organized cyber threa…

‘I Was a Weird Kid’: Jailhouse Confessions of a Teen Hacker 2025-09-19

Noah Urban’s role in the notorious Scattered Spider gang was talking people into unwittingly giving criminals access to sensitive computer systems. At the time he was on the ru…

Communiqué : cyberattaque et vol de données 2025-09-19

La Fédération Française de Tennis de Table informe avoir été victime d’une cyberattaque et d’un vol de données : vigilance conseillée à tous nos licenciés. La FFTT a récemment…

SystemBC – Bringing the Noise | Lumen Blog 2025-09-18

Related actor: Morpheus

One primary user of the SystemBC botnet is an interesting proxy network known as “REM Proxy,” which offers roughly 80% of the SystemBC network to their users. REM Proxy is a sizea…

Two charged for TfL cyber attack - National Crime Agency 2025-09-18

Two men have been charged as part of the National Crime Agency investigation into a cyber attack on Transport for London (TfL). TfL was subject of a network intrusion on 31 Aug…

[단독] GJ텍, 랜섬웨어 감염···미래에셋-KB-한화운용 등은? : 네이트 뉴스 2025-09-18

Related actor: Qilin

한눈에 보는 오늘 : 경제 - 뉴스 : [데일리브리프 황재희 기자] 국내 자산운용사에 특화된 전산관리 서비스를 제공하는 '지제이(GJ)텍'의 서버가 랜섬웨어에 감염된 것으로 확인되면서 관련 업계에 비상이 걸렸다. 자칫 지제이텍에 전산관리를 맡긴 자산운용사에까지 불똥이 튈까 걱정하는 것이다.

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.