The government will underwrite a £1.5bn loan guarantee to Jaguar Land Rover (JLR) in a bid to support its suppliers as a cyber-attack continues to halt production at the car maker…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-09-22 → 2025-09-28 UTC
- Observed events: 125 (public claims in the selected week)
- Data leak indicators: 110 (88.0% of observed events)
- Active actors: 26 (distinct groups with observed activity)
- Torrent-linked events: 2 (events intersecting with torrent intelligence)
What changed this week?
- Qilin generated the highest visible claim volume this week, representing 25.6% of observed events.
- 88.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 10 observed events.
- 3 actors appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 2 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-09-28 UTC.
- Leak sites observed this week: 26
- Leak sites online near report date: 1
- Threat actor profiles updated this week: 4
- Countries represented this week: 25
- Sectors represented this week: 59
Top active actors
By observed claim volume
- Qilin: 32 events · 28 leak indicators
- PLAY: 19 events · 19 leak indicators
- Kill Security: 14 events · 14 leak indicators
- World Leaks: 7 events · 7 leak indicators
- Devman: 6 events · 6 leak indicators
- Medusa: 6 events · 5 leak indicators
- DragonForce: 5 events · 5 leak indicators
- INC Ransom: 4 events · 2 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- Arachna: 2 events
- J Group: 1 event
- Radiant: 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States: 72
- PLAY: 16 events · 16 leak indicators
- Qilin: 16 events · 14 leak indicators
- World Leaks: 7 events · 7 leak indicators
- Devman: 5 events · 5 leak indicators
- Kill Security: 4 events · 4 leak indicators
- Lynx: 4 events · 4 leak indicators
- Medusa: 4 events · 3 leak indicators
- INC Ransom: 3 events · 1 leak indicator
Germany: 7
- Sarcoma: 2 events · 2 leak indicators
- Akira: 1 event · 1 leak indicator
- DragonForce: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- J Group: 1 event · 0 leak indicators
- Qilin: 1 event · 0 leak indicators
South Korea: 7
- Qilin: 6 events · 6 leak indicators
- Kill Security: 1 event · 1 leak indicator
United Kingdom: 5
- Devman: 1 event · 1 leak indicator
- DragonForce: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- Radiant: 1 event · 0 leak indicators
Canada: 4
- PLAY: 2 events · 2 leak indicators
- Kill Security: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
France: 4
- Qilin: 2 events · 2 leak indicators
- DragonForce: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
India: 2
- Arachna: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
Spain: 2
- Arachna: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows.
Construction: 10
- PLAY: 5 events · 5 leak indicators
- DragonForce: 2 events · 2 leak indicators
- Devman: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
Real Estate: 9
- Qilin: 3 events · 2 leak indicators
- DragonForce: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
- Space Bears: 1 event · 1 leak indicator
- World Leaks: 1 event · 1 leak indicator
Manufacturing: 6
- Qilin: 3 events · 2 leak indicators
- PLAY: 2 events · 2 leak indicators
- Gentlemen: 1 event · 0 leak indicators
Financial Services: 5
- Kill Security: 2 events · 2 leak indicators
- Anubis: 1 event · 0 leak indicators
- PLAY: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
Investment Management: 5
- Qilin: 5 events · 5 leak indicators
Hospitals and Health Care: 4
- Qilin: 3 events · 3 leak indicators
- World Leaks: 1 event · 1 leak indicator
Law Practice: 4
- Akira: 1 event · 1 leak indicator
- INC Ransom: 1 event · 0 leak indicators
- Space Bears: 1 event · 1 leak indicator
- World Leaks: 1 event · 1 leak indicator
Legal Services: 4
- DragonForce: 1 event · 1 leak indicator
- Kill Security: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees: 35
- 51-200 employees: 27
- 201-500 employees: 21
- 2-10 employees: 11
- 1,001-5,000 employees: 8
- 501-1,000 employees: 8
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Kill Security | Telecommunications | Indonesia | Data leak | 2025-09-28 |
| Kill Security | Financial Services | United Arab Emirates | Data leak | 2025-09-28 |
| Qilin | Chemical Manufacturing | United States | Data leak | 2025-09-28 |
| Devman | Non-profit Organizations | United States | Data leak | 2025-09-28 |
| RALord | IT Services and IT Consulting | Netherlands | Data leak | 2025-09-28 |
| PLAY | Construction | United States | Data leak | 2025-09-27 |
| PLAY | Consumer Services | United States | Data leak | 2025-09-27 |
| PLAY | Telecommunications | United States | Data leak | 2025-09-27 |
| PLAY | Mechanical Or Industrial Engineering | United States | Data leak | 2025-09-27 |
| PLAY | Construction | United States | Data leak | 2025-09-27 |
| PLAY | Manufacturing | United States | Data leak | 2025-09-27 |
| Medusa | Insurance | India | Data leak | 2025-09-27 |
News and research context
Recent articles from the same time window.
Related actor: LockBit 5.0
The LockBit 5.0 Windows variant uses heavy obfuscation and packing by loading its payload through DLL reflection while implementing anti-analysis technique. The Linux variant has…
We found that the server of a consolidated subsidiary in Germany, Okuma Europe GmbH (“OEG”) was accessed by an unauthorized third party, which resulted in infection of the server…
Boyd Gaming Corporation (the “Company”) recently experienced a cybersecurity incident in which an unauthorized third party accessed our internal IT system. The cybersecurity incid…
Man arrested over cyber attack that caused Heathrow airport flight chaos | The Independent
2025-09-24
A man in his 40s has been arrested over an alleged cyber attack which caused disruption at Heathrow and other major airports at the weekend.
The UK National Crime Agency (NCA)…
Related actor: Gunra
Gunra Ransomware is a Double Extortion Ransomware group that primarily targets global victims, excluding the US, unlike other Ransomware Groups. The group had targeted only a sing…
Phishing is the Leading Cause of Ransomware Attacks in 2025, SpyCloud Identity Threat Report Finds
2025-09-24
SpyCloud’s latest research reveals a 10-point rise year-over-year in phishing-driven ransomware attacks, amid growing AI-powered cybercrime and widespread infostealer infections.…
Related actor: Qilin
The Personal Information Protection Commission (hereafter the Personal Information Protection Commission) said on the 23rd that it had recently received personal information leak…
Related actor: Akira
The ransomware group Akira has been ravaging UK businesses since at least 2023. This brief goes over what ZenSec (formerly Solace Cyber) have seen in the past two years. ZenSec ha…
Last week the Museum discovered that thieves had broken into its minerals display section by using an angle grinder to cut through a door, before wielding a blowtorch to open a ca…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.