Prosecutors are seeking a seven-year prison sentence for the 19-year-old Massachusetts man who pleaded guilty to hacking into an education technology company’s databases and steal…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-10-06 → 2025-10-12 UTC
Choose a report date
Observed events
171
Public claims in the selected week
Data leak indicators
141
82.5% of observed events
Active actors
35
Distinct groups with observed activity
Torrent-linked events
15
Events intersecting with torrent intelligence
What changed this week?
•
Qilin generated the highest visible claim volume this week, representing 21.6% of observed events.
•
82.5% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 12 observed events.
•
6 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
15 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-10-12 UTC.
Leak sites observed this week
35
Leak sites online near report date
1
Threat actor profiles updated this week
2
Countries represented this week
34
Sectors represented this week
72
Top active actors
By observed claim volumeQilin
37 events · 32 leak indicators
Sinobi
28 events · 27 leak indicators
Akira
20 events · 15 leak indicators
BrotherHood
10 events · 6 leak indicators
SAFEPAY
8 events · 8 leak indicators
INC Ransom
7 events · 7 leak indicators
DragonForce
6 events · 6 leak indicators
Chaos
5 events · 5 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- BrotherHood 10 events
- Kryptos 3 events
- BQTlock 2 events
- CL0P 1 event
- INTERLOCK 1 event
- Payouts King 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States98
- Qilin22 events · 20 leak indicators
- Sinobi22 events · 21 leak indicators
- Akira16 events · 12 leak indicators
- Chaos5 events · 5 leak indicators
- BrotherHood4 events · 3 leak indicators
- INC Ransom4 events · 4 leak indicators
- PLAY4 events · 4 leak indicators
- SAFEPAY3 events · 3 leak indicators
Canada9
- Akira2 events · 2 leak indicators
- BrotherHood2 events · 1 leak indicator
- SAFEPAY2 events · 2 leak indicators
- INC Ransom1 event · 1 leak indicator
- Kryptos1 event · 0 leak indicators
- Rhysida1 event · 1 leak indicator
Australia6
- BrotherHood1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Kryptos1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
- Scattered LAPSUS$ Hunters1 event · 0 leak indicators
Spain5
- Qilin2 events · 1 leak indicator
- Space Bears2 events · 2 leak indicators
- DragonForce1 event · 1 leak indicator
France4
- Qilin3 events · 3 leak indicators
- Sinobi1 event · 1 leak indicator
Germany4
- DragonForce1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
United Arab Emirates4
- BQTlock2 events · 2 leak indicators
- BlackNevas1 event · 0 leak indicators
- Medusa1 event · 1 leak indicator
United Kingdom3
- Akira1 event · 1 leak indicator
- BrotherHood1 event · 0 leak indicators
- Radiant1 event · 0 leak indicators
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction12
- Akira4 events · 3 leak indicators
- Sinobi3 events · 3 leak indicators
- INC Ransom2 events · 2 leak indicators
- PLAY2 events · 2 leak indicators
- Chaos1 event · 1 leak indicator
Law Practice7
- Akira3 events · 3 leak indicators
- Qilin2 events · 2 leak indicators
- SAFEPAY1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
Wholesale7
- Qilin2 events · 1 leak indicator
- Sinobi2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- BrotherHood1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
Software Development6
- BrotherHood3 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- Everest1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Transportation, Logistics, Supply Chain and Storage6
- Anubis1 event · 0 leak indicators
- BrotherHood1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Medusa1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
Hospitals and Health Care5
- Sinobi3 events · 3 leak indicators
- World Leaks2 events · 2 leak indicators
Retail5
- BlackNevas1 event · 0 leak indicators
- Chaos1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
Accounting4
- BrotherHood1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- RADAR1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 45
- 11-50 employees 39
- 201-500 employees 21
- 501-1,000 employees 17
- 1,001-5,000 employees 15
- 2-10 employees 13
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Qilin | Machinery Manufacturing | France | Data leak | 2025-10-12 |
| Qilin | Appliances, Electrical, and Electronics Manufacturing | Norway | Data leak | 2025-10-12 |
| Sinobi | Defense and Space Manufacturing | United States | Data leak | 2025-10-12 |
| Sinobi | Construction | United States | Data leak | 2025-10-12 |
| Sinobi | Hospitals and Health Care | Venezuela | Data leak | 2025-10-12 |
| Qilin | Real Estate | United States | Data leak | 2025-10-12 |
| Qilin | Machinery Manufacturing | Italy | Data leak | 2025-10-12 |
| Medusa | Oil and Gas | Dominican Republic | Data leak | 2025-10-12 |
| Medusa | Printing Services | United States | Data leak | 2025-10-12 |
| Medusa | Transportation, Logistics, Supply Chain and Storage | Morocco | Data leak | 2025-10-12 |
| Qilin | Mining | Australia | Claim only | 2025-10-12 |
| RALord | Government Administration | Argentina | Data leak | 2025-10-12 |
News and research context
Recent articles from the same time window.
Related actor: Obscura
The City of Michigan City has confirmed that the network disruption it experienced on Sept. 23 was a ransomware incident that affected a portion of the City’s data and impacted mu…
Paying off cyber criminals no guarantee stolen data won't be published - study - TechCentral.ie
2025-10-10
Almost three-quarters (70%) of Irish business who have experienced a ransomware attack paid a ransom in the past 12 months to prevent sensitive data being published, however, near…
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign | Google Cloud Blog
2025-10-09
Related actor: CL0P
Beginning Sept. 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the…
Velociraptor leveraged in ransomware attacks
2025-10-09
Related actor: Warlock
In August 2025, Talos responded to a ransomware attack by actors who appeared to be affiliated with Warlock ransomware, based on their ransom note and use of Warlock’s data leak s…
Landmark $5.8m penalty over health data cyber attack | The Canberra Times | Canberra, ACT
2025-10-09
Related actor: Quantum
Medlab Pathology was hit with a cyber attack and ransomware demand by a malicious actor known as the Quantum Group in February 2022.
About 86 gigabytes of data was taken and publ…
Related actor: Chaos
In 2025, Chaos ransomware resurfaced with a C++ variant. We believe this marks the first time it was not written in .NET. Beyond encryption and ransom demands, it adds destructive…
Wichtige Information - SAACKE Group
2025-10-08
Related actor: Lynx
Am 30.09.2025 wurde unsere IT-Infrastruktur Ziel eines Hackerangriffs. Wir haben sofort reagiert, betroffene Systeme isoliert und zusätzliche Sicherheitsmaßnahmen eingeleitet. Gem…
Related actor: Crimson Collective
Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments, Crimson Collective, who recently claimed to have stolen private repositories from Re…
Two arrested over nursery cyber-attack
2025-10-07
Related actor: Radiant
Two men have been arrested by police investigating reports of a cyber-attack on a chain of London-based nurseries.
The Met Police say the pair, aged 17 and 22, were arrested in…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.