Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-10-13 → 2025-10-19 UTC

Choose a report date

Observed events

209

Public claims in the selected week

Data leak indicators

109

52.2% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 50.2% of observed events.

•

52.2% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 15 observed events.

•

4 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

6 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-10-19 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

105 events · 42 leak indicators

Coinbase Cartel

17 events · 6 leak indicators

Akira

10 events · 6 leak indicators

PLAY

8 events · 6 leak indicators

DragonForce

7 events · 7 leak indicators

RADAR

6 events · 0 leak indicators

Sinobi

6 events · 6 leak indicators

RALord

5 events · 5 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Coinbase Cartel 17 events
Dire Wolf 2 events
Kraken 1 event
Kyber 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States110

Qilin58 events · 30 leak indicators
Akira10 events · 6 leak indicators
PLAY8 events · 6 leak indicators
Coinbase Cartel6 events · 2 leak indicators
Sinobi5 events · 5 leak indicators
CL0P3 events · 3 leak indicators
INC Ransom3 events · 2 leak indicators
DragonForce2 events · 2 leak indicators

France15

Qilin12 events · 1 leak indicator
Coinbase Cartel1 event · 0 leak indicators
Devman1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Canada10

Qilin8 events · 5 leak indicators
Coinbase Cartel2 events · 2 leak indicators

Germany6

Coinbase Cartel2 events · 1 leak indicator
Qilin1 event · 0 leak indicators
RansomHouse1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
Sinobi1 event · 1 leak indicator

Spain6

Qilin5 events · 2 leak indicators
BlackNevas1 event · 0 leak indicators

Australia5

RADAR3 events · 0 leak indicators
Anubis1 event · 0 leak indicators
Lynx1 event · 1 leak indicator

United Kingdom4

DragonForce1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
Radiant1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator

Argentina3

DragonForce2 events · 2 leak indicators
Qilin1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction15

Qilin10 events · 0 leak indicators
Akira1 event · 0 leak indicators
DragonForce1 event · 1 leak indicator
PLAY1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
Sinobi1 event · 1 leak indicator

Government Administration10

Qilin7 events · 3 leak indicators
Devman1 event · 1 leak indicator
Obscura1 event · 1 leak indicator
Sarcoma1 event · 1 leak indicator

Law Practice10

Qilin4 events · 1 leak indicator
Akira1 event · 0 leak indicators
Coinbase Cartel1 event · 0 leak indicators
DragonForce1 event · 1 leak indicator
INC Ransom1 event · 0 leak indicators
Kraken1 event · 1 leak indicator
PEAR1 event · 1 leak indicator

Real Estate10

Qilin4 events · 2 leak indicators
RADAR4 events · 0 leak indicators
DragonForce1 event · 1 leak indicator
RALord1 event · 1 leak indicator

Hospitals and Health Care8

Qilin3 events · 1 leak indicator
Devman1 event · 1 leak indicator
RADAR1 event · 0 leak indicators
RALord1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator
Sinobi1 event · 1 leak indicator

Transportation, Logistics, Supply Chain and Storage7

Coinbase Cartel3 events · 0 leak indicators
Qilin3 events · 1 leak indicator
Dire Wolf1 event · 1 leak indicator

Medical Practice6

Qilin4 events · 0 leak indicators
Devman1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator

Software Development6

Qilin3 events · 2 leak indicators
PEAR1 event · 1 leak indicator
PLAY1 event · 0 leak indicators
Radiant1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 58
11-50 employees 48
2-10 employees 22
201-500 employees 21
501-1,000 employees 17
1,001-5,000 employees 13

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
PLAY	Packaging and Containers Manufacturing	United States	Claim only	2025-10-19
Qilin	Government Administration	Spain	Data leak	2025-10-19
Everest	Aviation and Aerospace Component Manufacturing	United States	Claim only	2025-10-19
SAFEPAY	Hospitals and Health Care	United States	Data leak	2025-10-19
RADAR	Hospitals and Health Care	United States	Claim only	2025-10-19
Qilin	Construction	Poland	Claim only	2025-10-19
Qilin	Food and Beverages	Spain	Claim only	2025-10-19
Qilin	Architecture and Planning	United States	Data leak	2025-10-19
Qilin	Food Production	Gabon	Claim only	2025-10-19
Qilin	Law Practice	United States	Claim only	2025-10-19
Qilin	Machinery Manufacturing	United States	Claim only	2025-10-19
Qilin	Medical Practice	United Kingdom	Claim only	2025-10-19

News and research context

Recent articles from the same time window.

PF deflagra a Operação Decrypt contra organização criminosa especializada em ataques cibernéticos - Polícia Federal 2025-10-17

Brasília/DF. A Polícia Federal deflagrou, nesta sexta-feira (17/10), a Operação Decrypt, com o cumprimento de dois mandados de busca e apreensão em Minas Gerais e de um mandado de…

IT-ISAC: Quarterly IT Sector Ransomware Analysis 2025-10-17

In Q3 2025, the Information Technology - Information Sharing and Analysis Center (IT-ISAC) recorded a total of 1,417 ransomware attacks, with the Critical Manufacturing, Commercia…

Extortion and ransomware drive over half of cyberattacks 2025-10-17

In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering.…

Hackergruppe Akira attackiert rund 200 Unternehmen in der Schweiz - computerworld.ch 2025-10-17

Related actor: Akira

Seit April vergangenen Jahres führt die Bundesanwaltschaft (BA) ein Strafverfahren, wie der Bund am Donnerstag mitteilte. Die Ermittlungen werden unter Koordination des Bundesamte…

Devman’s RaaS Launch: The Affiliate Who Aims to Become the Boss 2025-10-16

Related actor: Devman

In late September 2025, a ransomware operator known as Devman sent me a link to a new Ransomware-as-a-Service platform days before its public launch. For months, the man behind th…

Canadian Tire says passwords, credit card info impacted in recent data breach 2025-10-16

Canadian Tire Corporation (CTC), the parent company of the stores listed above, notified customers on Tuesday that it had identified a data breach involving customer information i…

Microsoft Disrupted Vanilla Tempest Attack by Revoking Certificates Used to Sign Fake Teams File 2025-10-16

Related actor: Rhysida

Microsoft announced that it had revoked more than 200 digital certificates exploited by the notorious Vanilla Tempest hacking group. This action effectively disrupted an ongoin…

Vegetable Marketing Organisation faces ransomware attack, data of 7,000 users potentially compromised 2025-10-15

15th October 2025 – (Hong Kong) The Vegetable Marketing Organisation (VMO) has revealed that a ransomware attack was detected on a segment of its computer systems on 13th October.…

Cyber Incident Response | Sugar Land, TX - Official Website 2025-10-15

Related actor: Qilin

The City of Sugar Land experienced a cyber incident on Thursday, October 9. The Sugar Land Police Department is working closely with local, state and federal law enforcement offic…

Capita fined £14m for data breach affecting over 6m people | ICO 2025-10-15

Related actor: BlackBasta

We have issued a fine of £14m to Capita for failing to ensure the security of personal data related to a breach in 2023 that saw hackers steal millions of people’s information.…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.