Verisure, the leading provider of professionally monitored security services with around-the-clock response in Europe and South America, recently discovered unauthorized access by a third…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-10-15 → 2025-10-21 UTC
- Observed events: 200 (public claims in the selected week)
- Data leak indicators: 129 (64.5% of observed events)
- Active actors: 36 (distinct groups with observed activity)
- Torrent-linked events: 6 (events intersecting with torrent intelligence)
What changed this week?
- Qilin generated the highest visible claim volume this week, representing 31.0% of observed events.
- 64.5% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 13 observed events.
- 6 actors appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 6 observed events this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-10-21 UTC.
- Leak sites observed this week: 36
- Leak sites online near report date: 1
- Threat actor profiles updated this week: 1
- Countries represented this week: 37
- Sectors represented this week: 83
Top active actors
By observed claim volume
- Qilin: 62 events · 31 leak indicators
- Coinbase Cartel: 17 events · 6 leak indicators
- Sinobi: 17 events · 17 leak indicators
- Akira: 10 events · 7 leak indicators
- PLAY: 10 events · 8 leak indicators
- Genesis: 9 events · 9 leak indicators
- CL0P: 7 events · 6 leak indicators
- DragonForce: 7 events · 7 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- Coinbase Cartel 17 events
- Genesis 9 events
- BlackField 1 event
- FulcrumSec 1 event
- Kraken 1 event
- Kyber 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Top actors for this week are listed under each country.
United States: 119
- Qilin: 39 events · 22 leak indicators
- Sinobi: 15 events · 15 leak indicators
- PLAY: 10 events · 8 leak indicators
- Akira: 9 events · 6 leak indicators
- Genesis: 9 events · 9 leak indicators
- CL0P: 6 events · 5 leak indicators
- Coinbase Cartel: 6 events · 2 leak indicators
- Lynx: 4 events · 4 leak indicators
Canada: 10
- Qilin: 6 events · 4 leak indicators
- Coinbase Cartel: 2 events · 2 leak indicators
- Akira: 1 event · 1 leak indicator
- Brain Cipher: 1 event · 0 leak indicators
Germany: 8
- Coinbase Cartel: 2 events · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
- RALord: 1 event · 1 leak indicator
- RansomHouse: 1 event · 1 leak indicator
- Rhysida: 1 event · 1 leak indicator
- Sinobi: 1 event · 1 leak indicator
Australia: 5
- RADAR: 3 events · 0 leak indicators
- Anubis: 1 event · 0 leak indicators
- Lynx: 1 event · 1 leak indicator
France: 4
- Coinbase Cartel: 1 event · 0 leak indicators
- Devman: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
Spain: 4
- Qilin: 3 events · 2 leak indicators
- DragonForce: 1 event · 1 leak indicator
Switzerland: 4
- Coinbase Cartel: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- PEAR: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
United Kingdom: 4
- DragonForce: 1 event · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
- Radiant: 1 event · 0 leak indicators
- Rhysida: 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Top actors for this week are listed under each sector.
Construction: 13
- Qilin: 5 events · 0 leak indicators
- PLAY: 2 events · 2 leak indicators
- Sinobi: 2 events · 2 leak indicators
- Akira: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
- Rhysida: 1 event · 1 leak indicator
Hospitals and Health Care: 9
- Qilin: 2 events · 1 leak indicator
- BlackField: 1 event · 0 leak indicators
- Devman: 1 event · 1 leak indicator
- Lynx: 1 event · 1 leak indicator
- RADAR: 1 event · 0 leak indicators
- RALord: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
- Sinobi: 1 event · 1 leak indicator
Government Administration: 8
- Qilin: 3 events · 2 leak indicators
- Lynx: 2 events · 2 leak indicators
- Brain Cipher: 1 event · 0 leak indicators
- Devman: 1 event · 1 leak indicator
- Sarcoma: 1 event · 1 leak indicator
Real Estate: 8
- RADAR: 4 events · 0 leak indicators
- Akira: 1 event · 1 leak indicator
- Qilin: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
- Sinobi: 1 event · 1 leak indicator
Software Development: 8
- Qilin: 4 events · 3 leak indicators
- DragonForce: 1 event · 1 leak indicator
- PEAR: 1 event · 1 leak indicator
- PLAY: 1 event · 0 leak indicators
- Radiant: 1 event · 0 leak indicators
Law Practice: 7
- Qilin: 2 events · 1 leak indicator
- Coinbase Cartel: 1 event · 0 leak indicators
- DragonForce: 1 event · 1 leak indicator
- INC Ransom: 1 event · 0 leak indicators
- Kraken: 1 event · 1 leak indicator
- PEAR: 1 event · 1 leak indicator
Medical Practice: 7
- Qilin: 3 events · 0 leak indicators
- Devman: 1 event · 0 leak indicators
- Genesis: 1 event · 1 leak indicator
- Rhysida: 1 event · 1 leak indicator
- Sinobi: 1 event · 1 leak indicator
Financial Services: 6
- Coinbase Cartel: 2 events · 1 leak indicator
- Qilin: 2 events · 2 leak indicators
- BlackShrantac: 1 event · 0 leak indicators
- Genesis: 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees: 52
- 11-50 employees: 44
- 2-10 employees: 25
- 201-500 employees: 25
- 501-1,000 employees: 17
- 10,001+ employees: 12
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Qilin | Restaurants | United States | Claim only | 2025-10-21 |
| Sinobi | Appliances, Electrical, and Electronics Manufacturing | United States | Data leak | 2025-10-21 |
| Qilin | Investment Management | United States | Data leak | 2025-10-21 |
| PLAY | Construction | United States | Data leak | 2025-10-21 |
| PLAY | Architecture and Planning | United States | Data leak | 2025-10-21 |
| Sinobi | Food and Beverage Services | United States | Data leak | 2025-10-21 |
| Sinobi | Dentists | United States | Data leak | 2025-10-21 |
| Qilin | Automotive | Netherlands | Data leak | 2025-10-21 |
| Genesis | Medical Equipment Manufacturing | United States | Data leak | 2025-10-21 |
| Genesis | Retail | United States | Data leak | 2025-10-21 |
| Genesis | Legal Services | United States | Data leak | 2025-10-21 |
| Genesis | Insurance | United States | Data leak | 2025-10-21 |
News and research context
Recent articles from the same time window.
[Important] Notice and apology regarding the suspension of order acceptance due to a system failure caused by a ransomware infection
2025-10-20
Related actor: RansomHouse
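A system failure caused by a ransomware infection is currently affecting the ASKUL website, and we have suspended order-receiving and shipping operations.
We are currently investigating the scope of the impact, including any external leakage of personal information or customer data, and will provide an update as soon as it is known.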
Brasília/DF. This Friday (17/10), the Federal Police launched Operation Decrypt, executing two search and seizure warrants in Minas Gerais and one warrant for…
In Q3 2025, the Information Technology - Information Sharing and Analysis Center (IT-ISAC) recorded a total of 1,417 ransomware attacks, with the Critical Manufacturing, Commercia…
In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering.…
Related actor: Akira
Since April of last year, the Office of the Attorney General (Bundesanwaltschaft, BA) has been conducting criminal proceedings, the federal government announced on Thursday. The investigations are being coordinated by the Federal Office…
Related actor: Devman
In late September 2025, a ransomware operator known as Devman sent me a link to a new Ransomware-as-a-Service platform days before its public launch. For months, the man behind th…
Canadian Tire Corporation (CTC), the parent company of the stores listed above, notified customers on Tuesday that it had identified a data breach involving customer information i…
Microsoft Disrupted Vanilla Tempest Attack by Revoking Certificates Used to Sign Fake Teams File
2025-10-16
Related actor: Rhysida
Microsoft announced that it had revoked more than 200 digital certificates exploited by the notorious Vanilla Tempest hacking group.
This action effectively disrupted an ongoin…
15th October 2025 – (Hong Kong) The Vegetable Marketing Organisation (VMO) has revealed that a ransomware attack was detected on a segment of its computer systems on 13th October.…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.