South Korea’s major mobile carrier, SK Telecom, told shareholders that recovery costs and other losses tied to a data breach earlier this year led to a 90 percent drop in operatin…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-10-29 → 2025-11-04 UTC
Choose a report date
Observed events
144
Public claims in the selected week
Data leak indicators
98
68.1% of observed events
Active actors
37
Distinct groups with observed activity
Torrent-linked events
21
Events intersecting with torrent intelligence
What changed this week?
•
Akira generated the highest visible claim volume this week, representing 20.1% of observed events.
•
68.1% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 14 observed events.
•
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
21 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2025-11-04 UTC.
Leak sites observed this week
37
Leak sites online near report date
0
Threat actor profiles updated this week
2
Countries represented this week
30
Sectors represented this week
63
Top active actors
By observed claim volumeAkira
29 events · 21 leak indicators
Qilin
28 events · 22 leak indicators
INC Ransom
9 events · 7 leak indicators
PLAY
8 events · 8 leak indicators
BlackShrantac
5 events · 0 leak indicators
MyData
4 events · 0 leak indicators
NightSpire
4 events · 4 leak indicators
Brain Cipher
3 events · 0 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Metaencryptor 1 event
- Nitrogen 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States80
- Akira27 events · 20 leak indicators
- Qilin15 events · 11 leak indicators
- PLAY8 events · 8 leak indicators
- INC Ransom5 events · 3 leak indicators
- BlackShrantac3 events · 0 leak indicators
- INTERLOCK3 events · 3 leak indicators
- Leaknet Blog3 events · 3 leak indicators
- Rhysida3 events · 3 leak indicators
Canada6
- Qilin3 events · 3 leak indicators
- Brain Cipher1 event · 0 leak indicators
- Coinbase Cartel1 event · 0 leak indicators
- Obscura1 event · 0 leak indicators
Spain6
- Qilin2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- BlackNevas1 event · 0 leak indicators
- Space Bears1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Japan4
- Qilin2 events · 2 leak indicators
- RansomHouse1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
Malaysia4
- BlackShrantac1 event · 0 leak indicators
- Devman1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Obscura1 event · 1 leak indicator
Australia3
- CL0P1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- RansomHouse1 event · 1 leak indicator
France3
- Brain Cipher1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
- RALord1 event · 1 leak indicator
Germany3
- BlackField1 event · 0 leak indicators
- MyData1 event · 0 leak indicators
- SAFEPAY1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction14
- Akira5 events · 4 leak indicators
- Qilin3 events · 2 leak indicators
- BlackShrantac1 event · 0 leak indicators
- Brain Cipher1 event · 0 leak indicators
- INTERLOCK1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- Metaencryptor1 event · 1 leak indicator
- RADAR1 event · 1 leak indicator
Accounting8
- Akira4 events · 3 leak indicators
- Leaknet Blog2 events · 2 leak indicators
- BlackShrantac1 event · 0 leak indicators
- Space Bears1 event · 1 leak indicator
IT Services and IT Consulting8
- Akira1 event · 1 leak indicator
- BlackShrantac1 event · 0 leak indicators
- Devman1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- RADAR1 event · 0 leak indicators
- RansomHouse1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
Law Practice6
- BlackShrantac2 events · 0 leak indicators
- INC Ransom2 events · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Manufacturing5
- Akira1 event · 1 leak indicator
- CL0P1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Dentists4
- MyData2 events · 0 leak indicators
- Qilin2 events · 2 leak indicators
Financial Services4
- Akira1 event · 1 leak indicator
- CL0P1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Food and Beverage Manufacturing4
- INC Ransom1 event · 1 leak indicator
- MyData1 event · 0 leak indicators
- NightSpire1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 38
- 11-50 employees 31
- 2-10 employees 17
- 201-500 employees 15
- 1,001-5,000 employees 13
- 501-1,000 employees 11
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| PLAY | Utilities | United States | Data leak | 2025-11-04 |
| PLAY | Paper and Forest Product Manufacturing | United States | Data leak | 2025-11-04 |
| PLAY | Events Services | United States | Data leak | 2025-11-04 |
| INC Ransom | Law Practice | United States | Claim only | 2025-11-04 |
| Coinbase Cartel | Software Development | United Arab Emirates | Data leak | 2025-11-04 |
| Qilin | Food Production | France | Claim only | 2025-11-04 |
| Qilin | Entertainment Providers | United States | Data leak | 2025-11-04 |
| Akira | Industrial Machinery Manufacturing | United States | Data leak | 2025-11-04 |
| Akira | Accounting | United States | Claim only | 2025-11-04 |
| Rhysida | Transportation, Logistics, Supply Chain and Storage | United States | Data leak | 2025-11-04 |
| Akira | Accounting | United States | Data leak | 2025-11-04 |
| Akira | Construction | United States | Data leak | 2025-11-04 |
News and research context
Recent articles from the same time window.
A hacker has taken responsibility for last week's University of Pennsylvania "We got hacked" email incident, saying it was a far more extensive breach that exposed data on 1.2 mil…
Rogue employees of a Chicago company that specializes in negotiating ransoms to mitigate cyber attacks were carrying out their own piracy in a plot to extort millions of dollars f…
Related actor: Conti
Following his extradition from Ireland, a Ukrainian man had his initial appearance today in the Middle District of Tennessee on a 2023 indictment charging him with conspiracy to d…
What happened?
We detected unusual activity on servers in Merkle’s network. We immediately implemented our incident response protocols, took steps to contain the activity, and l…
Response to cyber incident - ReadyTech
2025-10-29
17 October 2025 – ReadyTech Holdings Limited (ASX:RDY) (ReadyTech or Company), has become
aware of a cyber incident involving its hosted student management system, VETtrak (Plat…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.