Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-11-03 → 2025-11-09 UTC

Choose a report date

Observed events

161

Public claims in the selected week

Data leak indicators

111

68.9% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 21.1% of observed events.

•

68.9% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 7 observed events.

•

2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

18 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-11-09 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

34 events · 20 leak indicators

Akira

22 events · 18 leak indicators

Warlock

17 events · 9 leak indicators

CL0P

13 events · 11 leak indicators

INC Ransom

12 events · 4 leak indicators

NightSpire

10 events · 10 leak indicators

DragonForce

5 events · 5 leak indicators

INTERLOCK

4 events · 4 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Warlock 17 events
WikiLeaksV2 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States74

Akira21 events · 17 leak indicators
Qilin18 events · 11 leak indicators
CL0P6 events · 5 leak indicators
INC Ransom5 events · 3 leak indicators
INTERLOCK4 events · 4 leak indicators
PLAY4 events · 4 leak indicators
Medusa2 events · 2 leak indicators
Rhysida2 events · 2 leak indicators

United Kingdom8

CL0P4 events · 3 leak indicators
Warlock2 events · 1 leak indicator
DragonForce1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Austria7

INC Ransom5 events · 0 leak indicators
Qilin2 events · 0 leak indicators

Canada5

Qilin3 events · 2 leak indicators
Akira1 event · 1 leak indicator
DragonForce1 event · 1 leak indicator

India4

NightSpire2 events · 2 leak indicators
Gentlemen1 event · 0 leak indicators
MyData1 event · 0 leak indicators

Italy4

Qilin2 events · 2 leak indicators
DragonForce1 event · 1 leak indicator
Warlock1 event · 0 leak indicators

Spain4

Qilin2 events · 2 leak indicators
Rhysida1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator

Australia3

J Group1 event · 0 leak indicators
Medusa1 event · 1 leak indicator
RansomHouse1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction7

Akira3 events · 3 leak indicators
Qilin2 events · 2 leak indicators
CL0P1 event · 1 leak indicator
INTERLOCK1 event · 1 leak indicator

Government Administration7

Qilin2 events · 1 leak indicator
Beast1 event · 0 leak indicators
INTERLOCK1 event · 1 leak indicator
Kryptos1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
RALord1 event · 1 leak indicator

Law Practice6

INC Ransom3 events · 0 leak indicators
Qilin2 events · 1 leak indicator
INTERLOCK1 event · 1 leak indicator

Financial Services5

Akira1 event · 1 leak indicator
CL0P1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
Warlock1 event · 0 leak indicators

Hospitality5

Qilin2 events · 2 leak indicators
Akira1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

IT Services and IT Consulting5

NightSpire2 events · 2 leak indicators
Devman1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RansomHouse1 event · 0 leak indicators

Legal Services5

Qilin3 events · 1 leak indicator
Akira1 event · 1 leak indicator
PEAR1 event · 1 leak indicator

Mining5

Akira1 event · 1 leak indicator
Beast1 event · 0 leak indicators
Medusa1 event · 1 leak indicator
Nitrogen1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 34
11-50 employees 28
1,001-5,000 employees 15
2-10 employees 15
201-500 employees 15
501-1,000 employees 13

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
J Group	Industrial Machinery Manufacturing	Australia	Claim only	2025-11-09
NightSpire	Public Health	Peru	Data leak	2025-11-09
NightSpire	Government Administration	South Africa	Data leak	2025-11-09
NightSpire	Financial Services	Nigeria	Data leak	2025-11-09
Medusa	Hospitals and Health Care	United States	Data leak	2025-11-09
Qilin	Financial Services	United States	Data leak	2025-11-09
Beast	Mining	Brazil	Claim only	2025-11-09
Beast	Government Administration	Pakistan	Claim only	2025-11-09
Beast	Telecommunications	United States	Claim only	2025-11-09
Qilin	Industrial Automation	Canada	Data leak	2025-11-09
Qilin	Appliances, Electrical, and Electronics Manufacturing	Austria	Claim only	2025-11-09
Qilin	Packaging and Containers Manufacturing	United States	Data leak	2025-11-08

News and research context

Recent articles from the same time window.

Superior Court of San Joaquin County says 'unauthorized person' accessed personal information in cybersecurity incident | abc10.com 2025-11-08

The Superior Court of San Joaquin said that it experienced a cybersecurity incident last year during which personal information was leaked. Officials said an unauthorized pers…

Russian national pleads guilty to breaking into networks for Yanluowang ransomware attacks | CyberScoop 2025-11-08

Related actor: Yanluowang

A25-year-old Russian national pleaded guilty to multiple charges stemming from their participation in ransomware attacks and faces a maximum penalty up to 53 years in prison. A…

Nitrogen ransomware: From staged loader to full-scale extortion 2025-11-08

Related actor: Nitrogen

The Nitrogen group is a sophisticated and financially motivated threat group that was first observed as a malware developer and operator in 2023. Since discovery, Nitrogen has tra…

Decrypted: Midnight Ransomware 2025-11-07

This blog dives into the technical anatomy of Midnight, its lineage from Babuk, and the critical indicators of infection. Most importantly, it offers a practical guide to decrypti…

GTO Statewide Cyber Event AAR Final | DocumentCloud 2025-11-07

The State of Nevada’s Governor’s Technology Office (GTO), under the leadership ofthe Office of the CIO, coordinated the remediation of a targeted cybersecuritybreach that disrupte…

Storing bij RTV Noord door hackers - RTV Noord 2025-11-06

RTV Noord is slachtoffer geworden van hackers. Dat heeft grote gevolgen voor uitzendingen en publicaties op al onze platforms. Er wordt hard gewerkt aan een oplossing. Het is nog…

Communication FCU To Pay Nearly $3M After Cyber Incident Exposed Member Data - CU Today 2025-11-05

Related actor: Hunters International

The $2.3-billion Communication Federal Credit Union has agreed to a $2.9-million settlement following a class-action lawsuit tied to a data breach that occurred between late Decem…

Data breach costs lead to 90% drop in operating profit at South Korean telecom giant | The Record from Recorded Future News 2025-11-04

South Korea’s major mobile carrier, SK Telecom, told shareholders that recovery costs and other losses tied to a data breach earlier this year led to a 90 percent drop in operatin…

Penn hacker claims to have stolen 1.2 million donor records in data breach 2025-11-03

A hacker has taken responsibility for last week's University of Pennsylvania "We got hacked" email incident, saying it was a far more extensive breach that exposed data on 1.2 mil…

Chicago firm that resolves ransomware attacks had rogue workers carrying out their own hacks, FBI says - Chicago Sun-Times 2025-11-03

Rogue employees of a Chicago company that specializes in negotiating ransoms to mitigate cyber attacks were carrying out their own piracy in a plot to extort millions of dollars f…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.