Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-11-12 → 2025-11-18 UTC

Choose a report date

Observed events

146

Public claims in the selected week

Data leak indicators

113

77.4% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

INC Ransom generated the highest visible claim volume this week, representing 15.8% of observed events.

•

77.4% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 10 observed events.

•

2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

11 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-11-18 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

INC Ransom

23 events · 23 leak indicators

Qilin

21 events · 17 leak indicators

Akira

20 events · 16 leak indicators

CL0P

11 events · 8 leak indicators

SAFEPAY

8 events · 8 leak indicators

BlackShrantac

6 events · 0 leak indicators

Everest

5 events · 5 leak indicators

Coinbase Cartel

4 events · 2 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

MedusaLocker 1 event
Skira 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States77

Akira17 events · 13 leak indicators
Qilin11 events · 10 leak indicators
CL0P9 events · 7 leak indicators
INC Ransom9 events · 9 leak indicators
Everest4 events · 4 leak indicators
Coinbase Cartel3 events · 1 leak indicator
PEAR3 events · 3 leak indicators
PLAY3 events · 3 leak indicators

Canada7

Qilin3 events · 2 leak indicators
Akira1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
MedusaLocker1 event · 0 leak indicators
SAFEPAY1 event · 1 leak indicator

India6

BlackShrantac2 events · 0 leak indicators
INC Ransom2 events · 2 leak indicators
CL0P1 event · 0 leak indicators
NightSpire1 event · 1 leak indicator

Switzerland5

RansomHouse2 events · 0 leak indicators
BrotherHood1 event · 0 leak indicators
Qilin1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Australia4

BrotherHood2 events · 0 leak indicators
INC Ransom2 events · 2 leak indicators

Italy4

Qilin2 events · 1 leak indicator
INC Ransom1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Mexico3

Coinbase Cartel1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RALord1 event · 1 leak indicator

Spain3

Devman1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
World Leaks1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction10

INC Ransom2 events · 2 leak indicators
SAFEPAY2 events · 2 leak indicators
Sinobi2 events · 2 leak indicators
Akira1 event · 1 leak indicator
Medusa1 event · 1 leak indicator
Qilin1 event · 1 leak indicator
RALord1 event · 1 leak indicator

Accounting5

BlackShrantac1 event · 0 leak indicators
MedusaLocker1 event · 0 leak indicators
PEAR1 event · 1 leak indicator
Rhysida1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Advertising Services5

BlackShrantac1 event · 0 leak indicators
CL0P1 event · 1 leak indicator
Coinbase Cartel1 event · 0 leak indicators
Dire Wolf1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator

Oil and Gas5

Akira1 event · 1 leak indicator
CL0P1 event · 1 leak indicator
Everest1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Real Estate5

Akira2 events · 1 leak indicator
DragonForce1 event · 1 leak indicator
INC Ransom1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Appliances, Electrical, and Electronics Manufacturing4

Akira1 event · 1 leak indicator
CL0P1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Education Administration Programs4

INC Ransom2 events · 2 leak indicators
SAFEPAY2 events · 2 leak indicators

Law Practice4

INC Ransom2 events · 2 leak indicators
Anubis1 event · 0 leak indicators
PEAR1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

51-200 employees 41
11-50 employees 31
201-500 employees 18
1,001-5,000 employees 16
501-1,000 employees 10
2-10 employees 8

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Sinobi	Food and Beverage Manufacturing	United States	Data leak	2025-11-18
Qilin	Design Services	Canada	Data leak	2025-11-18
INC Ransom	Education Administration Programs	Canada	Data leak	2025-11-18
SAFEPAY	Transportation, Logistics, Supply Chain and Storage	Puerto Rico	Data leak	2025-11-18
INC Ransom	Pharmaceutical Manufacturing	India	Data leak	2025-11-18
Skira	Consumer Services	Thailand	Claim only	2025-11-18
INC Ransom	Libraries	United States	Data leak	2025-11-18
INC Ransom	Education Administration Programs	United Kingdom	Data leak	2025-11-18
INC Ransom	Manufacturing	United States	Data leak	2025-11-18
INC Ransom	IT Services and IT Consulting	Germany	Data leak	2025-11-18
Akira	Civil Engineering	United States	Data leak	2025-11-18
Qilin	Retail Office Equipment	Barbados	Data leak	2025-11-18

News and research context

Recent articles from the same time window.

Semi-Annual Report 2025/1 2025-11-18

Ransomware and associated data extortion continue to pose a significant threat to organisations of all types in Switzerland. In the first half of 2025, the NCSC received 57 report…

Ransomware targeting individuals and small businesses: Vulnerabilities and impacts 2025-11-18

This study examines the experiences of 331 Australian individuals and small to medium enterprise (SME) owners who were victims of ransomware. We used survey data to understand how…

Incident de cybersécurité chez Eurofiber France 2025-11-17

Eurofiber France annonce qu’un incident de cybersécurité a été détecté le 13 novembre 2025. Il concerne la plateforme de gestion des tickets utilisée par Eurofiber France et ses m…

Cybersecurity incident information and FAQ - Princeton University 2025-11-17

On November 10, a Princeton University Advancement database containing information about alumni, donors, some faculty, students, parents, and other members of the University commu…

MedQ Agrees to Settlement to Resolve Ransomware Attack Lawsuit 2025-11-14

MedQ Inc., an administrative service provider serving the healthcare industry, has agreed to settle class action litigation over a December 2023 ransomware attack that affected 54…

Average ransomware payments in Australia halve to AUD $711,000 2025-11-14

The average ransom paid by Australian companies following a cyber-attack has dropped to AUD $711,000, almost halving from its peak of AUD $1.35 million last year. The latest data…

Unleashing the Kraken ransomware group 2025-11-13

Related actor: Kraken

The Kraken ransomware group, which emerged in February 2025, employs a double extortion technique and appears to be opportunistic, as it has not concentrated on any specific busin…

Protecting our Merchants: Standing up to Extortion 2025-11-13

Related actor: ShinyHunters

Our statement detailing an incident concerning a legacy system. We outline our commitment to transparency, accountability, and planned investment in cyber security research. La…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.