Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-12-01 → 2025-12-07 UTC
Choose a report date
Previous week Next week
Observed events
206
Public claims in the selected week
Data leak indicators
132
64.1% of observed events
Active actors
34
Distinct groups with observed activity
Torrent-linked events
12
Events intersecting with torrent intelligence

What changed this week?

Qilin generated the highest visible claim volume this week, representing 24.3% of observed events.
64.1% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Construction was the most represented sector in this window with 14 observed events.
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
12 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2025-12-07 UTC.
Leak sites observed this week
34
Leak sites online near report date
1
Threat actor profiles updated this week
1
Countries represented this week
37
Sectors represented this week
77

Top active actors

By observed claim volume
Qilin
50 events · 20 leak indicators
Akira
26 events · 12 leak indicators
LockBit 5.0
22 events · 22 leak indicators
Devman
11 events · 6 leak indicators
INC Ransom
9 events · 7 leak indicators
SAFEPAY
9 events · 9 leak indicators
Sinobi
9 events · 8 leak indicators
DragonForce
8 events · 8 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • LockBit 5.0 22 events
  • Embargo 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States93
  • Qilin21 events · 11 leak indicators
  • Akira19 events · 8 leak indicators
  • Sinobi9 events · 8 leak indicators
  • DragonForce5 events · 5 leak indicators
  • PLAY5 events · 5 leak indicators
  • Genesis4 events · 0 leak indicators
  • INC Ransom4 events · 3 leak indicators
  • Devman3 events · 2 leak indicators
Canada11
  • Akira3 events · 0 leak indicators
  • Qilin3 events · 2 leak indicators
  • Devman1 event · 1 leak indicator
  • DragonForce1 event · 1 leak indicator
  • INC Ransom1 event · 1 leak indicator
  • Lynx1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Germany10
  • SAFEPAY5 events · 5 leak indicators
  • Akira1 event · 1 leak indicator
  • Chaos1 event · 1 leak indicator
  • DragonForce1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
  • RansomHouse1 event · 0 leak indicators
Australia7
  • SAFEPAY3 events · 3 leak indicators
  • INC Ransom2 events · 2 leak indicators
  • Qilin2 events · 1 leak indicator
France4
  • Qilin3 events · 3 leak indicators
  • Rhysida1 event · 1 leak indicator
Japan4
  • Coinbase Cartel1 event · 0 leak indicators
  • INC Ransom1 event · 0 leak indicators
  • Lynx1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
Switzerland4
  • Akira1 event · 1 leak indicator
  • Everest1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
  • ROOT1 event · 0 leak indicators
Italy3
  • DATACARRY1 event · 1 leak indicator
  • LockBit 5.01 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction14
  • Qilin4 events · 3 leak indicators
  • Akira3 events · 1 leak indicator
  • PLAY2 events · 2 leak indicators
  • Anubis1 event · 0 leak indicators
  • INC Ransom1 event · 1 leak indicator
  • NightSpire1 event · 1 leak indicator
  • RADAR1 event · 1 leak indicator
  • Sinobi1 event · 1 leak indicator
Legal Services9
  • Qilin5 events · 1 leak indicator
  • Akira2 events · 1 leak indicator
  • DragonForce1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Motor Vehicle Manufacturing7
  • Qilin3 events · 1 leak indicator
  • Akira1 event · 0 leak indicators
  • Chaos1 event · 1 leak indicator
  • INC Ransom1 event · 0 leak indicators
  • PLAY1 event · 1 leak indicator
Civil Engineering6
  • Akira2 events · 1 leak indicator
  • Genesis1 event · 0 leak indicators
  • Qilin1 event · 0 leak indicators
  • SECUROTROP1 event · 1 leak indicator
  • Sinobi1 event · 1 leak indicator
Hospitals and Health Care6
  • CiphBit1 event · 1 leak indicator
  • Devman1 event · 1 leak indicator
  • INC Ransom1 event · 1 leak indicator
  • Kazu1 event · 0 leak indicators
  • RALord1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Retail6
  • Akira1 event · 0 leak indicators
  • Benzona1 event · 0 leak indicators
  • Genesis1 event · 0 leak indicators
  • INC Ransom1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
  • Sinobi1 event · 1 leak indicator
Transportation, Logistics, Supply Chain and Storage6
  • Qilin2 events · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • NightSpire1 event · 1 leak indicator
  • PLAY1 event · 1 leak indicator
  • Trident1 event · 1 leak indicator
Law Practice5
  • Akira2 events · 1 leak indicator
  • LeakedData2 events · 2 leak indicators
  • INC Ransom1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 11-50 employees 50
  • 51-200 employees 46
  • 201-500 employees 26
  • 501-1,000 employees 17
  • 2-10 employees 14
  • 1,001-5,000 employees 8

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Devman Software Development Norway Claim only 2025-12-07
Sinobi Accounting United States Claim only 2025-12-07
Qilin Architecture and Planning United States Data leak 2025-12-07
Qilin Government Administration Australia Data leak 2025-12-07
Sinobi Oil and Gas United States Data leak 2025-12-07
Sinobi Real Estate United States Data leak 2025-12-07
Sinobi Retail United States Data leak 2025-12-07
Rhysida Furniture and Home Furnishings Manufacturing United States Data leak 2025-12-07
Qilin Civil Engineering Philippines Claim only 2025-12-07
Qilin Oil and Gas United States Data leak 2025-12-07
Qilin Medical Practice United States Claim only 2025-12-07
INC Ransom Motor Vehicle Manufacturing Japan Claim only 2025-12-07

News and research context

Recent articles from the same time window.

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.