Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-12-03 → 2025-12-09 UTC

Choose a report date

Observed events

209

Public claims in the selected week

Data leak indicators

138

66.0% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

Qilin generated the highest visible claim volume this week, representing 24.4% of observed events.

•

66.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Real Estate was the most represented sector in this window with 13 observed events.

•

2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

14 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-12-09 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

Qilin

51 events · 27 leak indicators

Akira

26 events · 14 leak indicators

LockBit 5.0

22 events · 22 leak indicators

Sinobi

13 events · 12 leak indicators

Coinbase Cartel

12 events · 1 leak indicator

SAFEPAY

10 events · 10 leak indicators

DragonForce

9 events · 9 leak indicators

INC Ransom

6 events · 4 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

LockBit 5.0 22 events
Embargo 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States85

Qilin24 events · 14 leak indicators
Akira18 events · 7 leak indicators
Sinobi10 events · 9 leak indicators
DragonForce5 events · 5 leak indicators
INC Ransom3 events · 2 leak indicators
Anubis2 events · 0 leak indicators
Devman2 events · 0 leak indicators
Genesis2 events · 0 leak indicators

Canada14

Akira3 events · 2 leak indicators
Qilin3 events · 2 leak indicators
DragonForce2 events · 2 leak indicators
INC Ransom1 event · 1 leak indicator
INTERLOCK1 event · 1 leak indicator
Lynx1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator
SECUROTROP1 event · 1 leak indicator

United Arab Emirates11

Coinbase Cartel10 events · 1 leak indicator
ROOT1 event · 0 leak indicators

Germany8

SAFEPAY5 events · 5 leak indicators
Akira3 events · 3 leak indicators

France6

Qilin4 events · 4 leak indicators
Devman1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator

United Kingdom6

Qilin3 events · 1 leak indicator
Chaos1 event · 1 leak indicator
Genesis1 event · 0 leak indicators
Kazu1 event · 0 leak indicators

Australia5

SAFEPAY3 events · 3 leak indicators
INC Ransom1 event · 1 leak indicator
Qilin1 event · 1 leak indicator

Brazil5

World Leaks3 events · 3 leak indicators
RALord1 event · 1 leak indicator
Space Bears1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Real Estate13

Coinbase Cartel10 events · 1 leak indicator
Qilin1 event · 0 leak indicators
ROOT1 event · 0 leak indicators
Sinobi1 event · 1 leak indicator

Construction11

Qilin6 events · 4 leak indicators
Akira2 events · 0 leak indicators
Anubis1 event · 0 leak indicators
NightSpire1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Retail9

Qilin4 events · 2 leak indicators
World Leaks2 events · 2 leak indicators
Akira1 event · 0 leak indicators
Benzona1 event · 0 leak indicators
Sinobi1 event · 1 leak indicator

Government Administration7

Qilin3 events · 3 leak indicators
Anubis1 event · 0 leak indicators
DragonForce1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Law Practice7

Akira2 events · 1 leak indicator
LeakedData2 events · 2 leak indicators
Genesis1 event · 0 leak indicators
INC Ransom1 event · 0 leak indicators
Qilin1 event · 0 leak indicators

Legal Services7

Qilin3 events · 0 leak indicators
Akira2 events · 1 leak indicator
DragonForce1 event · 1 leak indicator
SAFEPAY1 event · 1 leak indicator

Architecture and Planning6

Qilin4 events · 3 leak indicators
Akira1 event · 0 leak indicators
Sinobi1 event · 1 leak indicator

Civil Engineering6

Akira2 events · 1 leak indicator
Sinobi2 events · 2 leak indicators
Qilin1 event · 0 leak indicators
SECUROTROP1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

11-50 employees 56
51-200 employees 49
201-500 employees 29
501-1,000 employees 19
2-10 employees 11
1,001-5,000 employees 7

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Sinobi	Civil Engineering	United States	Data leak	2025-12-09
Sinobi	Biotechnology Research	Netherlands	Data leak	2025-12-09
Sinobi	Retail Luxury Goods and Jewelry	United States	Data leak	2025-12-09
Leaknet Blog	Hospitals and Health Care	Cyprus	Data leak	2025-12-09
Qilin	Travel Arrangements	Argentina	Data leak	2025-12-09
Qilin	Retail	United Kingdom	Data leak	2025-12-09
Devman	Hospitals and Health Care	United States	Claim only	2025-12-09
Devman	Non-profit Organizations	France	Claim only	2025-12-09
Qilin	Construction	Singapore	Claim only	2025-12-09
Qilin	Retail	Paraguay	Claim only	2025-12-09
Qilin	Law Firm	France	Data leak	2025-12-09
Genesis	Staffing and Recruiting	United Kingdom	Claim only	2025-12-09

News and research context

Recent articles from the same time window.

New BYOVD loader behind DeadLock ransomware attack 2025-12-09

Related actor: DeadLock

Talos observed that the threat actor deployed DeadLock ransomware as the payload in their attack. DeadLock ransomware has been active since as early as July 2025 and, unlike other…

Makop ransomware: GuLoader and privilege escalation in attacks against Indian businesses 2025-12-09

Related actor: Makop

The pattern which emerged was that attackers prefer to work in a low complexity and low effort manner. Most victims were compromised through RDP and frequently after that attacker…

Village of Golf Manor considering paying ransom amid cyberattack 2025-12-09

The village of Golf Manor will consider paying a $10,000 ransom to unlock computer systems affected by a recent cyberattack. The ransomware attack infiltrated and encrypted the…

Ladies’ College is targeted in a ransomware attack 2025-12-06

No data, including information on pupils, was understood to be accessed or copied. But the school immediately reported itself to the Office of the Data Protection Authority for…

FinCEN Issues Financial Trend Analysis on Ransomware | FinCEN.gov 2025-12-05

Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA)…

Communiqué du 26 novembre relatif au vol de données - FFF 2025-12-04

La FFF informe que le logiciel utilisé par les clubs pour leur gestion administrative et notamment celle de leurs licenciés a été victime d’un acte de cybermalveillance et d’un vo…

Fintech firm Marquis notifies affected business after ransomware breach 2025-12-04

Dec 3 (Reuters) - Fintech firm Marquis is notifying U.S. banks and credit unions after an August ransomware attack allowed hackers to access files containing customer data, accord…

University of Pennsylvania, Data Breach Notification 2025-12-03

We are writing to notify you of a data security incident in a third-party Oracle software application at the University of Pennsylvania (“Penn” or “University”) that involved some…

NCFE is actively responding to a cyber security incident | NCFE 2025-12-03

NCFE is actively responding to a cyber security incident after we discovered suspicious activity on our systems late last week. While this remains ongoing, we wanted to make custo…

Prvé slová ministerstva hospodárstva o kybernetickom útoku: Došlo k najhoršiemu?! | Koktejl.sk 2025-12-03

Ministerstvo hospodárstva (MH) SR v priebehu utorka identifikovalo podozrenie na kybernetický incident zameraný na rezortné informačné systémy. Pokus o prienik bol odhalený včas a…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.