Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2025-12-15 → 2025-12-21 UTC
Choose a report date
Previous week Next week
Observed events
205
Public claims in the selected week
Data leak indicators
111
54.1% of observed events
Active actors
37
Distinct groups with observed activity
Torrent-linked events
1
Events intersecting with torrent intelligence

What changed this week?

Qilin generated the highest visible claim volume this week, representing 18.5% of observed events.
54.1% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Construction was the most represented sector in this window with 16 observed events.
5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
1 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2025-12-21 UTC.
Leak sites observed this week
37
Leak sites online near report date
0
Threat actor profiles updated this week
2
Countries represented this week
36
Sectors represented this week
79

Top active actors

By observed claim volume
Qilin
38 events · 14 leak indicators
Sinobi
31 events · 8 leak indicators
SAFEPAY
23 events · 23 leak indicators
Akira
13 events · 1 leak indicator
Devman
12 events · 0 leak indicators
INC Ransom
12 events · 9 leak indicators
DragonForce
9 events · 9 leak indicators
Payouts King
9 events · 9 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • MS13-089 2 events
  • Kairos 1 event
  • Osiris 1 event
  • Termite 1 event
  • WALocker 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States94
  • Sinobi26 events · 6 leak indicators
  • Akira12 events · 1 leak indicator
  • Qilin10 events · 3 leak indicators
  • SAFEPAY9 events · 9 leak indicators
  • DragonForce6 events · 6 leak indicators
  • INC Ransom6 events · 5 leak indicators
  • PLAY4 events · 4 leak indicators
  • Anubis3 events · 0 leak indicators
Canada15
  • Qilin3 events · 0 leak indicators
  • Devman2 events · 0 leak indicators
  • INC Ransom2 events · 2 leak indicators
  • SAFEPAY2 events · 2 leak indicators
  • Akira1 event · 0 leak indicators
  • Anubis1 event · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • Nitrogen1 event · 1 leak indicator
Germany14
  • SAFEPAY10 events · 10 leak indicators
  • Payouts King3 events · 3 leak indicators
  • Qilin1 event · 1 leak indicator
France6
  • Crypto241 event · 1 leak indicator
  • Devman1 event · 0 leak indicators
  • Payouts King1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
  • SAFEPAY1 event · 1 leak indicator
  • World Leaks1 event · 1 leak indicator
Italy6
  • Sinobi2 events · 1 leak indicator
  • Everest1 event · 0 leak indicators
  • INC Ransom1 event · 0 leak indicators
  • Medusa1 event · 1 leak indicator
  • MS13-0891 event · 1 leak indicator
United Kingdom5
  • Devman1 event · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • Payouts King1 event · 1 leak indicator
  • Sinobi1 event · 1 leak indicator
  • World Leaks1 event · 1 leak indicator
Argentina3
  • Qilin3 events · 3 leak indicators
Belgium3
  • Payouts King1 event · 1 leak indicator
  • Qilin1 event · 1 leak indicator
  • RALord1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction16
  • SAFEPAY6 events · 6 leak indicators
  • Sinobi3 events · 1 leak indicator
  • Qilin2 events · 0 leak indicators
  • Akira1 event · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • INC Ransom1 event · 1 leak indicator
  • Nitrogen1 event · 1 leak indicator
  • Payouts King1 event · 1 leak indicator
Legal Services9
  • SAFEPAY3 events · 3 leak indicators
  • DragonForce2 events · 2 leak indicators
  • Anubis1 event · 0 leak indicators
  • MS13-0891 event · 1 leak indicator
  • Sinobi1 event · 0 leak indicators
  • World Leaks1 event · 1 leak indicator
Law Practice8
  • Qilin3 events · 0 leak indicators
  • World Leaks2 events · 2 leak indicators
  • Akira1 event · 0 leak indicators
  • INC Ransom1 event · 1 leak indicator
  • Rhysida1 event · 1 leak indicator
Hospitals and Health Care6
  • Anubis1 event · 0 leak indicators
  • MS13-0891 event · 0 leak indicators
  • RALord1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
  • Sinobi1 event · 0 leak indicators
  • Termite1 event · 1 leak indicator
Real Estate6
  • Sinobi2 events · 1 leak indicator
  • Akira1 event · 0 leak indicators
  • INC Ransom1 event · 0 leak indicators
  • PEAR1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
Engineering Services5
  • Sinobi2 events · 0 leak indicators
  • Akira1 event · 0 leak indicators
  • Crypto241 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
Food and Beverage Services5
  • Qilin2 events · 0 leak indicators
  • Akira1 event · 0 leak indicators
  • Gentlemen1 event · 0 leak indicators
  • Medusa1 event · 1 leak indicator
IT Services and IT Consulting5
  • Qilin2 events · 1 leak indicator
  • BlackShrantac1 event · 0 leak indicators
  • Coinbase Cartel1 event · 0 leak indicators
  • Payouts King1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 11-50 employees 56
  • 51-200 employees 52
  • 2-10 employees 26
  • 201-500 employees 26
  • 1,001-5,000 employees 7
  • 501-1,000 employees 7

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Qilin Staffing and Recruiting United States Data leak 2025-12-21
Anubis Medical Practice United States Claim only 2025-12-21
DragonForce Construction Slovakia Data leak 2025-12-21
INC Ransom Motor Vehicle Manufacturing Italy Claim only 2025-12-21
INC Ransom Sporting Goods Manufacturing Hungary Claim only 2025-12-21
INC Ransom Law Practice United States Data leak 2025-12-21
Lynx Transportation, Logistics, Supply Chain and Storage Paraguay Data leak 2025-12-21
PLAY Security Systems Services Canada Claim only 2025-12-20
PLAY Civil Engineering United States Data leak 2025-12-20
Qilin Luxury Goods and Jewelry Belgium Data leak 2025-12-20
Qilin Telecommunications Peru Claim only 2025-12-20
Qilin Construction United States Claim only 2025-12-20

News and research context

Recent articles from the same time window.
Prosper Notice of Data Breach - Prosper 2025-12-15
On September 1, 2025, Prosper discovered unauthorized activity on our systems. We acted quickly to stop the activity and enhance our security measures, and we began working with a…

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.