Baker University is providing notice of a recent data security event that may affect the security of information related to certain individuals. This notice provides information a…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-12-17 → 2025-12-23 UTC
Observed events
195
Public claims in the selected week
Data leak indicators
112
57.4% of observed events
Active actors
35
Distinct groups with observed activity
Torrent-linked events
1
Events intersecting with torrent intelligence
What changed this week?
- Qilin generated the highest visible claim volume this week, representing 30.8% of observed events.
- 57.4% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 12 observed events.
- 4 actors appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 1 observed event in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 2 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-12-23 UTC.
Leak sites observed this week
35
Leak sites online near report date
2
Threat actor profiles updated this week
2
Countries represented this week
39
Sectors represented this week
86
Top active actors
By observed claim volume
Qilin
60 events · 31 leak indicators
Sinobi
20 events · 12 leak indicators
SAFEPAY
17 events · 17 leak indicators
Akira
12 events · 1 leak indicator
Devman
12 events · 0 leak indicators
Dire Wolf
10 events · 10 leak indicators
INC Ransom
8 events · 5 leak indicators
Lynx
7 events · 7 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- Dire Wolf 10 events
- LOCKDOWN 5 events
- Osiris 1 event
- Termite 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States 84
- Qilin 23 events · 14 leak indicators
- Sinobi 16 events · 10 leak indicators
- Akira 10 events · 1 leak indicator
- SAFEPAY 7 events · 7 leak indicators
- INC Ransom 4 events · 3 leak indicators
- Lynx 4 events · 4 leak indicators
- DragonForce 3 events · 3 leak indicators
- Anubis 2 events · 0 leak indicators
Canada 14
- Qilin 5 events · 2 leak indicators
- Devman 2 events · 0 leak indicators
- SAFEPAY 2 events · 2 leak indicators
- Akira 1 event · 0 leak indicators
- INC Ransom 1 event · 1 leak indicator
- LOCKDOWN 1 event · 0 leak indicators
- PLAY 1 event · 0 leak indicators
- Sinobi 1 event · 0 leak indicators
Germany 10
- SAFEPAY 6 events · 6 leak indicators
- Qilin 3 events · 2 leak indicators
- Lynx 1 event · 1 leak indicator
Italy 6
- Qilin 3 events · 2 leak indicators
- INC Ransom 1 event · 0 leak indicators
- Medusa 1 event · 1 leak indicator
- Sinobi 1 event · 1 leak indicator
Malaysia 6
- Dire Wolf 3 events · 3 leak indicators
- Qilin 2 events · 1 leak indicator
- WALocker 1 event · 1 leak indicator
Argentina 5
- Qilin 4 events · 3 leak indicators
- Dire Wolf 1 event · 1 leak indicator
France 5
- Qilin 2 events · 0 leak indicators
- Crypto24 1 event · 1 leak indicator
- Devman 1 event · 0 leak indicators
- SAFEPAY 1 event · 1 leak indicator
Spain 5
- Qilin 2 events · 2 leak indicators
- Devman 1 event · 0 leak indicators
- Everest 1 event · 1 leak indicator
- RansomHouse 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows.
Construction 12
- SAFEPAY 5 events · 5 leak indicators
- Qilin 3 events · 1 leak indicator
- Sinobi 2 events · 2 leak indicators
- DragonForce 1 event · 1 leak indicator
- INC Ransom 1 event · 1 leak indicator
Food and Beverage Services 8
- Qilin 5 events · 1 leak indicator
- Akira 1 event · 0 leak indicators
- Gentlemen 1 event · 0 leak indicators
- Medusa 1 event · 1 leak indicator
Hospitals and Health Care 8
- Qilin 2 events · 1 leak indicator
- Anubis 1 event · 0 leak indicators
- Devman 1 event · 0 leak indicators
- LOCKDOWN 1 event · 1 leak indicator
- SAFEPAY 1 event · 1 leak indicator
- Sinobi 1 event · 1 leak indicator
- Termite 1 event · 1 leak indicator
Law Practice 7
- Qilin 2 events · 0 leak indicators
- Akira 1 event · 0 leak indicators
- Dire Wolf 1 event · 1 leak indicator
- INC Ransom 1 event · 1 leak indicator
- INTERLOCK 1 event · 1 leak indicator
- Rhysida 1 event · 1 leak indicator
Transportation, Logistics, Supply Chain and Storage 6
- Dire Wolf 2 events · 2 leak indicators
- Lynx 2 events · 2 leak indicators
- Devman 1 event · 0 leak indicators
- Qilin 1 event · 0 leak indicators
Appliances, Electrical, and Electronics Manufacturing 5
- Qilin 2 events · 2 leak indicators
- LOCKDOWN 1 event · 0 leak indicators
- RALord 1 event · 1 leak indicator
- Sinobi 1 event · 1 leak indicator
Financial Services 5
- Leaknet Blog 1 event · 1 leak indicator
- Qilin 1 event · 0 leak indicators
- SAFEPAY 1 event · 1 leak indicator
- Sinobi 1 event · 1 leak indicator
- World Leaks 1 event · 1 leak indicator
Machinery Manufacturing 5
- Sinobi 2 events · 1 leak indicator
- Akira 1 event · 0 leak indicators
- Qilin 1 event · 1 leak indicator
- SECUROTROP 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 52
- 51-200 employees 50
- 201-500 employees 30
- 2-10 employees 18
- 1,001-5,000 employees 14
- 501-1,000 employees 9
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Anubis | Mechanical or Industrial Engineering | United Kingdom | Claim only | 2025-12-23 |
| Qilin | Primary and Secondary Education | United States | Data leak | 2025-12-23 |
| Qilin | Financial Services | Puerto Rico | Claim only | 2025-12-23 |
| SAFEPAY | Education Management | United States | Data leak | 2025-12-23 |
| Leaknet Blog | Manufacturing | China | Data leak | 2025-12-23 |
| Qilin | Food and Beverage Services | Italy | Data leak | 2025-12-23 |
| Qilin | Construction | Canada | Data leak | 2025-12-23 |
| Qilin | Education Administration Programs | Canada | Data leak | 2025-12-23 |
| Qilin | Retail | United States | Data leak | 2025-12-23 |
| Qilin | Executive Offices | United States | Data leak | 2025-12-23 |
| Qilin | Hospitals and Health Care | United States | Data leak | 2025-12-23 |
| Qilin | Industrial Automation | United States | Data leak | 2025-12-23 |
News and research context
Recent articles from the same time window.
Romania's cybersecurity agency confirms a major ransomware attack on the country's water management administration has compromised around 1,000 systems, with work to remediate the…
An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, an…
Related actor: CL0P
The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
Gladinet CentreStack enabl…
Minersville School District continues to probe ransomware attack – Pottsville Republican Herald
2025-12-18
The Minersville School District on Wednesday continued to investigate a ransomware attack that forced it to close schools for two days so far and left the district unable to acces…
Officials at the Ungava Tulattavik Health Centre (UTHC) in Kuujjuaq, Que., say a cyberattack in November compromised some client and staff information.
Early analyses "indicat…
Ombudsman IT systems taken offline after ransomware attack as data may have been accessed
2025-12-18
THE OFFICE OF the Ombudsman has taken its IT systems offline after being targeted in a “financially motivated” ransomware attack, with investigators operating on the basis that da…
We hereby announce that our local subsidiary in Vietnam, DAINICHI COLOR VIETNAM CO., LTD. (the “Subsidiary”), has experienced unauthorized access by a third party, resulting in a…
[11/20/2025] – Fieldtex Products, Inc. (“Fieldtex”) has become aware of a data security incident that may have impacted certain protected health information. Fieldtex is a medical…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.