Alexandru M., a 44-year-old Romanian, was sentenced in Paris to 5 years in prison, of which 1 year is suspended, for his involvement in cyberattacks with the ransomware 'Umbrella'…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2026-01-19 → 2026-01-25 UTC
- Observed events: 239 (public claims in the selected week)
- Data leak indicators: 163 (68.2% of observed events)
- Active actors: 33 (distinct groups with observed activity)
- Torrent-linked events: 11 (events intersecting with torrent intelligence)
What changed this week?
- CL0P generated the highest visible claim volume this week, representing 18.0% of observed events.
- 68.2% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 15 observed events.
- 7 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 11 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2026-01-25 UTC.
- Leak sites observed this week: 33
- Leak sites online near report date: 0
- Threat actor profiles updated this week: 2
- Countries represented this week: 41
- Sectors represented this week: 89
Top active actors
By observed claim volume
- CL0P 43 events · 43 leak indicators
- Gentlemen 28 events · 0 leak indicators
- Qilin 25 events · 14 leak indicators
- Stormous 15 events · 9 leak indicators
- Sinobi 14 events · 14 leak indicators
- NightSpire 12 events · 10 leak indicators
- Akira 10 events · 2 leak indicators
- PLAY 10 events · 10 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- Stormous 15 events
- ShinyHunters 5 events
- Brain Cipher 3 events
- LynxR 3 events
- Nitrogen 2 events
- Sarcoma 2 events
- BravoX 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States 80
- CL0P 23 events · 23 leak indicators
- PLAY 10 events · 10 leak indicators
- Sinobi 10 events · 10 leak indicators
- Qilin 6 events · 4 leak indicators
- Akira 4 events · 0 leak indicators
- SAFEPAY 4 events · 4 leak indicators
- ShinyHunters 4 events · 4 leak indicators
- NightSpire 3 events · 2 leak indicators
United Kingdom 19
- CL0P 5 events · 5 leak indicators
- Payouts King 3 events · 3 leak indicators
- NightSpire 2 events · 1 leak indicator
- Beast 1 event · 0 leak indicators
- Brain Cipher 1 event · 1 leak indicator
- Crypto24 1 event · 1 leak indicator
- Everest 1 event · 1 leak indicator
- INC Ransom 1 event · 1 leak indicator
Canada 16
- CL0P 11 events · 11 leak indicators
- Akira 1 event · 1 leak indicator
- Brain Cipher 1 event · 1 leak indicator
- LynxR 1 event · 0 leak indicators
- Nitrogen 1 event · 1 leak indicator
- Sarcoma 1 event · 1 leak indicator
Germany 9
- Qilin 3 events · 1 leak indicator
- Payouts King 2 events · 2 leak indicators
- DragonForce 1 event · 1 leak indicator
- SAFEPAY 1 event · 1 leak indicator
- ShinyHunters 1 event · 1 leak indicator
- World Leaks 1 event · 1 leak indicator
Taiwan 8
- Everest 3 events · 3 leak indicators
- NightSpire 2 events · 2 leak indicators
- Qilin 2 events · 0 leak indicators
- Gentlemen 1 event · 0 leak indicators
Italy 6
- Gentlemen 2 events · 0 leak indicators
- CL0P 1 event · 1 leak indicator
- Qilin 1 event · 0 leak indicators
- SAFEPAY 1 event · 1 leak indicator
- Sarcoma 1 event · 1 leak indicator
Spain 6
- Qilin 2 events · 2 leak indicators
- Gentlemen 1 event · 0 leak indicators
- NightSpire 1 event · 1 leak indicator
- Payouts King 1 event · 1 leak indicator
- SAFEPAY 1 event · 1 leak indicator
India 5
- Tengu 2 events · 2 leak indicators
- Devman 1 event · 0 leak indicators
- Everest 1 event · 1 leak indicator
- Sinobi 1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows.
Construction 15
- CL0P 4 events · 4 leak indicators
- Akira 3 events · 0 leak indicators
- Payouts King 2 events · 2 leak indicators
- Qilin 2 events · 1 leak indicator
- SAFEPAY 2 events · 2 leak indicators
- BlackShrantac 1 event · 0 leak indicators
- PLAY 1 event · 1 leak indicator
IT Services and IT Consulting 8
- CL0P 3 events · 3 leak indicators
- Gentlemen 2 events · 0 leak indicators
- Qilin 2 events · 2 leak indicators
- Everest 1 event · 1 leak indicator
Machinery Manufacturing 8
- Gentlemen 2 events · 0 leak indicators
- NightSpire 2 events · 2 leak indicators
- BravoX 1 event · 1 leak indicator
- Everest 1 event · 1 leak indicator
- Qilin 1 event · 1 leak indicator
- SAFEPAY 1 event · 1 leak indicator
Retail 8
- Gentlemen 2 events · 0 leak indicators
- Sinobi 2 events · 2 leak indicators
- INC Ransom 1 event · 1 leak indicator
- Qilin 1 event · 1 leak indicator
- ShinyHunters 1 event · 1 leak indicator
- World Leaks 1 event · 1 leak indicator
Law Practice 7
- CL0P 5 events · 5 leak indicators
- Anubis 1 event · 0 leak indicators
- INC Ransom 1 event · 1 leak indicator
Environmental Services 6
- Brain Cipher 1 event · 1 leak indicator
- CL0P 1 event · 1 leak indicator
- Gentlemen 1 event · 0 leak indicators
- PLAY 1 event · 1 leak indicator
- Qilin 1 event · 1 leak indicator
- Sinobi 1 event · 1 leak indicator
Financial Services 6
- CL0P 2 events · 2 leak indicators
- Gentlemen 2 events · 0 leak indicators
- Qilin 1 event · 1 leak indicator
- ShinyHunters 1 event · 1 leak indicator
Hospitality 6
- CL0P 2 events · 2 leak indicators
- Anubis 1 event · 0 leak indicators
- Benzona 1 event · 0 leak indicators
- LynxR 1 event · 0 leak indicators
- Sinobi 1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 68
- 51-200 employees 58
- 201-500 employees 29
- 2-10 employees 16
- 501-1,000 employees 15
- 1,001-5,000 employees 13
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Qilin | Machinery Manufacturing | Germany | Data leak | 2026-01-25 |
| Anubis | Hospitality | Bulgaria | Claim only | 2026-01-25 |
| Anubis | Law Practice | New Zealand | Claim only | 2026-01-25 |
| Rhysida | Biotechnology Research | United States | Claim only | 2026-01-25 |
| NightSpire | Biotechnology Research | Vietnam | Data leak | 2026-01-25 |
| NightSpire | Machinery Manufacturing | United Kingdom | Data leak | 2026-01-25 |
| NightSpire | Chemical Manufacturing | Taiwan | Data leak | 2026-01-25 |
| NightSpire | Leisure, Travel and Tourism | Spain | Data leak | 2026-01-25 |
| NightSpire | Retail Apparel and Fashion | Taiwan | Data leak | 2026-01-25 |
| CL0P | Law Practice | United States | Data leak | 2026-01-24 |
| CL0P | Law Practice | United States | Data leak | 2026-01-24 |
| CL0P | Medical Equipment Manufacturing | United States | Data leak | 2026-01-24 |
News and research context
Recent articles from the same time window.
Related actor: INTERLOCK
Winona County was the victim of a ransomware attack this week, affecting computer networks and phone systems. Many of the county’s phone lines and at least some internal networks…
The office of Verkehrsgesellschaft Main-Tauber (VGMT) and the mobility centre in Lauda have been the target of a cyberattack involving malware. Dies ist am M…
Related actor: ShinyHunters
Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in…
Related actor: Zeppelin
Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.
Ianis Aleksandrovich Antr…
Switzerland's largest private radio station was hacked on Tuesday. Winners of concert tickets are affected.
Related actor: Osiris
A new ransomware family called Osiris was used in an attack targeting a major food service franchisee operator in Southeast Asia in November 2025.
While this Osiris ransomware…
Cyber incidents - Inverclyde Council
2026-01-20
Inverclyde Council has experienced cyber incidents which include an education user account being compromised.
We continue to work with the relevant authorities and partners.…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.