What Happened: Like many other organizations, we recently identified unauthorized access to certain computer systems and immediately took steps to secure and protect your informat…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2026-01-21 → 2026-01-27 UTC
Choose a report date
Observed events
227
Public claims in the selected week
Data leak indicators
168
74.0% of observed events
Active actors
34
Distinct groups with observed activity
Torrent-linked events
18
Events intersecting with torrent intelligence
What changed this week?
•
CL0P generated the highest visible claim volume this week, representing 19.4% of observed events.
•
74.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 17 observed events.
•
7 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
18 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
4 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2026-01-27 UTC.
Leak sites observed this week
34
Leak sites online near report date
4
Threat actor profiles updated this week
2
Countries represented this week
40
Sectors represented this week
80
Top active actors
By observed claim volumeCL0P
44 events · 44 leak indicators
Qilin
22 events · 12 leak indicators
PLAY
15 events · 14 leak indicators
Stormous
15 events · 9 leak indicators
INC Ransom
14 events · 14 leak indicators
NightSpire
14 events · 10 leak indicators
Akira
10 events · 2 leak indicators
Tengu
10 events · 9 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Stormous 15 events
- ShinyHunters 7 events
- Brain Cipher 3 events
- LynxR 3 events
- Abyss 1 event
- BravoX 1 event
- PEAR 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States94
- CL0P26 events · 26 leak indicators
- PLAY14 events · 13 leak indicators
- INC Ransom8 events · 8 leak indicators
- Qilin6 events · 4 leak indicators
- ShinyHunters6 events · 6 leak indicators
- NightSpire5 events · 2 leak indicators
- Sinobi5 events · 5 leak indicators
- Akira4 events · 0 leak indicators
United Kingdom17
- CL0P4 events · 4 leak indicators
- Payouts King3 events · 3 leak indicators
- NightSpire2 events · 1 leak indicator
- Beast1 event · 0 leak indicators
- Brain Cipher1 event · 1 leak indicator
- Crypto241 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- LynxR1 event · 0 leak indicators
Canada16
- CL0P10 events · 10 leak indicators
- Akira1 event · 1 leak indicator
- Brain Cipher1 event · 1 leak indicator
- LynxR1 event · 0 leak indicators
- PLAY1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
Germany8
- Qilin3 events · 1 leak indicator
- Payouts King2 events · 2 leak indicators
- DragonForce1 event · 1 leak indicator
- RALord1 event · 1 leak indicator
- ShinyHunters1 event · 1 leak indicator
Argentina4
- Qilin3 events · 3 leak indicators
- SAFEPAY1 event · 1 leak indicator
India4
- Tengu2 events · 1 leak indicator
- Devman1 event · 0 leak indicators
- Sinobi1 event · 1 leak indicator
Spain4
- NightSpire1 event · 1 leak indicator
- Payouts King1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Taiwan4
- NightSpire2 events · 2 leak indicators
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction17
- CL0P5 events · 5 leak indicators
- Akira3 events · 0 leak indicators
- INC Ransom2 events · 2 leak indicators
- Payouts King2 events · 2 leak indicators
- BlackShrantac1 event · 0 leak indicators
- PLAY1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
- SAFEPAY1 event · 1 leak indicator
Law Practice11
- CL0P5 events · 5 leak indicators
- INC Ransom2 events · 2 leak indicators
- Anubis1 event · 0 leak indicators
- NightSpire1 event · 0 leak indicators
- PEAR1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
Hospitality8
- CL0P3 events · 3 leak indicators
- Anubis1 event · 0 leak indicators
- Benzona1 event · 0 leak indicators
- BlackShrantac1 event · 0 leak indicators
- Genesis1 event · 0 leak indicators
- LynxR1 event · 0 leak indicators
Real Estate7
- CL0P5 events · 5 leak indicators
- Stormous1 event · 1 leak indicator
- Tengu1 event · 1 leak indicator
Retail7
- Sinobi2 events · 2 leak indicators
- Abyss1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- ShinyHunters1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Environmental Services6
- PLAY2 events · 2 leak indicators
- Brain Cipher1 event · 1 leak indicator
- CL0P1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
Architecture and Planning5
- CL0P3 events · 3 leak indicators
- Akira1 event · 0 leak indicators
- NightSpire1 event · 0 leak indicators
IT Services and IT Consulting5
- CL0P3 events · 3 leak indicators
- Qilin2 events · 2 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 67
- 51-200 employees 54
- 201-500 employees 27
- 2-10 employees 19
- 1,001-5,000 employees 10
- 501-1,000 employees 7
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| INC Ransom | Automotive | Thailand | Data leak | 2026-01-27 |
| INC Ransom | Law Practice | United States | Data leak | 2026-01-27 |
| INC Ransom | Religious Institutions | United States | Data leak | 2026-01-27 |
| INC Ransom | Construction | United States | Data leak | 2026-01-27 |
| INC Ransom | Primary and Secondary Education | United Kingdom | Data leak | 2026-01-27 |
| ShinyHunters | Software Development | United States | Data leak | 2026-01-27 |
| INC Ransom | Legal Services | United States | Data leak | 2026-01-27 |
| Sinobi | Construction | United States | Data leak | 2026-01-27 |
| Sinobi | Transportation, Logistics, Supply Chain and Storage | United States | Data leak | 2026-01-27 |
| Sinobi | Insurance | Canada | Data leak | 2026-01-27 |
| Nitrogen | Chemical Manufacturing | United States | Data leak | 2026-01-27 |
| Tengu | Travel Arrangements | Egypt | Data leak | 2026-01-27 |
News and research context
Recent articles from the same time window.
Germany's Dresden State Art Collections, or SKD which manages 15 museums and is among the oldest museum networks in Europe had its online ticket sales, visitor services, and shop…
Related actor: Insomnia
Enviro-Hub Holdings Ltd. has shared an announcement.
Enviro-Hub Holdings has disclosed that its group servers were recently hit by a ransomware attack, with an unknown party ga…
The report features insights from the Health-ISAC Ransomware Events Database, Indicator Sharing program, Physical Security, and Targeted Alerts initiative, showcasing the communit…
Alexandru M., a 44-year-old Romanian, was sentenced in Paris to 5 years in prison, of which 1 year is suspended, for his involvement in cyberattacks with the ransomware 'Umbrella'…
Winona County was the victim of a ransomware attack this week, affecting computer networks and phone systems. Many of the county’s phone lines and at least some internal networks…
Die Geschäftsstelle der Verkehrsgesellschaft Main-Tauber (VGMT) sowie die Mobilitätszentrale in Lauda sind Ziel eines Cyberangriffs mit einer Schadsoftware geworden. Dies ist am M…
Related actor: ShinyHunters
Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in…
Related actor: Zeppelin
Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.
Ianis Aleksandrovich Antr…
Das grösste Privatradio der Schweiz wurde am Dienstag gehackt. Betroffen sind Gewinnerinnen und Gewinner von Konzerttickets.
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.