Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2026-01-28 → 2026-02-03 UTC

Choose a report date

Observed events

178

Public claims in the selected week

Data leak indicators

107

60.1% of observed events

Active actors

Distinct groups with observed activity

Torrent-linked events

Events intersecting with torrent intelligence

What changed this week?

•

CL0P generated the highest visible claim volume this week, representing 19.1% of observed events.

•

60.1% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.

•

Construction was the most represented sector in this window with 15 observed events.

•

6 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.

•

22 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

•

4 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2026-02-03 UTC.

Leak sites observed this week

Leak sites online near report date

Threat actor profiles updated this week

Countries represented this week

Sectors represented this week

Top active actors

By observed claim volume

CL0P

34 events · 33 leak indicators

Qilin

30 events · 8 leak indicators

Akira

20 events · 5 leak indicators

INC Ransom

15 events · 12 leak indicators

Devman

9 events · 0 leak indicators

Coinbase Cartel

7 events · 5 leak indicators

Everest

7 events · 7 leak indicators

Gentlemen

7 events · 0 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days

Coinbase Cartel 7 events
Linkc 2 events
Green Blood 1 event
Money Message 1 event
Morpheus 1 event
Termite 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

United States88

Akira16 events · 4 leak indicators
Qilin12 events · 3 leak indicators
INC Ransom8 events · 7 leak indicators
Devman7 events · 0 leak indicators
CL0P6 events · 5 leak indicators
Sinobi5 events · 5 leak indicators
Everest4 events · 4 leak indicators
PLAY4 events · 4 leak indicators

Australia12

CL0P11 events · 11 leak indicators
Qilin1 event · 0 leak indicators

Canada12

CL0P9 events · 9 leak indicators
Lynx1 event · 0 leak indicators
Qilin1 event · 0 leak indicators
Sinobi1 event · 1 leak indicator

United Kingdom8

CL0P3 events · 3 leak indicators
Beast1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
INTERLOCK1 event · 1 leak indicator
Qilin1 event · 0 leak indicators
World Leaks1 event · 1 leak indicator

Germany7

Qilin3 events · 0 leak indicators
Coinbase Cartel1 event · 1 leak indicator
Gentlemen1 event · 0 leak indicators
Rhysida1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

France3

Akira1 event · 0 leak indicators
Coinbase Cartel1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Hong Kong3

CL0P2 events · 2 leak indicators
Gentlemen1 event · 0 leak indicators

Italy3

Akira1 event · 1 leak indicator
CL0P1 event · 1 leak indicator
Medusa1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.

Construction15

Akira3 events · 1 leak indicator
CL0P3 events · 3 leak indicators
Qilin3 events · 1 leak indicator
Devman2 events · 0 leak indicators
DragonForce1 event · 1 leak indicator
Gentlemen1 event · 0 leak indicators
Lynx1 event · 1 leak indicator
NightSpire1 event · 1 leak indicator

IT Services and IT Consulting12

CL0P7 events · 7 leak indicators
Devman1 event · 0 leak indicators
Everest1 event · 1 leak indicator
Lynx1 event · 0 leak indicators
Sinobi1 event · 1 leak indicator
World Leaks1 event · 1 leak indicator

Manufacturing8

Qilin2 events · 1 leak indicator
Akira1 event · 0 leak indicators
CL0P1 event · 1 leak indicator
Everest1 event · 1 leak indicator
Gentlemen1 event · 0 leak indicators
Medusa1 event · 1 leak indicator
PLAY1 event · 1 leak indicator

Hospitals and Health Care6

Benzona1 event · 0 leak indicators
CL0P1 event · 0 leak indicators
Everest1 event · 1 leak indicator
Gentlemen1 event · 0 leak indicators
Qilin1 event · 1 leak indicator
Termite1 event · 1 leak indicator

Law Practice6

Akira1 event · 0 leak indicators
Anubis1 event · 0 leak indicators
Devman1 event · 0 leak indicators
INC Ransom1 event · 1 leak indicator
PEAR1 event · 1 leak indicator
Qilin1 event · 0 leak indicators

Legal Services6

INC Ransom3 events · 1 leak indicator
CL0P2 events · 2 leak indicators
DragonForce1 event · 1 leak indicator

Real Estate6

Akira2 events · 0 leak indicators
CL0P2 events · 2 leak indicators
PEAR1 event · 0 leak indicators
PLAY1 event · 1 leak indicator

Accounting5

INC Ransom3 events · 3 leak indicators
Devman1 event · 0 leak indicators
Qilin1 event · 0 leak indicators

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.

11-50 employees 52
51-200 employees 41
2-10 employees 26
201-500 employees 25
1,001-5,000 employees 10
501-1,000 employees 8

Notable actor profile updates

Active actor records only.

New ransom note observed

No ransom-note change logged in this reporting window.

New actor infrastructure / contact channel

No infrastructure/contact-channel change logged in this reporting window.

New vuln / TTP intelligence

No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.

Actor	Sector	Country	Leak proof	Seen
Devman	Wellness and Fitness Services	United States	Claim only	2026-02-03
Lynx	Public Health	Canada	Claim only	2026-02-03
Qilin	Construction	United States	Data leak	2026-02-03
INC Ransom	Services for Renewable Energy	United States	Data leak	2026-02-03
World Leaks	Events Services	Germany	Data leak	2026-02-03
Akira	Business Consulting and Services	United States	Claim only	2026-02-03
Akira	Medical Devices	United States	Claim only	2026-02-03
Akira	Machinery Manufacturing	United States	Claim only	2026-02-03
Akira	Law Practice	United States	Claim only	2026-02-03
Akira	Technology, Information and Internet	Denmark	Claim only	2026-02-03
Linkc	Data Infrastructure and Analytics	United States	Claim only	2026-02-03
Linkc	Aviation and Aerospace Component Manufacturing	United States	Claim only	2026-02-03

News and research context

Recent articles from the same time window.

Nitrogen Ransomware: ESXi malware has a bug! 2026-02-03

Related actor: Nitrogen

Because of this bug, the corrupted public key is used in the key exchange to encrypt each file. Normally, when a public-private Curve25519 keypair is generated, the private key is…

IT-Sicherheit | Hochschule Emden/Leer 2026-02-03

Hochschulen in Deutschland sind wie andere Organisationen täglich Angriffen auf ihre IT-Infrastruktur und Sicherheitssysteme ausgesetzt. Aus diesem Grund haben die Prävention, das…

The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates 2026-02-03

In October 2023, CISA added a knownRansomwareCampaignUse field to KEV, designed to help organizations prioritize more effectively. Relying on KEV for prioritization is already a t…

Security Incident - Jänner 2026 | TU Wien 2026-02-02

Am 23. Jänner 2026 kam es zu einem Security Incident im Bereich des Netzwerks der TU Wien. In diesem Zusammenhang wurden Accounts kompromittiert. Zum aktuellen Zeitpunkt kann nich…

Cybersecurity group identifies person behind Manage My Health hack | RNZ News 2026-02-02

Related actor: Kazu

The International Online Crime Coordination Centre has been tracking the hacker following the breach. "We're just mindful that we're still looking into this individual, and we…

Mass VPS Provider Breach Exposes Critical Virtualizor Flaw, Thousands of Servers Compromised - Cyber Kendra 2026-02-02

VPS ransomware attack hits CloudCone, HostSlick via Virtualizor vulnerability. Customer data was permanently lost. According to discussions in the LowEndTalk community, attacke…

New Britain’s ‘network disruption’ was due to ransomware attack, mayor says 2026-01-31

NEW BRITAIN, Conn. (WTNH) — New Britain Mayor Bobby Sanchez confirmed Friday that the “network disruption” the city’s police department was experiencing was due to a ransomware a…

DOE’s Liberty Eclipse simulates ransomware and stealth attacks to prepare utilities for real-world grid cyber threats - Industrial Cyber 2026-01-30

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response brought utilities, industry experts, and government defenders together on Plum Island,…

Cyber Centre releases Ransomware Threat Outlook 2025 to 2027 2026-01-29

Today, the Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment Canada (CSE), released its Ransomware Threat Outlook 2025 to 2027,…

Ransomware crims forced to take off-RAMP as FBI seizes forum • The Register 2026-01-29

Ransomware crims have just lost one of their best business platforms. US law enforcement has seized the notorious RAMP cybercrime forum's dark web and clearnet domains. RAMP, w…

Notes

Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

The page uses a fixed seven-day window based on the selected date.
Only public-facing actor and event records are included.
Counts and breakdowns are designed for trend review, not incident confirmation.