Following a cybersecurity breach, the Land and Agricultural Development Bank of South Africa is under scrutiny as reports emerge of a R50 million ransom demand. The bank has confi…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2026-02-09 → 2026-02-15 UTC
Choose a report date
Observed events
210
Public claims in the selected week
Data leak indicators
145
69.0% of observed events
Active actors
37
Distinct groups with observed activity
Torrent-linked events
6
Events intersecting with torrent intelligence
What changed this week?
•
Gentlemen generated the highest visible claim volume this week, representing 13.8% of observed events.
•
69.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 11 observed events.
•
7 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
6 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2026-02-15 UTC.
Leak sites observed this week
37
Leak sites online near report date
1
Threat actor profiles updated this week
10
Countries represented this week
40
Sectors represented this week
84
Top active actors
By observed claim volumeGentlemen
29 events · 0 leak indicators
Qilin
27 events · 15 leak indicators
CL0P
25 events · 25 leak indicators
LockBit 5.0
19 events · 18 leak indicators
NightSpire
13 events · 11 leak indicators
DragonForce
12 events · 10 leak indicators
INC Ransom
12 events · 9 leak indicators
PLAY
11 events · 11 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Meduza Locker 6 events
- LeakedData 3 events
- Gunra 2 events
- Kairos 2 events
- Cloak 1 event
- Reynolds 1 event
- SecP0 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States98
- CL0P21 events · 21 leak indicators
- Qilin18 events · 10 leak indicators
- PLAY9 events · 9 leak indicators
- INC Ransom6 events · 5 leak indicators
- Akira5 events · 1 leak indicator
- DragonForce5 events · 4 leak indicators
- Sinobi4 events · 3 leak indicators
- Insomnia3 events · 3 leak indicators
Canada12
- Akira2 events · 0 leak indicators
- Meduza Locker2 events · 2 leak indicators
- PLAY2 events · 2 leak indicators
- Qilin2 events · 2 leak indicators
- INC Ransom1 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- ShinyHunters1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
India6
- Gentlemen2 events · 0 leak indicators
- NightSpire2 events · 2 leak indicators
- CL0P1 event · 1 leak indicator
- RALord1 event · 1 leak indicator
Brazil5
- Gentlemen3 events · 0 leak indicators
- Beast1 event · 0 leak indicators
- NightSpire1 event · 0 leak indicators
France4
- BravoX1 event · 1 leak indicator
- CL0P1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
United Kingdom4
- Gentlemen2 events · 0 leak indicators
- Qilin2 events · 1 leak indicator
Chile3
- Qilin2 events · 0 leak indicators
- Gentlemen1 event · 0 leak indicators
Germany3
- Cloak1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction11
- Gentlemen4 events · 0 leak indicators
- DragonForce2 events · 2 leak indicators
- INC Ransom2 events · 2 leak indicators
- CL0P1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Financial Services9
- CL0P3 events · 3 leak indicators
- ShinyHunters3 events · 3 leak indicators
- Gunra1 event · 1 leak indicator
- Kill Security1 event · 1 leak indicator
- LeakedData1 event · 1 leak indicator
IT Services and IT Consulting8
- CL0P4 events · 4 leak indicators
- Gentlemen2 events · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- RALord1 event · 1 leak indicator
Legal Services8
- Qilin3 events · 1 leak indicator
- Beast2 events · 0 leak indicators
- CL0P2 events · 2 leak indicators
- SecP01 event · 1 leak indicator
Government Administration6
- Gentlemen3 events · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
- Tengu1 event · 1 leak indicator
Hospitality5
- Gentlemen2 events · 0 leak indicators
- Insomnia1 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Hospitals and Health Care5
- Beast1 event · 0 leak indicators
- CL0P1 event · 1 leak indicator
- Genesis1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
Industrial Machinery Manufacturing5
- Akira1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 52
- 51-200 employees 45
- 201-500 employees 26
- 2-10 employees 24
- 1,001-5,000 employees 18
- 501-1,000 employees 12
Notable actor profile updates
Active actor records only.
New ransom note observed
BQTlock
2026-02-15 UTC
Updating with additional ransom note
New actor infrastructure / contact channel
BlackField
2026-02-11 UTC
Adding new email addresses
New vuln / TTP intelligence
Warlock
2026-02-09 UTC
Adding CVE-2026-24423
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| BravoX | Government Relations | France | Data leak | 2026-02-15 |
| INC Ransom | Pharmaceutical Manufacturing | Taiwan | Data leak | 2026-02-15 |
| ShinyHunters | Financial Services | United States | Data leak | 2026-02-15 |
| ShinyHunters | Financial Services | United States | Data leak | 2026-02-15 |
| Lynx | Food and Beverages | Spain | Data leak | 2026-02-15 |
| PLAY | Construction | United States | Data leak | 2026-02-15 |
| Gentlemen | IT Services and IT Consulting | Switzerland | Claim only | 2026-02-15 |
| Gentlemen | Chemical Manufacturing | Fiji | Claim only | 2026-02-15 |
| Gentlemen | Hospitality | Puerto Rico | Claim only | 2026-02-15 |
| Gentlemen | Construction | India | Claim only | 2026-02-15 |
| Gentlemen | Government Administration | South Africa | Claim only | 2026-02-15 |
| Gentlemen | IT Services and IT Consulting | Tunisia | Claim only | 2026-02-15 |
News and research context
Recent articles from the same time window.
Related actor: Rhysida
OysterLoader, also known as Broomstick and CleanUp, is a malware developed in C++, composed of multiple stages, belonging to the loader (A.k.a.: downloader) malware family. First…
The following is an update to County residents about the recent ransomware attack. Winona County officials are being assisted by nationally recognized cybersecurity and data foren…
Informatiepagina cyberincident | Odido
2026-02-12
Odido is getroffen door een cyberaanval, waarbij gegevens van een aantal klanten zijn geraakt.Odido is getroffen door een cyberaanval, waarbij gegevens van klanten zijn geraakt. H…
Related actor: World Leaks
World Leaks, the cyber-criminal data extortion group which has targeted some of the world’s biggest companies, has added a novel, never-before-seen malware to their arsenal, resea…
Related actor: DragonForce
DragonForce is a ransomware group that first emerged on December 13, 2023, when a user identified as @dragonforce on BreachForums uploaded stolen data. The group developed and dep…
Two Russian nationals stand trial in Paris in a case emblematic of the wave of ransomware attacks that France has seen for more than six years.
The trial opening Wednesday, Feb…
Related actor: Global
We recently observed a high-volume Phorpiex campaign delivered through phishing emails with the subject "Your Document.” It’s a subject line that’s been heavily used in largescale…
Related actor: Akira
Canadian fashion retailer Ardene says it is dealing with a “cyber incident.”
In an email sent to customers on Feb. 9, the Montreal-based company apologized for recent shipping…
Related actor: 0APT
A new threat actor has launched what appears to be a fake ransomware-as-a-service (RaaS) operation called 0APT. Over the last week, 0APT published a data leak site (DLS) with fake…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.