In its ‘The 2026 VulnCheck: Exploit Intelligence Report,’ VulnCheck identified 50 routinely targeted vulnerabilities that carried elevated risk by year’s end, while proof-of-conce…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2026-02-23 → 2026-03-01 UTC
Choose a report date
Observed events
221
Public claims in the selected week
Data leak indicators
121
54.8% of observed events
Active actors
41
Distinct groups with observed activity
Torrent-linked events
5
Events intersecting with torrent intelligence
What changed this week?
•
Qilin generated the highest visible claim volume this week, representing 20.4% of observed events.
•
54.8% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 16 observed events.
•
6 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
5 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2026-03-01 UTC.
Leak sites observed this week
41
Leak sites online near report date
0
Threat actor profiles updated this week
3
Countries represented this week
37
Sectors represented this week
86
Top active actors
By observed claim volumeQilin
45 events · 25 leak indicators
Gentlemen
28 events · 0 leak indicators
Vect
20 events · 6 leak indicators
INC Ransom
16 events · 16 leak indicators
NightSpire
12 events · 3 leak indicators
Akira
11 events · 5 leak indicators
DragonForce
7 events · 7 leak indicators
CipherForce
6 events · 4 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Vect 20 events
- CipherForce 6 events
- Atomsilo 1 event
- Blackout 1 event
- KITTYKATKREW 1 event
- MyData 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States91
- Qilin25 events · 18 leak indicators
- INC Ransom8 events · 8 leak indicators
- Akira7 events · 4 leak indicators
- DragonForce5 events · 5 leak indicators
- LeakedData5 events · 5 leak indicators
- NightSpire5 events · 0 leak indicators
- PEAR4 events · 4 leak indicators
- Termite4 events · 2 leak indicators
Brazil8
- Vect4 events · 2 leak indicators
- Gentlemen2 events · 0 leak indicators
- Gunra1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
Canada8
- Akira2 events · 0 leak indicators
- Gentlemen2 events · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- NightSpire1 event · 0 leak indicators
- Payouts King1 event · 1 leak indicator
- SecP01 event · 0 leak indicators
Thailand8
- Gentlemen6 events · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Germany7
- Akira1 event · 1 leak indicator
- Coinbase Cartel1 event · 0 leak indicators
- Gentlemen1 event · 0 leak indicators
- INC Ransom1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- Medusa1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Italy7
- NightSpire2 events · 1 leak indicator
- Qilin2 events · 0 leak indicators
- Payload1 event · 1 leak indicator
- Tengu1 event · 1 leak indicator
- Vect1 event · 0 leak indicators
France5
- Qilin2 events · 0 leak indicators
- Coinbase Cartel1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
India5
- Vect4 events · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction16
- PLAY3 events · 3 leak indicators
- DragonForce2 events · 2 leak indicators
- INC Ransom2 events · 2 leak indicators
- NightSpire2 events · 0 leak indicators
- Qilin2 events · 1 leak indicator
- BlackShrantac1 event · 0 leak indicators
- Insomnia1 event · 1 leak indicator
- Payload1 event · 1 leak indicator
Financial Services9
- LeakedData2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- Gentlemen1 event · 0 leak indicators
- Insomnia1 event · 1 leak indicator
- KITTYKATKREW1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- ShinyHunters1 event · 1 leak indicator
- Vect1 event · 1 leak indicator
Hospitals and Health Care8
- Gentlemen3 events · 0 leak indicators
- Anubis1 event · 0 leak indicators
- Kairos1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- Termite1 event · 1 leak indicator
- Vect1 event · 1 leak indicator
IT Services and IT Consulting8
- Vect2 events · 0 leak indicators
- CipherForce1 event · 1 leak indicator
- Coinbase Cartel1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Linkc1 event · 0 leak indicators
- NightSpire1 event · 0 leak indicators
- Tengu1 event · 1 leak indicator
Software Development8
- CipherForce2 events · 1 leak indicator
- Coinbase Cartel2 events · 2 leak indicators
- Vect2 events · 1 leak indicator
- Akira1 event · 1 leak indicator
- NightSpire1 event · 0 leak indicators
Accounting7
- Akira1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Gunra1 event · 1 leak indicator
- Leaknet Blog1 event · 1 leak indicator
- PEAR1 event · 1 leak indicator
- Vect1 event · 0 leak indicators
Motor Vehicle Manufacturing7
- Qilin3 events · 2 leak indicators
- Beast1 event · 0 leak indicators
- Everest1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Morpheus1 event · 0 leak indicators
Law Practice6
- PEAR2 events · 2 leak indicators
- LeakedData1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- Termite1 event · 0 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 55
- 51-200 employees 51
- 201-500 employees 26
- 2-10 employees 21
- 1,001-5,000 employees 16
- 501-1,000 employees 13
Notable actor profile updates
Active actor records only.
New ransom note observed
Payload
2026-02-23 UTC
Adding ransom note sample
New actor infrastructure / contact channel
CipherForce
2026-02-23 UTC
Adding more Telegram channels and TOX ID
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Gunra | Food and Beverage Manufacturing | Spain | Data leak | 2026-03-01 |
| Anubis | Paint, Coating, and Adhesive Manufacturing | Netherlands | Claim only | 2026-03-01 |
| INC Ransom | Construction | Israel | Data leak | 2026-03-01 |
| Blackout | Telecommunications | Philippines | Claim only | 2026-03-01 |
| INC Ransom | Transportation, Logistics, Supply Chain and Storage | Germany | Data leak | 2026-03-01 |
| Qilin | Government Administration | United States | Claim only | 2026-03-01 |
| INC Ransom | Construction | United States | Data leak | 2026-03-01 |
| INC Ransom | Education Administration Programs | United States | Data leak | 2026-03-01 |
| Gentlemen | Glass, Ceramics and Concrete Manufacturing | United States | Claim only | 2026-03-01 |
| Gentlemen | Hospitals and Health Care | Canada | Claim only | 2026-03-01 |
| Gentlemen | Mining | India | Claim only | 2026-03-01 |
| Gentlemen | IT Services and IT Consulting | Spain | Claim only | 2026-03-01 |
News and research context
Recent articles from the same time window.
Related actor: Termite
During a 12-day Deception.Pro operation, researchers observed a high-severity, multi-stage intrusion chain that began with malvertising and a ClickFix-style fake CAPTCHA. The lure…
TriZetto Provider Solutions (“TPS”) recently experienced a cybersecurity incident that affected certain protected health information of certain of its healthcare provider customer…
The Post-RAMP Era: Allegations, Fragmentation, and the Rebuilding of the Ransomware Underground
2026-02-26
The January 2026 seizure of RAMP disrupted a major ransomware coordination hub, but it did not dismantle the ecosystem behind it. Instead, it destabilized trust and accelerated fr…
Crypto Ransomware: 2026 Crypto Crime Report
2026-02-26
Ransomware payments stagnated despite record attacks claimed. Total on-chain ransomware payments fell by approximately 8% to $820 million in 2025, even as claimed attacks rose 50%…
230,000 Australian driver licences exposed in ransomware attack on vehicle finance firm | CarExpert
2026-02-25
Related actor: FulcrumSec
Approximately 229,226 Australian driver licences have reportedly been exposed by hackers who breached security at YouX, a popular software platform used by automakers and dealers…
Related actor: Medusa
North Korean state-backed attackers are now using the Medusa ransomware and are continuing to mount extortion attacks on the U.S. healthcare sector.
North Korea has long been…
Related actor: DragonForce
A cyber attack at major chicken meat processor Hazeldenes in central Victoria has led it to shutdown its wi-fi system on site, and a shortage of chicken at pubs and butchers acros…
Computer systems at the Taipei Grand Hotel were compromised in a cybersecurity incident that happened over the Lunar New Year holiday.
Staff at the Grand Hotel discovered anoma…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.