After identifying suspicious activity on a contained, non-critical part of its IT network, the Company has determined that a criminal third-party accessed some basic customer info…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2026-03-09 → 2026-03-15 UTC
Choose a report date
Observed events
186
Public claims in the selected week
Data leak indicators
122
65.6% of observed events
Active actors
41
Distinct groups with observed activity
Torrent-linked events
13
Events intersecting with torrent intelligence
What changed this week?
•
Qilin generated the highest visible claim volume this week, representing 18.8% of observed events.
•
65.6% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 7 observed events.
•
3 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
13 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2026-03-15 UTC.
Leak sites observed this week
41
Leak sites online near report date
1
Threat actor profiles updated this week
7
Countries represented this week
41
Sectors represented this week
78
Top active actors
By observed claim volumeQilin
35 events · 19 leak indicators
Akira
19 events · 13 leak indicators
LockBit 5.0
14 events · 14 leak indicators
Gentlemen
13 events · 0 leak indicators
INC Ransom
10 events · 9 leak indicators
CipherForce
9 events · 6 leak indicators
Eraleignews
9 events · 9 leak indicators
NightSpire
8 events · 7 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Embargo 4 events
- Exitium 2 events
- Loki 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States79
- Qilin21 events · 12 leak indicators
- Akira13 events · 8 leak indicators
- INC Ransom7 events · 6 leak indicators
- Payouts King4 events · 3 leak indicators
- CipherForce3 events · 2 leak indicators
- NightSpire3 events · 2 leak indicators
- PLAY3 events · 3 leak indicators
- Anubis2 events · 0 leak indicators
France8
- Gentlemen3 events · 0 leak indicators
- Coinbase Cartel1 event · 1 leak indicator
- Gunra1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- RansomHouse1 event · 1 leak indicator
- SecP01 event · 0 leak indicators
United Kingdom8
- AiLock1 event · 1 leak indicator
- Akira1 event · 1 leak indicator
- Anubis1 event · 0 leak indicators
- Beast1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- Everest1 event · 0 leak indicators
- Gentlemen1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
Canada4
- Akira1 event · 0 leak indicators
- Coinbase Cartel1 event · 1 leak indicator
- Embargo1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
Spain4
- Akira1 event · 1 leak indicator
- Eraleignews1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Australia3
- DragonForce1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
Poland3
- Qilin2 events · 2 leak indicators
- Lynx1 event · 1 leak indicator
Singapore3
- Qilin2 events · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction7
- Qilin3 events · 2 leak indicators
- Anubis1 event · 0 leak indicators
- Gunra1 event · 1 leak indicator
- Lynx1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
Government Administration7
- Eraleignews3 events · 3 leak indicators
- Exitium1 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Payload1 event · 1 leak indicator
- XP951 event · 0 leak indicators
Hospitals and Health Care7
- Gentlemen2 events · 0 leak indicators
- Crypto241 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- Medusa1 event · 1 leak indicator
- Payload1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
IT Services and IT Consulting7
- CipherForce2 events · 1 leak indicator
- Gentlemen2 events · 0 leak indicators
- Crypto241 event · 1 leak indicator
- Eraleignews1 event · 1 leak indicator
- Tengu1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing6
- Qilin3 events · 0 leak indicators
- Akira2 events · 2 leak indicators
- Payouts King1 event · 1 leak indicator
Machinery Manufacturing5
- Qilin3 events · 2 leak indicators
- INC Ransom1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Retail5
- Akira2 events · 1 leak indicator
- Eraleignews1 event · 1 leak indicator
- Payouts King1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Financial Services4
- Qilin2 events · 0 leak indicators
- CipherForce1 event · 1 leak indicator
- Loki1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 42
- 11-50 employees 41
- 201-500 employees 25
- 501-1,000 employees 13
- 1,001-5,000 employees 10
- 2-10 employees 7
Notable actor profile updates
Active actor records only.
New ransom note observed
Tengu
2026-03-15 UTC
Adding ransom note
New actor infrastructure / contact channel
Tengu
2026-03-15 UTC
Adding additional TOX ID
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Payload | Hospitals and Health Care | Bahrain | Claim only | 2026-03-15 |
| PLAY | Airlines and Aviation | United States | Data leak | 2026-03-15 |
| Qilin | Consumer Goods | Poland | Data leak | 2026-03-15 |
| Everest | Information Services | United Kingdom | Claim only | 2026-03-15 |
| Embargo | Automotive | Canada | Data leak | 2026-03-14 |
| Lynx | Industrial Machinery Manufacturing | Canada | Data leak | 2026-03-14 |
| Qilin | Seafood Product Manufacturing | Poland | Data leak | 2026-03-14 |
| Beast | Education | United States | Claim only | 2026-03-14 |
| Beast | Security and Investigations | United Kingdom | Claim only | 2026-03-14 |
| Qilin | Restaurants | United States | Data leak | 2026-03-14 |
| INC Ransom | Medical Equipment Manufacturing | United States | Claim only | 2026-03-13 |
| Anubis | Information Technology and Services | United States | Claim only | 2026-03-13 |
News and research context
Recent articles from the same time window.
Related actor: INC Ransom
Threat actors are people, too, and like everyone else, make mistakes. These mistakes can reveal insights into the threat actor, or even expose access to their infrastructure.
I…
Related actor: INTERLOCK
Researchers from IBM X-Force have uncovered a new AI-generated malware, dubbed “Slopoly.”
During a ransomware engagement, X-Force discovered a PowerShell script deployed on an…
Japanese police confirmed 226 cases of damage from ransomware attacks in 2025, the second-highest annual total, data from the National Police Agency showed Thursday.
The number…
Related actor: Handala
Handala Hack, also tracked by Check Point Research as Void Manticore, is an Iranian threat actor that is known for multiple destructive wiping attacks combined with “hack and leak…
Related actor: ShinyHunters
Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from t…
Related actor: AlphVM
The U.S. Department of Justice charged another former DigitalMint employee for his involvement in an insider scheme in which ransomware negotiators secretly partnered with the Bla…
ELECQ, maker of smart electric vehicle (EV) chargers, is warning customers that their personal details may have been stolen in a ransomware attack that encrypted and copied user d…
Current report filing, Stryker Corp.
2026-03-12
Related actor: Handala
On March 11, 2026, Stryker Corporation (“we” or the “Company”) identified a cybersecurity incident affecting certain information technology systems of the Company that has resulte…
The Community College of Beaver County is under a cyberattack, with unknown bad actors encrypting all college data and demanding ransom payments to lift it.
"We came to campus…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.