Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2026-03-11 → 2026-03-17 UTC
Choose a report date
Previous week Next week
Observed events
184
Public claims in the selected week
Data leak indicators
126
68.5% of observed events
Active actors
44
Distinct groups with observed activity
Torrent-linked events
8
Events intersecting with torrent intelligence

What changed this week?

Qilin generated the highest visible claim volume this week, representing 16.8% of observed events.
68.5% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Government Administration was the most represented sector in this window with 10 observed events.
2 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
8 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.

Coverage snapshot

As of 2026-03-17 UTC.
Leak sites observed this week
44
Leak sites online near report date
0
Threat actor profiles updated this week
10
Countries represented this week
41
Sectors represented this week
76

Top active actors

By observed claim volume
Qilin
31 events · 17 leak indicators
LockBit 5.0
17 events · 17 leak indicators
Akira
15 events · 8 leak indicators
Eraleignews
11 events · 11 leak indicators
Gentlemen
10 events · 0 leak indicators
CipherForce
9 events · 6 leak indicators
NightSpire
8 events · 6 leak indicators
Coinbase Cartel
7 events · 3 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • Exitium 2 events
  • Loki 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States78
  • Qilin18 events · 9 leak indicators
  • Akira10 events · 6 leak indicators
  • INC Ransom5 events · 3 leak indicators
  • Medusa5 events · 4 leak indicators
  • PLAY5 events · 5 leak indicators
  • CipherForce3 events · 2 leak indicators
  • Payouts King3 events · 3 leak indicators
  • Sinobi3 events · 3 leak indicators
Canada7
  • SAFEPAY2 events · 2 leak indicators
  • Akira1 event · 0 leak indicators
  • Coinbase Cartel1 event · 1 leak indicator
  • Embargo1 event · 1 leak indicator
  • Eraleignews1 event · 1 leak indicator
  • Lynx1 event · 1 leak indicator
France6
  • Akira1 event · 0 leak indicators
  • Coinbase Cartel1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
  • Kairos1 event · 1 leak indicator
  • NightSpire1 event · 1 leak indicator
  • RansomHouse1 event · 1 leak indicator
Australia4
  • DragonForce1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
  • Gunra1 event · 1 leak indicator
  • Qilin1 event · 0 leak indicators
United Kingdom4
  • AiLock1 event · 1 leak indicator
  • Beast1 event · 0 leak indicators
  • Everest1 event · 0 leak indicators
  • Qilin1 event · 1 leak indicator
Chile3
  • CipherForce1 event · 1 leak indicator
  • Eraleignews1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
Colombia3
  • Gentlemen2 events · 0 leak indicators
  • BlackShrantac1 event · 0 leak indicators
Germany3
  • Akira1 event · 1 leak indicator
  • LockBit 5.01 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Government Administration10
  • Eraleignews4 events · 4 leak indicators
  • Medusa2 events · 1 leak indicator
  • Exitium1 event · 1 leak indicator
  • LockBit 5.01 event · 1 leak indicator
  • Payload1 event · 1 leak indicator
  • XP951 event · 0 leak indicators
Construction8
  • Qilin3 events · 2 leak indicators
  • Sinobi2 events · 2 leak indicators
  • Lynx1 event · 1 leak indicator
  • PLAY1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing6
  • Qilin3 events · 0 leak indicators
  • Akira1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
  • Gunra1 event · 1 leak indicator
IT Services and IT Consulting6
  • CipherForce2 events · 1 leak indicator
  • Gentlemen2 events · 0 leak indicators
  • AiLock1 event · 0 leak indicators
  • Eraleignews1 event · 1 leak indicator
Hospitals and Health Care5
  • Eraleignews1 event · 1 leak indicator
  • FulcrumSec1 event · 1 leak indicator
  • Medusa1 event · 1 leak indicator
  • Payload1 event · 0 leak indicators
  • Qilin1 event · 0 leak indicators
Machinery Manufacturing5
  • Qilin2 events · 1 leak indicator
  • Akira1 event · 0 leak indicators
  • DragonForce1 event · 1 leak indicator
  • World Leaks1 event · 1 leak indicator
Retail5
  • Akira2 events · 1 leak indicator
  • Qilin2 events · 2 leak indicators
  • Eraleignews1 event · 1 leak indicator
Accounting4
  • Qilin2 events · 0 leak indicators
  • Akira1 event · 0 leak indicators
  • BravoX1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 51-200 employees 38
  • 11-50 employees 35
  • 201-500 employees 28
  • 1,001-5,000 employees 13
  • 501-1,000 employees 13
  • 2-10 employees 12

Notable actor profile updates

Active actor records only.
New ransom note observed
Tengu
2026-03-15 UTC
Adding ransom note
New actor infrastructure / contact channel
Everest
2026-03-16 UTC
Adding TOX ID
New vuln / TTP intelligence
Warlock
2026-03-16 UTC
Adding additional TTPs from Trend Micro's blog

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
FulcrumSec Hospitals and Health Care United States Data leak 2026-03-17
Kill Security Plastics Manufacturing Israel Data leak 2026-03-17
Kill Security Veterinary Services Brazil Data leak 2026-03-17
SAFEPAY Paper and Forest Product Manufacturing Portugal Data leak 2026-03-17
SAFEPAY Manufacturing Canada Data leak 2026-03-17
SAFEPAY Transportation/Trucking/Railroad Canada Data leak 2026-03-17
SAFEPAY Pharmaceutical Manufacturing Germany Data leak 2026-03-17
Sinobi Construction United States Data leak 2026-03-17
SAFEPAY Construction United States Data leak 2026-03-17
Sinobi Aviation and Aerospace Component Manufacturing United States Data leak 2026-03-17
Sinobi Construction United States Data leak 2026-03-17
LockBit 5.0 Law Practice Germany Data leak 2026-03-17

News and research context

Recent articles from the same time window.
Intuitive statement on cybersecurity incident 2026-03-16
Intuitive has determined that information from certain internal IT business applications was accessed by an unauthorized third party as the result of a targeted cybersecurity phis…
A Slopoly start to AI-enhanced ransomware attacks | IBM 2026-03-13
Related actor: INTERLOCK
Researchers from IBM X-Force have uncovered a new AI-generated malware, dubbed “Slopoly.” During a ransomware engagement, X-Force discovered a PowerShell script deployed on an…
226 Ransomware Attacks Reported in Japan in 2025 2026-03-13
Japanese police confirmed 226 cases of damage from ransomware attacks in 2025, the second-highest annual total, data from the National Police Agency showed Thursday. The number…

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.