Foster City warned that it is possible the hackers obtained public information, urging anyone that has done business with the city to change personal passwords and take measures t…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2026-03-16 → 2026-03-22 UTC
Choose a report date
Observed events
190
Public claims in the selected week
Data leak indicators
125
65.8% of observed events
Active actors
31
Distinct groups with observed activity
Torrent-linked events
9
Events intersecting with torrent intelligence
What changed this week?
•
Qilin generated the highest visible claim volume this week, representing 20.5% of observed events.
•
65.8% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 13 observed events.
•
1 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
9 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
Coverage snapshot
As of 2026-03-22 UTC.
Leak sites observed this week
31
Leak sites online near report date
0
Threat actor profiles updated this week
8
Countries represented this week
40
Sectors represented this week
82
Top active actors
By observed claim volumeQilin
39 events · 16 leak indicators
Gentlemen
21 events · 0 leak indicators
DragonForce
19 events · 19 leak indicators
Akira
17 events · 9 leak indicators
LockBit 5.0
13 events · 12 leak indicators
NightSpire
9 events · 6 leak indicators
World Leaks
8 events · 8 leak indicators
Sinobi
7 events · 7 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Nitrogen 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States84
- Qilin19 events · 8 leak indicators
- DragonForce13 events · 13 leak indicators
- Akira10 events · 4 leak indicators
- Sinobi6 events · 6 leak indicators
- World Leaks6 events · 6 leak indicators
- Medusa4 events · 3 leak indicators
- LeakedData3 events · 3 leak indicators
- NightSpire3 events · 3 leak indicators
France13
- Gentlemen3 events · 0 leak indicators
- Qilin3 events · 2 leak indicators
- Coinbase Cartel2 events · 2 leak indicators
- NightSpire2 events · 1 leak indicator
- Akira1 event · 0 leak indicators
- Kairos1 event · 1 leak indicator
- Nitrogen1 event · 1 leak indicator
Italy7
- LockBit 5.02 events · 2 leak indicators
- Qilin2 events · 1 leak indicator
- Akira1 event · 1 leak indicator
- Coinbase Cartel1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
Thailand6
- Gentlemen3 events · 0 leak indicators
- Gunra1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Canada5
- SAFEPAY2 events · 2 leak indicators
- Eraleignews1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
Colombia5
- Gentlemen3 events · 0 leak indicators
- Qilin2 events · 1 leak indicator
Czech Republic4
- Akira2 events · 1 leak indicator
- Gentlemen2 events · 0 leak indicators
Germany4
- Akira1 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- LockBit 5.01 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction13
- DragonForce4 events · 4 leak indicators
- Qilin4 events · 2 leak indicators
- Sinobi2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- LockBit 5.01 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Financial Services9
- DragonForce2 events · 2 leak indicators
- Gentlemen2 events · 0 leak indicators
- Qilin2 events · 0 leak indicators
- Chaos1 event · 1 leak indicator
- ShinyHunters1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Government Administration9
- LockBit 5.03 events · 3 leak indicators
- Medusa2 events · 1 leak indicator
- World Leaks2 events · 2 leak indicators
- Eraleignews1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
Law Practice8
- LeakedData3 events · 3 leak indicators
- INC Ransom1 event · 0 leak indicators
- Kairos1 event · 1 leak indicator
- LockBit 5.01 event · 1 leak indicator
- NightSpire1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Architecture and Planning6
- DragonForce2 events · 2 leak indicators
- Qilin2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- Termite1 event · 1 leak indicator
Hospitals and Health Care6
- DragonForce1 event · 1 leak indicator
- Eraleignews1 event · 1 leak indicator
- FulcrumSec1 event · 1 leak indicator
- Gentlemen1 event · 0 leak indicators
- Qilin1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
Machinery Manufacturing6
- Akira3 events · 2 leak indicators
- DragonForce1 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing5
- Gentlemen1 event · 0 leak indicators
- Gunra1 event · 1 leak indicator
- Metaencryptor1 event · 1 leak indicator
- Payload1 event · 1 leak indicator
- Qilin1 event · 0 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 50
- 11-50 employees 44
- 201-500 employees 24
- 1,001-5,000 employees 17
- 501-1,000 employees 16
- 2-10 employees 14
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
Handala
2026-03-19 UTC
Adding the potentially new leak site after domains got seized by the FBI
New vuln / TTP intelligence
INTERLOCK
2026-03-19 UTC
Adding newly abused vulnerability "CVE-2026-20131"
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Qilin | Appliances, Electrical, and Electronics Manufacturing | United States | Claim only | 2026-03-22 |
| Qilin | Real Estate | United States | Data leak | 2026-03-22 |
| Qilin | Freight and Package Transportation | Canada | Claim only | 2026-03-22 |
| LeakedData | Law Practice | United States | Data leak | 2026-03-22 |
| Qilin | Transportation/Trucking/Railroad | United States | Claim only | 2026-03-22 |
| Qilin | Software Development | United States | Data leak | 2026-03-22 |
| Qilin | Movies, Videos and Sound | France | Claim only | 2026-03-22 |
| NightSpire | Alternative Medicine | United States | Data leak | 2026-03-22 |
| Gentlemen | Wellness and Fitness Services | Sweden | Claim only | 2026-03-22 |
| Gentlemen | Oil and Gas | Philippines | Claim only | 2026-03-22 |
| NightSpire | Civil Engineering | South Africa | Claim only | 2026-03-22 |
| NightSpire | Hospitality | France | Claim only | 2026-03-22 |
News and research context
Recent articles from the same time window.
Related actor: Handala
Both the hacktivist's handala-redwanted[.]to and handala-hack[.]to clearnet domains now display a seizure notice stating that the websites were seized under a seizure warrant issu…
Related actor: Gentlemen
The first Windows sample of The Gentlemen ransomware uploaded to VirusTotal on 17 July 2025, already contained The Gentlemen’s Data Leak Site (DLS) URL.
On 22 July 2025, threat a…
Navia Benefit Solutions, Inc. ("Navia") is providing notice of an event to customers and certain individuals. Although Navia is not aware of any identity theft or fraud in relatio…
Ransomware Spotlight: Agenda - TrendMicro
2026-03-19
Related actor: Qilin
Its initial activity in July 2022 was observed to deploy Go-based ransomware that offered affiliates customizable builds for encryption behavior, file targeting, and ransom note p…
Related actor: INTERLOCK
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (F…
Related actor: Beast
In March 2026, Team Cymru detected an Open Directory on 5.78.84[.]144 hosted at AS212317. Using Team Cymru’s NetFlow-augmented Open Ports collection, we detected a list of notable…
Related actor: Leaknet Blog
The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime f…
Related actor: Payload
We reversed the Windows binary completely. Every code path, every crypto primitive, every command-line switch. The encryption uses Curve25519 key exchange paired with ChaCha20, an…
Health New Zealand is aware that MediMap, a privately owned and operated medication management platform, has taken its platform offline after identifying unauthorised activity wit…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.