Weekly intelligence Trend-first

Weekly ransomware & data leak landscape

A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.

Window: 2026-04-29 → 2026-05-05 UTC
Choose a report date
Previous week Next week
Observed events
157
Public claims in the selected week
Data leak indicators
85
54.1% of observed events
Active actors
36
Distinct groups with observed activity
Torrent-linked events
0
Events intersecting with torrent intelligence

What changed this week?

Qilin generated the highest visible claim volume this week, representing 20.4% of observed events.
54.1% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
Construction was the most represented sector in this window with 12 observed events.
7 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
3 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.

Coverage snapshot

As of 2026-05-05 UTC.
Leak sites observed this week
36
Leak sites online near report date
3
Threat actor profiles updated this week
5
Countries represented this week
38
Sectors represented this week
68

Top active actors

By observed claim volume
Qilin
32 events · 13 leak indicators
Gentlemen
20 events · 0 leak indicators
INC Ransom
9 events · 9 leak indicators
LeakedData
8 events · 4 leak indicators
SAFEPAY
8 events · 8 leak indicators
Aur0ra
7 events · 7 leak indicators
Everest
7 events · 1 leak indicator
Krybit
5 events · 0 leak indicators

Emerging or resurfacing actors

No matching activity in prior 30 days
  • Aur0ra 7 events
  • Sinobi 4 events
  • CMD Organization 3 events
  • Kill Security 1 event
  • MS13-089 1 event
  • RADAR 1 event
  • SecP0 1 event

Country mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States73
  • Qilin21 events · 7 leak indicators
  • INC Ransom6 events · 6 leak indicators
  • Aur0ra5 events · 5 leak indicators
  • Everest5 events · 0 leak indicators
  • Payouts King4 events · 3 leak indicators
  • ShinyHunters4 events · 1 leak indicator
  • PEAR3 events · 3 leak indicators
  • Akira2 events · 2 leak indicators
Canada11
  • Qilin3 events · 0 leak indicators
  • Gentlemen2 events · 0 leak indicators
  • Chaos1 event · 1 leak indicator
  • CMD Organization1 event · 1 leak indicator
  • Everest1 event · 0 leak indicators
  • INC Ransom1 event · 1 leak indicator
  • Leaknet Blog1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Italy7
  • Gentlemen2 events · 0 leak indicators
  • Qilin2 events · 1 leak indicator
  • Everest1 event · 1 leak indicator
  • RALord1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Germany4
  • SAFEPAY2 events · 2 leak indicators
  • Krybit1 event · 0 leak indicators
  • M3rx1 event · 0 leak indicators
Japan4
  • Gentlemen2 events · 0 leak indicators
  • Kill Security1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
Australia3
  • Aur0ra1 event · 1 leak indicator
  • Payload1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
China3
  • BlackWater2 events · 0 leak indicators
  • Sinobi1 event · 1 leak indicator
France3
  • Aur0ra1 event · 1 leak indicator
  • BlackNevas1 event · 0 leak indicators
  • Space Bears1 event · 1 leak indicator

Sector mix

Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction12
  • Qilin4 events · 1 leak indicator
  • CMD Organization2 events · 2 leak indicators
  • INC Ransom2 events · 2 leak indicators
  • LockBit 5.01 event · 1 leak indicator
  • PEAR1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator
  • SECUROTROP1 event · 1 leak indicator
Real Estate8
  • Qilin3 events · 1 leak indicator
  • Aur0ra1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
  • INC Ransom1 event · 1 leak indicator
  • Payouts King1 event · 1 leak indicator
  • ShinyHunters1 event · 1 leak indicator
Financial Services6
  • Everest2 events · 0 leak indicators
  • ShinyHunters2 events · 1 leak indicator
  • DragonForce1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
Hospitality5
  • Aur0ra1 event · 1 leak indicator
  • Gentlemen1 event · 0 leak indicators
  • Lamashtu1 event · 0 leak indicators
  • PEAR1 event · 1 leak indicator
  • RALord1 event · 1 leak indicator
IT Services and IT Consulting5
  • Everest1 event · 0 leak indicators
  • Krybit1 event · 0 leak indicators
  • LockBit 5.01 event · 1 leak indicator
  • M3rx1 event · 0 leak indicators
  • Sinobi1 event · 1 leak indicator
Law Practice5
  • Qilin2 events · 0 leak indicators
  • Aur0ra1 event · 1 leak indicator
  • Everest1 event · 0 leak indicators
  • World Leaks1 event · 1 leak indicator
Manufacturing5
  • Gentlemen3 events · 0 leak indicators
  • Chaos1 event · 1 leak indicator
  • Qilin1 event · 1 leak indicator
Food and Beverage Services4
  • Gentlemen2 events · 0 leak indicators
  • Qilin1 event · 1 leak indicator
  • SAFEPAY1 event · 1 leak indicator

Organization size bands

Share of weekly events by employee-size group across the last 12 reporting windows.
  • 51-200 employees 36
  • 11-50 employees 33
  • 201-500 employees 20
  • 1,001-5,000 employees 14
  • 2-10 employees 12
  • 10,001+ employees 10

Notable actor profile updates

Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.

Recent signal samples

Selected weekly signals.
Actor Sector Country Leak proof Seen
Qilin Food and Beverage Services United States Data leak 2026-05-05
Sinobi Software Development China Data leak 2026-05-05
Sinobi Civil Engineering United States Data leak 2026-05-05
Sinobi IT Services and IT Consulting United States Data leak 2026-05-05
Sinobi Software Development India Data leak 2026-05-05
Qilin Farming Oman Data leak 2026-05-05
Krybit IT Services and IT Consulting India Claim only 2026-05-05
Akira Investment Management United States Data leak 2026-05-05
Lamashtu Retail Thailand Claim only 2026-05-05
INC Ransom Medical Devices United States Data leak 2026-05-05
Qilin Retail Groceries Spain Data leak 2026-05-05
MS13-089 Individual and Family Services United States Claim only 2026-05-05

News and research context

Recent articles from the same time window.
Related actor: Sorry
On April 29, 2026, CVE-2026-41940 was disclosed as a critical pre-authentication bypass affecting cPanel and WHM. The issue impacts the login flow and may allow a remote, unauthen…
May 1, 2026 – This release updates the December 19, 2025 media notice from Mitchell County (the “County”) regarding its October ransomware attack. Mitchell County has completed it…
Related actor: Sorry
A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. This week, an emergency update…
Related actor: Rhysida
Airbus-owned Stelia North America has been hacked in an apparent ransomware attack. In a statement, Steila confirmed the attack, saying: “Upon detection, we immediately activat…

Notes

  • Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
  • Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
  • Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
  • The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.

Method

  • The page uses a fixed seven-day window based on the selected date.
  • Only public-facing actor and event records are included.
  • Counts and breakdowns are designed for trend review, not incident confirmation.