Underground
Public ransomware leak-site postings, aggregated and stripped of attacker infrastructure. Tracks which groups are active, what sectors they hit, and where claimed victims are based. Useful as an early signal, not a breach confirmation.
By the numbers: the ransomware report →Qilin defined the week, posting 50 claimed victims, up 30 from the prior week and more than any other group by a wide margin. Krybit's jump from near-zero to 25 claimed postings adds a second sharp spike, and the two entries for "the gentlemen" (23 and 20 respectively) point to sustained output from that operation as well. Total claimed postings across the leak-site ecosystem rose to 324 from 299, with 45 groups active, but the week's shape is concentration at the top rather than broad growth: the four leading groups alone account for well over a third of all claimed activity.
Business Services led sector claims with 26 postings, followed by Manufacturing at 19 and Consumer Services at 18, while Healthcare (16) and Technology (14) kept pace just behind. Geographically the week stayed anchored to the US, which was named in 43 postings, more than double any other country; Germany followed at 17, lifted in part by a claimed Deutsche Bank posting from the group calling itself "unsafe," a notable target given the sector's usual low profile on leak sites.
Beyond the top tier, smaller or newer names such as Pure Extraction And Ransom and Blackfield surfaced with multiple claimed postings apiece, spreading activity across a long tail of less-established operations. The week's overall pattern is one of intensity at the top rather than diversification: a handful of groups, led decisively by Qilin, drove the increase in total volume.
The vulnerabilities attackers are using right now. Where Underground shows who got hit, KEV shows what they came in through.