Skip to content
The Nexus
Underground90 active groups1562 claimed victims in 30 days

Underground

Public ransomware leak-site postings, aggregated and stripped of attacker infrastructure. Tracks which groups are active, what sectors they hit, and where claimed victims are based. Useful as an early signal, not a breach confirmation.

By the numbers: the ransomware report →
This week in UndergroundWeek of 2026-07-04

Qilin defined the week, posting 50 claimed victims, up 30 from the prior week and more than any other group by a wide margin. Krybit's jump from near-zero to 25 claimed postings adds a second sharp spike, and the two entries for "the gentlemen" (23 and 20 respectively) point to sustained output from that operation as well. Total claimed postings across the leak-site ecosystem rose to 324 from 299, with 45 groups active, but the week's shape is concentration at the top rather than broad growth: the four leading groups alone account for well over a third of all claimed activity.

Business Services led sector claims with 26 postings, followed by Manufacturing at 19 and Consumer Services at 18, while Healthcare (16) and Technology (14) kept pace just behind. Geographically the week stayed anchored to the US, which was named in 43 postings, more than double any other country; Germany followed at 17, lifted in part by a claimed Deutsche Bank posting from the group calling itself "unsafe," a notable target given the sector's usual low profile on leak sites.

Beyond the top tier, smaller or newer names such as Pure Extraction And Ransom and Blackfield surfaced with multiple claimed postings apiece, spreading activity across a long tail of less-established operations. The week's overall pattern is one of intensity at the top rather than diversification: a handful of groups, led decisively by Qilin, drove the increase in total volume.

By The Nexus · refreshed weekly · Jul 4 · 14:32 UTC
384
Last 7 days
1562
Last 30 days
90
Active groups (30d)
2358
Tracked total
Sister trackerKEV. CISA Known Exploited Vulnerabilities

The vulnerabilities attackers are using right now. Where Underground shows who got hit, KEV shows what they came in through.

Open →
Weekly volume · top groupsLast 10 weeks
Active groups (30d)All groups →
Top sectors (30d)
Top countries (30d)
Recent claimed victimsShowing 25 of 2358
DRAGONFORCEConstructionUnited StatesJul 10 · 21:57 UTC

The Schuett Companies

www.schuettcares.com
QILINJul 10 · 16:51 UTC

Global Strategic Business Process Solutions

AKIRAJul 10 · 16:51 UTC

Vandalia Rental

QILINFinancial ServicesMoroccoJul 10 · 15:57 UTC

Eurodefi

www.eurodefis.com