Active crime groups in Germany

Explanations and tabular overview
Status: 08.04.2025

Financially motivated attackers target the assets of those affected in a variety of ways. From fraud and theft to extortion, the BSI observes new attack campaigns on a daily basis. According to the BSI, ransomware and data leaks currently pose the greatest cybercriminal threat to the state, economy and society.

In recent years, the BSI as well as national and international partners have increasingly observed so-called Cybercrime-as-a-Service (CCaaS). This involves outsourcing elements of a cyberattack to specialised attacker groups, similar to outsourcing services. CCaaS allows an attacker to obtain almost every step of an attack as a service from other cybercriminals or at least the malware required for it. The selling of malware is referred to as Malware-as-a-Service (MaaS). MaaS specialising in ransomware are called Ransomware-as-a-Service (RaaS).

Attackers that sell access to networks are called access brokers and the service Access-as-a-Service (AaaS). Emotet and QakBot were two well-known malware families that were probably used by access brokers. Access brokers aim to gain long-term access to a network. To do this, they usually load additional malware via so-called loaders.

Where possible, cybercriminal attackers are categorised into groups based on the malware used and their approach. The following table highlights some attacker groups that the BSI believes pose an increased threat to German organisations. The BSI is also monitoring other attacker groups that are probably also active against German organisations.

Active crime groups that attack targets in Germany:
Groupname	Exceptional characteristics	Description
Bitwise Spider (aka Gold Mystic, White Janus, White Dev 66) - Activity decreased substantially -	Responsible for restricted¹RaaS LockBit (aka LockBit 2.0, LockBit 3.0, LockBit 4.0, ABCD) Includes variants LockBit RED, LockBit BLACK, LockBit GREEN, LockBit Linux/ESXi Leak site known	RaaS LockBit probably active since September 2019. No sectors excluded from attacks in general; public instituions are excluded as long as they do not have revenue - deviations are to be expected! Attacks against organisations from countries of the Commonwealth of Independent States excluded. On 19 and 20 February 2024, law enforcement measures were announced as part of Operation Cronos against the RaaS LockBit. A new leak page became known on 24 February 2024. On 7 May 2024, further details from Operation Cronos and sanctions against at least one member of Bitwise Spider were published in the United Kingdom, the United States of America and Australia. In December 2024 operators published version 4.0 of the RaaS LockBit.
Brain Spider (aka White Ea) - Activity decreased substantially -	Responsible for private² RaaS 8Base (aka EightBase) Leak site known	RaaS 8Base probably active since the end of 2022. No known exclusion of sectors or countries from attacks On 10 February 2025, law enforcement measures were announced as part of Operation Phobos Aetor targeting among other things the leak site of 8Base.
Frozen Spider (aka White Kali)	Responsible for restricted¹ RaaS Medusa Ransomware Medusa is not to be confused with similar named ransomware MedusaLocker Leak site known	RaaS Medusa probably active since the end of 2022. No known exclusion of sectors or countries from attacks.
Graceful Spider (aka ATK103, Chimborazo, DEV-0950, Dudear, FIN11, G0092, Gold Tahoe, Hive0065, Lace Tempest, SectorJ04, Spandex Tempest, TA505, White Austaras)	Responsible for GetAndGo Loader (aka Get2, FRIENDSPEAK) SDBBot GraceWire (aka FlawedGrace) Clop (aka Ciop, CIop, Cl0p, Ci0p, CI0p) Leak site known Attackers repeatedly abused zero-day vulnerabilities in exposed systems such as file-sharing servers. Extortion often without the use of ransomware only with stolen data	Attacker group probably active since 2016. No known exclusion of sectors or countries from attacks. From the end of 2019 until 2022 regularly use of Clop ransomware. Since 2022, regularly blackmail with data leaks only.
Honey Spider	Responsible for MaaS Shindig (aka Bumblebee) Shindig is used by various access brokers. An attack with Shindig is often followed by the theft of data and the use of ransomware	MaaS Shindig probably active since March 2022. No known exclusion of sectors or countries from attacks. Shindig was a target of the law enforcement measures from Operation Endgame. BSI received reports of new activity multiple months after Operation Endgame.
Lunar Spider (aka Gold Swathmore, White Khione)	Responsible for MaaS BokBot (aka IcedID) Responsible for Lotus (aka Latrodectus, BlackWidow, IceNova) Lotus is used by various access brokers. An attack with Lotus is often followed by the theft of data and the use of ransomware	MaaS BokBot was probably active since April 2017 until the end of 2023. No known exclusion of sectors or countries from attacks. BokBot is based on banking trojan Neverquest (aka Vawtrak) BokBot was a target of the law enforcement measures from Operation Endgame. The loader Lotus is probably actively used since October 2023.
Ocular Spider (aka White Enbarr, Spoiled Scorpius)	Responsible for restricted¹RaaS RansomHub Leak site known	RaaS RansomHub probably active since February 2024. Operators are supposed to have bought the sourcecode of RaaS Cyclops. The ESXi version of RansomHub shows technical similarities to the ESXi version of Cyclops (aka Knight) and Babuk. Affiliates of RaaS Alphv probably switched to RansomHub.
Punk Spider (aka White Lilith)	Responsible for private² RaaS Akira Leak site known	RaaS Akira probably active since March 2023. Attacks against government organisations excluded - deviations are to be expected! No known exclusion of countries from attacks. Akira is probably based on the source code of the inactive RaaS Conti leaked in February 2022.
Recess Spider (aka White Peryton)	Responsible for private² RaaS Play (aka PlayCrypt) Leak site known	RaaS Play probably active since June 2022. No known exclusion of sectors or countries from attacks. Extortion negotiations are partly conducted by email.
Scattered Spider (aka 0ktapus, Dev0671, Dev0875, Dev0971, Muddled Libra, Octo Tempest, Oktapus, Roasted 0ktapus, Scatter Swine, Scattered Swine, StarFraud, Storm-0875, UNC3944, White Dev 146)	Responsible for MaaS BlackLotus Was affiliate of RaaS Alphv Rather probable affiliate of RaaS Qilin (see White Kore) Probable affiliate of RaaS RansomHub (see White Enbarr) Repeated use of SIM swapping and social engineering against helpdesk employees to take over valid accounts Attacker interacts specifically with cloud resources of affected organisations Registers own identity providers, for example, in order to be able to log in as any valid account	Affiliate group probably active since March 2022. Exclusion of sectors and countries from attacks in accordance with used RaaS. Since April 2023 Scattered Spider used the ransomware Alphv. First indication of possible switch to RaaS Qilin in April 2024. Since mid 2024 probable affiliate of RaaS RansomHub. In 2024 multiple suspects were arrested in connection to Scattered Spider.
Traveling Spider (aka Gold Mansard, White Imp)	Responsible for RaaS INC Responsible for RaaS Lynx Leak sites to both RaaS known Was responsible for RaaS Nevada, RaaS Nokoyawa, RaaS Karma, RaaS Nefilim (aka Nemty X), RaaS Nemty	Attacker group probably active since August 2019. RaaS INC probably active since September 2023. RaaS Lynx probably active since August 2024.
Vice Spider (aka White Nefas, DEV-0832, Vanilla Tempest, Vice Society)	Probably responsible for Ransomware Rhysida Alternatively affiliate of private² RaaS Rhysida Reports in the fourth quarter of 2024 indicate probable use of new Ransomware InterLock	Affiliate group probably active since April 2021. Vice Spider used a variety of RaaS over the years including: DeathKitty (aka HelloKitty, Fivehands, Wacatac), Zeppelin (aka Buran), Hive, Quantum, Alphv, RedAlertLocker, LockBit Vice Spider originaly established their own presence under the branding Vice Society. RaaS Rhysida probably active since Mai 2023. Ransomware InterLock first observed in October 2024.
White Dev 115 (aka Blackbasta, UNC3973) - Activity decreased substantially -	Responsible for restricted¹ RaaS BlackBasta (aka no_name_software) Leak site known	RaaS BlackBasta probably active since April 2022. No known exclusion of sectors or countries from attacks. On 11 February 2025, internal chat messages from the operating group were leaked online. The leak site has been offline since then.
White Fenrir	Responsible for restricted¹ MaaS DarkGate (aka Meh, MehCrypter) Responsible for Crypter-as-a-Service (CaaS) DarkGateCrypter Responsible for Service DarkGate AutoIt Converter DarkGate is used by various access brokers. An attack with DarkGate is often followed by the theft of data and the use of ransomware	MaaS DarkGate probably active since 2017, first advertised on underground forums in May 2023. No known exclusion of sectors from attacks. Attacks against organisations from Russia and Moldova excluded. At the end of 2023, the operating group switched to a private² operating mode. Previously, the MaaS was offered to up to 30 affiliates. In November 2024 DarkGate was switched back to a restricted¹ operating model.
White Kore	Responsible for RaaS Qilin (aka AgendaCrypt, Agenda) Leak site known Attackers exhibit increased focus on healthcare sector	RaaS Qilin probably active since August 2022. Sample have been temporarily distributed with the file name `Agenda` therefor also known as Agenda ransomware. Probable Rebrand to MichaelKors in April 2023 has not been completed.
White Veles (aka DEV-0504, Velvet Tempest)	Responsible for ExMatter (aka Sender2)	Affiliate group probably active since August 2021. Exclusion of sectors and countries from attacks in accordance with used RaaS. Was affiliate of RaaS LockBit (see Bitwise Spider), RaaS BlackMatter, RaaS Alphv and RaaS Conti. Was affiliate of RaaS Alphv since December 2021. Currently unknown whether still active as affiliate of different RaaS.
White Yama	Responsible for RaaS HuntersInternational Leak site known	RaaS HuntersInternational probably active since October 2023. HuntersInternational is probably based on source code of RaaS Hive, which is inactive since January 2023.

Footnotes:

¹ Restricted MaaSs are MaaSs that openly recruit new affiliates and, for example, require affiliates to go through an application process before they are granted access to the service.

² Private MaaSs are MaaSs that do not openly recruit new affiliates. The service is available to a limited group of affiliates and new affiliates tend to be added by invitation.

Leak victim statistics:

Since 2021, ransomware attacks have usually been accompanied by a data leak. The combined extortion with data encryption through ransomware and data publication through data leaks is known as double extortion. The BSI monitors so-called leak sites on which attackers publish the names and stolen data of victims of their ransomware attacks if they do not give in to cyber extortion.

These leak pages can therefore be used to record presumed victims who have been threatened with the publication of their data. In this respect, the leak victim statistics are not statistics on ransomware attacks, but on victims of hush money extortion. The BSI refers to "presumed" victims, as being named on a leak page under the control of an attacker does not necessarily mean that an attack actually took place. In some cases, attackers mention names for the sole purpose of blackmail without an actual attack having taken place.

The monitoring of leak pages only covers some of the ransomware victims. This means that, generally, only those organisations that refuse to pay a ransom or hush money are named and published on leak pages. Not all ransomware attackers use a leak page either. A large number of ransomware victims therefore remain unidentified. Consequently, this data collection does not provide any information on how many of the actual victims decide to pay a ransom or hush money. Moreover, the time of publication does not provide any information about exactly when the ransomware attack took place, which may have been a long time before. On top of that, the categorisation of presumed victims by country is only an approximation, as it is usually based on the location of the presumed victim's main office. This means that the attacked network segment may have been located in other parts of the world, especially in the case of globally active companies.

The indices in the diagram measure the naming of presumed victims on leak sites. The average for the year 2021 is used as the basis.

Statistics from the second quarter 2022 to the first quarter 2025 — Source: BSI

The index for Germany was 264 points in the first quarter of 2025. This means that the number of observed presumed victims named on leak sites in the first quarter of 2025 was 2.64 times higher than the annual average for 2021. The comparative index worldwide was 316 points in the first quarter of 2025. A recurring trend can be observed at the beginning of the year. Attackers suspected to be operating out of Russia in particular reduce their activity at this time. They presumably pause operations over the Orthodox Christmas on 6 and 7 January.

The first cyberattacks involving hush money extortion and leak sites were observed in 2019. In the first quarter of 2019, the cybercriminal group calling itself Team Snatch attacked several victims. In the fourth quarter of 2019, the cybercriminal group behind the RaaS Maze began combining ransomware attacks with leaks. In 2020, this approach became widespread among various cybercriminal groups, which the BSI reported as a proliferation of cybercriminal approaches (see The state of IT security in Germany in 2022). In 2021, double extortion attacks became the norm for ransomware attacks.

The number of presumed victims observed increased significantly in 2023 compared to previous years. In 2023, almost 1.7 times the annual average for 2021 was observed both worldwide and in Germany. Globally, this means an increase of almost 50% from 2022 to 2023, or almost 30% for Germany in the same period.

The main factors behind this increase are likely to be a sustained high to very high level of activity by the most threatening actors and an increase in activity across all leak sites. The BSI also observed several leak sites that were only active for a short time or named many presumed victims through individual campaigns.

The increase in activity on a number of leak sites continued during 2024. BSI observed multiple leak sites that probably reposted data leaks of "old" cases. The substanial increase in the first quarter of 2025 was in large parts due to an attack campaign against file sharing software from the software development company Cleo in December 2024. Presumed victims from this campaign have been published from January to March 2025 on the leak sites Clop of the group Graceful Spider.

There may also be a change in payment behaviour. In general, only those presumed victims who delay or refuse to pay a ransom or hush money are recorded on leak sites. If the number of attacks does not decrease but more victims refuse to pay, this is likely to be reflected in an increase in the leak victim statistics.