In recent years, the BSI as well as national and international partners have increasingly observed so-called Cybercrime-as-a-Service (CCaaS). This involves outsourcing elements of a cyberattack to specialised attacker groups, similar to outsourcing services. CCaaS allows an attacker to obtain almost every step of an attack as a service from other cybercriminals or at least the malware required for it. The selling of malware is referred to as Malware-as-a-Service (MaaS). MaaS specialising in ransomware are called Ransomware-as-a-Service (RaaS).

Attackers that sell access to networks are called access brokers and the service Access-as-a-Service (AaaS). Emotet and QakBot are two well-known malware families that were probably used by access brokers. In the fourth quarter of 2023, the BSI increasingly observed the use of PikaBot and DarkGate in initial infections. Compromises with these malware families often result in ransomware incidents.

Where possible, cybercriminal attackers are categorised into groups based on the malware used and their approach. The following table highlights some attacker groups that the BSI believes pose an increased threat to German organisations. The BSI is also monitoring other attacker groups that are probably also active against German organisations.

Active crime groups that attack targets in Germany:

Groupname	Exceptional characteristics	Description
Alpha Spider (a.k.a. White Dev 101)	Responsible for restricted1 RaaS Alphv (a.k.a. Alphv-ng, BlackCat, Noberus) Malpedia-Link BlackCat Leak site known Extortion is repeatedly accompanied by phone calls inviting negotiations.	RaaS Alphv probably active since November 2021. No sectors excluded from attacks. Attacks against organisations from countries of the Commonwealth of Independent States excluded. After publicly confirmed law enforcement measures on 19 December 2023, it remains to be seen whether the RaaS will continue to exist in the longer term.
Bitwise Spider (a.k.a. Gold Mystic, White Janus, White Dev 66)	Responsible for restricted1 RaaS LockBit (a.k.a. LockBit 2.0, LockBit 3.0, ABCD) Malpedia-Link LockBit Includes variants LockBit RED, LockBit BLACK, LockBit GREEN, LockBit Linux/ESXi Leak site known Due to a probably high number of affiliates, the procedures sometimes vary greatly.	RaaS LockBit probably active since September 2019. Attacks against organisations in the healthcare, academic and non-profit sectors excluded - deviations are to be expected! Attacks against organisations from countries of the Commonwealth of Independent States excluded. Operators of the RaaS offer a cybercriminal bug bounty programme.
Brain Spider (a.k.a. White Ea)	Responsible for private2 RaaS 8Base (a.k.a. EightBase) Malpedia-Link 8Base Leak site known	RaaS Medusa probably active since the end of 2022. No known exclusion of sectors or countries from attacks.
Frozen Spider (a.k.a. White Kali)	Responsible for restricted1 RaaS Medusa Ransomware Medusa is not to be confused with similar named ransomware MedusaLocker Leak site known	RaaS Medusa wahrscheinlich seit Ende 2022 aktiv. Kein Ausschluss von Sektoren oder Ländern von Angriffen bekannt.
Graceful Spider (a.k.a. ATK103, Chimborazo, DEV-0950, Dudear, FIN11, G0092, Gold Tahoe, Hive0065, Lace Tempest, SectorJ04, Spandex Tempest, TA505, White Austaras)	Responsible for GetAndGo Loader (a.k.a. Get2, FRIENDSPEAK) Malpedia-Link Get2 SDBBot Malpedia-Link SDBbot GraceWire (a.k.a. FlawedGrace) Malpedia-Link FlawedGrace Clop (a.k.a. Ciop, CIop, Cl0p, Ci0p, CI0p) Malpedia-Link Clop Leak site known Attackers repeatedly abused zero-day vulnerabilities in exposed systems such as file-sharing servers. Extortion often without the use of ransomware only with stolen data	Attacker group probably active since 2016. No known exclusion of sectors or countries from attacks. Increased use of Clop ransomware since the end of 2019. Since 2022, increased blackmail with data leaks only.
Honey Spider	Responsible for MaaS Shindig (a.k.a. Bumblebee) Malpedia-Link BumbleBee Shindig is used by various access brokers. An attack with Shindig is often followed by the theft of data and the use of ransomware	MaaS Shindig probably active since March 2022. No known exclusion of sectors or countries from attacks.
Lunar Spider (a.k.a. Gold Swathmore, White Khione)	Responsible for MaaS BokBot (a.k.a. IcedID) Malpedia-Link IcedID BokBot is used by various access brokers. An attack with BokBot is often followed by the theft of data and the use of ransomware	MaaS BokBot probably active since April 2017. No known exclusion of sectors or countries from attacks. BokBot is based on banking trojan Neverquest (a.k.a. Vawtrak) Malpedia-Link Vawtrak
Mallard Spider (a.k.a. Gold Lagoon, White Horoja)	Responsible for MaaS QakBot (a.k.a. Oakboat, PinkSlip, Pinkslipbot, Qbot, Quakbot) Malpedia-Link Qakbot QakBot is used by various access brokers. An attack with QakBot is often followed by the theft of data and the use of ransomware.	Attacker group probably active since mid-2009. No known exclusion of sectors or countries from attacks. On 29 August 2023, the FBI announced a multinational operation against QakBot with the participation of German law enforcement agencies, among others. On 11 December 2023, activity with QakBot was detected again.
Mummy Spider (a.k.a. Gold Crestwood, TA542, White Taranis)	Responsible for MaaS Emotet (a.k.a. Geodo, Heodo) Malpedia-Link Emotet Emotet is used by various access brokers. An attack with Emotet is often followed by the theft of data and the use of ransomware	MaaS Emotet probably active since 2014. No known exclusion of sectors or countries from attacks. On 27 January 2021, Europol announced a multinational operation against Emotet with the participation of German security authorities, among others. On 14 November 2021, activity with Emotet was observed for the first time since the takedown in early 2021.
Punk Spider (a.k.a. White Lilith)	Responsible for private2 RaaS Akira Malpedia-Link Akira Leak site known	RaaS Akira probably active since March 2023. Attacks against government organisations excluded - deviations are to be expected! No known exclusion of countries from attacks. Akira is probably based on the source code of the inactive RaaS Conti leaked in February 2022.
Recess Spider (a.k.a. White Peryton)	Responsible for private2 RaaS Play (a.k.a. PlayCrypt) Malpedia-Link PLAY Leak site known	RaaS Play probably active since June 2022. No known exclusion of sectors or countries from attacks. Extortion negotiations are partly conducted by email.
Scattered Spider (a.k.a. 0ktapus, Dev0671, Dev0875, Dev0971, Muddled Libra, Octo Tempest, Oktapus, Roasted 0ktapus, Scatter Swine, Scattered Swine, StarFraud, Storm-0875, UNC3944, White Dev 146)	Responsible for MaaS BlackLotus Malpedia-Link BlackLotus Affiliate of RaaS Alphv (See Alpha Spider) Repeated use of SIM swapping and social engineering against helpdesk employees to take over valid accounts Attacker interacts specifically with cloud resources of affected organisations Registers own identity providers, for example, in order to be able to log in as any valid account	Affiliate group probably active since March 2022. Exclusion of sectors and countries from attacks in accordance with used RaaS. In April 2023, the use of Alphv ransomware by Scattered Spider was observed for the first time.
White Dev 115 (a.k.a. Blackbasta, UNC3973)	Responsible for restricted1 RaaS BlackBasta (a.k.a. no_name_software) Malpedia-Link Black Basta Leak site known	RaaS BlackBasta probably active since April 2022. No known exclusion of sectors or countries from attacks. Kein Ausschluss von Sektoren oder Ländern von Angriffen bekannt. A decryption tool for BlackBasta published by SRLabs on 27 December 2023 is no longer effective. In November 2023, samples of the ransomware became known that were no longer vulnerable to the encryption weakness used here.
White Fenrir	Responsible for private2 MaaS DarkGate (a.k.a. Meh, MehCrypter) Malpedia-Link DarkGate DarkGate is used by various access brokers. An attack with DarkGate is often followed by the theft of data and the use of ransomware	MaaS DarkGate probably active since 2017, first advertised on underground forums in May 2023. No known exclusion of sectors from attacks. Attacks against organisations from Russia and Moldova excluded. At the end of 2023, the operating group switched to a private2 operating mode. Previously, the MaaS was offered to up to 30 affiliates.
White Veles (a.k.a. DEV-0504, Velvet Tempest)	Responsible for ExMatter (a.k.a. Sender2) Malpedia-Link ExMatter Affiliate of RaaS Alphv (see Alpha Spider)	Affiliate group probably active since August 2021. Exclusion of sectors and countries from attacks in accordance with used RaaS.

Footnotes:

¹ Restricted MaaSs are MaaSs that openly recruit new affiliates and, for example, require affiliates to go through an application process before they are granted access to the service.

² Private MaaSs are MaaSs that do not openly recruit new affiliates. The service is available to a limited group of affiliates and new affiliates tend to be added by invitation.

---

Leak victim statistics:

Since 2021, ransomware attacks have usually been accompanied by a data leak. Extortion with data leaks is also the digital form of hush money extortion. The combined extortion with data encryption through ransomware and data publication through data leaks is known as double extortion. The BSI's leak victim statistics provide information about the latter, i.e. the victims of hush money extortion. To this end, the BSI monitors so-called leak sites on which attackers publish the names and stolen data of victims of their ransomware attacks if they do not give in to cyber extortion.

These leak pages can therefore be used to record presumed victims who have been threatened with the publication of their data. In this respect, the leak victim statistics are not statistics on ransomware attacks, but on victims of hush money extortion. This is why we also refer to presumed victims, as being named on a leak page under the control of an attacker does not necessarily mean that an attack actually took place. In some cases, attackers mention names for the sole purpose of blackmail without an actual attack having taken place.

The monitoring of leak pages only covers some of the ransomware victims. This means that, generally, only those organisations that refuse to pay a ransom or hush money are named and published on leak pages. Not all ransomware attackers use a leak page either. A large number of ransomware victims therefore remain unidentified. Consequently, this data collection does not provide any information on how many of the actual victims decide to pay a ransom or hush money. Moreover, the time of publication does not provide any information about exactly when the ransomware attack took place, which may have been a long time before. On top of that, the categorisation of presumed victims by country is only an approximation, as it is usually based on the location of the presumed victim's main office. This means that the attacked network segment may have been located in other parts of the world, especially in the case of globally active companies.