Active crime groups in Germany
06.02.2024
Financially motivated attackers go after their victims' assets in many ways. From fraud and theft to extortion, the BSI observes new attack campaigns every day. In the BSI's assessment, ransomware and data leaks currently pose the greatest cybercriminal threat to the state, the economy and society.
In recent years, the BSI and its national and international partners have increasingly observed so-called Cybercrime-as-a-Service (CCaaS): individual elements of a cyberattack are outsourced to specialised attacker groups, much as legitimate businesses outsource services. With CCaaS, an attacker can obtain almost every step of an attack, or at least the malware required for it, as a service from other cybercriminals. Selling malware in this way is referred to as Malware-as-a-Service (MaaS); MaaS offerings specialising in ransomware are called Ransomware-as-a-Service (RaaS).
Attackers who sell access to compromised networks are called access brokers, and the corresponding service Access-as-a-Service (AaaS). Emotet and QakBot are two well-known malware families that were probably used by access brokers. In the fourth quarter of 2023, the BSI increasingly observed PikaBot and DarkGate being used for initial infections. Compromises with these malware families frequently end in ransomware incidents.
Where possible, cybercriminal attackers are categorised into groups based on the malware they use and how they operate. The following table highlights some of the attacker groups that, in the BSI's assessment, pose an increased threat to German organisations. The BSI also monitors other attacker groups that are probably active against German organisations as well.
| Group name | Exceptional characteristics | Description |
|---|---|---|
| Alpha Spider (a.k.a. White Dev 101) | | |
| Bitwise Spider (a.k.a. Gold Mystic, White Janus, White Dev 66) | | |
| Brain Spider (a.k.a. White Ea) | | |
| Frozen Spider (a.k.a. White Kali) | | |
| Graceful Spider (a.k.a. ATK103, Chimborazo, DEV-0950, Dudear, FIN11, G0092, Gold Tahoe, Hive0065, Lace Tempest, SectorJ04, Spandex Tempest, TA505, White Austaras) | | |
| Honey Spider | | |
| Lunar Spider (a.k.a. Gold Swathmore, White Khione) | | |
| Mallard Spider (a.k.a. Gold Lagoon, White Horoja) | | |
| Mummy Spider (a.k.a. Gold Crestwood, TA542, White Taranis) | | |
| Punk Spider (a.k.a. White Lilith) | | |
| Recess Spider (a.k.a. White Peryton) | | |
| Scattered Spider (a.k.a. 0ktapus, Dev0671, Dev0875, Dev0971, Muddled Libra, Octo Tempest, Oktapus, Roasted 0ktapus, Scatter Swine, Scattered Swine, StarFraud, Storm-0875, UNC3944, White Dev 146) | | |
| White Dev 115 (a.k.a. Blackbasta, UNC3973) | | |
| White Fenrir | | |
| White Veles (a.k.a. DEV-0504, Velvet Tempest) | | |
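The alias lists in the table are exactly the mapping a threat-intelligence pipeline has to apply before reports from different vendors (CrowdStrike "Spider" names, Microsoft "Tempest", "DEV-" and "Storm-" designations, Mandiant "UNC" numbers, Proofpoint "TA" numbers) can be correlated. The following Python is an added example and not part of the BSI page: it parses rows in the page's "Name (a.k.a. alias, alias, ...)" form into an alias map, resolves a vendor label to the BSI group name, and refuses to build the map if one alias points at two different groups. The five rows are copied from the table above; the function and variable names are the example's own.

```python
from __future__ import annotations

import re

# Constructed input: five rows copied from the BSI table above, in the page's
# "Name (a.k.a. alias, alias, ...)" form. The full table is handled the same way.
GROUP_ROWS = [
    "Alpha Spider (a.k.a. White Dev 101)",
    "Graceful Spider (a.k.a. ATK103, Chimborazo, DEV-0950, Dudear, FIN11, G0092, Gold Tahoe, "
    "Hive0065, Lace Tempest, SectorJ04, Spandex Tempest, TA505, White Austaras)",
    "Honey Spider",
    "Scattered Spider (a.k.a. 0ktapus, Dev0671, Dev0875, Dev0971, Muddled Libra, Octo Tempest, "
    "Oktapus, Roasted 0ktapus, Scatter Swine, Scattered Swine, StarFraud, Storm-0875, UNC3944, "
    "White Dev 146)",
    "White Dev 115 (a.k.a. Blackbasta, UNC3973)",
]

# "<name>" optionally followed by "(a.k.a. <comma-separated aliases>)"
ROW_RE = re.compile(r"^(?P<name>[^(]+?)\s*(?:\(a\.k\.a\.\s*(?P<aliases>[^)]*)\))?\s*$")


def normalize(label: str) -> str:
    """Canonical key for a group label: case-folded, with spaces, hyphens and
    underscores removed, so that 'DEV-0950', 'Dev0950' and 'dev 0950' collide."""
    return re.sub(r"[\s\-_]", "", label).casefold()


def parse_row(row: str) -> tuple[str, list[str]]:
    """Split one table row into (BSI name, [aliases])."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    aliases = [a.strip() for a in (m.group("aliases") or "").split(",") if a.strip()]
    return m.group("name").strip(), aliases


def build_alias_map(rows: list[str]) -> dict[str, str]:
    """Map every normalised label (the BSI name and each alias) to the BSI name.
    One alias pointing at two groups is a data error and must not be silently
    overwritten: it would mis-attribute every later report that uses the alias."""
    alias_map: dict[str, str] = {}
    for row in rows:
        name, aliases = parse_row(row)
        for label in [name, *aliases]:
            key = normalize(label)
            if alias_map.get(key, name) != name:
                raise ValueError(f"alias {label!r} maps to both {alias_map[key]!r} and {name!r}")
            alias_map[key] = name
    return alias_map


def resolve(alias_map: dict[str, str], label: str) -> str | None:
    """BSI group name for a vendor label, or None if the label is unknown."""
    return alias_map.get(normalize(label))


if __name__ == "__main__":
    m = build_alias_map(GROUP_ROWS)
    for label in ("TA505", "dev-0950", "Octo Tempest", "UNC3973", "LockBit"):
        print(f"{label:14} -> {resolve(m, label)}")
```

Unknown labels resolve to None rather than to a guessed group, so a downstream report can list them for manual review instead of silently attributing activity to the wrong actor.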
Footnotes:
1 Restricted MaaS: services that openly recruit new affiliates but, for example, require applicants to go through an application process before they are granted access to the service.
2 Private MaaS: services that do not openly recruit new affiliates. The service is available to a limited group of affiliates, and new affiliates tend to be added by invitation.
Leak victim statistics:
Since 2021, ransomware attacks have usually been accompanied by a data leak. Extortion by threatening to publish stolen data is the digital form of hush-money extortion. The combination of extortion by data encryption (ransomware) and by data publication (data leak) is known as double extortion. The BSI's leak victim statistics cover the latter, i.e. the victims of hush-money extortion. To this end, the BSI monitors so-called leak sites, on which attackers publish the names and stolen data of ransomware victims that do not give in to the extortion.
Leak sites can therefore be used to record presumed victims who have been threatened with the publication of their data. The leak victim statistics are thus not statistics on ransomware attacks but on victims of hush-money extortion. The term presumed victims is used deliberately: being named on a leak site under an attacker's control does not necessarily mean that an attack actually took place. In some cases, attackers list names purely for the purpose of extortion without any attack having happened.
Monitoring leak sites covers only a subset of ransomware victims. As a rule, only organisations that refuse to pay a ransom or hush money are named there, and not every ransomware group operates a leak site, so a large number of ransomware victims remain unidentified. Consequently, the data says nothing about how many actual victims decide to pay. Nor does the date of publication indicate when the ransomware attack took place; it may have been much earlier. Finally, the assignment of presumed victims to countries is only an approximation, since it is usually based on the location of the presumed victim's main office; the attacked network segment may have been located elsewhere in the world, especially in the case of globally active companies.
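The caveats above translate directly into how a leak-site feed has to be processed before it is counted: re-posts of the same entry must not become new victims, the publication date is only the date the entry appeared, the country is the main-office country, and a name that turns up on two groups' sites cannot be resolved into one or two attacks from the sites alone. The following Python is an added example, not BSI code or a BSI dataset: it applies those rules to a small constructed set of leak-site entries (fictional organisations and placeholder group names) and produces per-country and per-group counts for a publication-date window. The data class and function names are the example's own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LeakPost:
    group: str        # ransomware group whose leak site carried the entry
    victim: str       # organisation name exactly as written on the leak site
    hq_country: str   # country of the presumed victim's main office (an approximation)
    published: date   # date the entry was seen on the site; NOT the date of the attack


# Constructed sample data (fictional organisations, placeholder group names).
# A real feed would be scraped from the leak sites described in the text.
POSTS = [
    LeakPost("Group A", "Beispiel GmbH", "DE", date(2023, 10, 3)),
    LeakPost("Group A", "Beispiel  GmbH", "DE", date(2023, 10, 10)),  # re-posted after a deadline expired
    LeakPost("Group B", "beispiel gmbh", "DE", date(2023, 11, 2)),    # same name on a second group's site
    LeakPost("Group B", "Example Corp", "US", date(2023, 11, 20)),
    LeakPost("Group C", "Muster AG", "DE", date(2023, 12, 30)),
    LeakPost("Group C", "Muster AG Holding", "DE", date(2024, 1, 4)),
]


def normalize_victim(name: str) -> str:
    """Case-fold and collapse whitespace so spelling variants of one name match.
    Deliberately conservative: 'Muster AG' and 'Muster AG Holding' stay distinct,
    because whether they are one organisation cannot be decided from the leak site."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def dedupe(posts: list[LeakPost]) -> list[LeakPost]:
    """One presumed victim per (group, victim) pair, dated by its earliest posting.
    A re-post of the same entry is not a new victim; the date kept is only the
    moment the extortion became public, not when the attack happened."""
    first: dict[tuple[str, str], LeakPost] = {}
    for p in sorted(posts, key=lambda p: p.published):
        first.setdefault((p.group, normalize_victim(p.victim)), p)
    return list(first.values())


def count_by(posts: list[LeakPost], attr: str, start: date, end: date) -> dict[str, int]:
    """Presumed victims per `attr` ('hq_country' or 'group') whose entry was first
    published in [start, end). With attr='hq_country' a hit on a German subsidiary
    of a US company is counted under 'US', as the text's caveat describes."""
    window = [p for p in dedupe(posts) if start <= p.published < end]
    return dict(Counter(getattr(p, attr) for p in window))


def named_by_multiple_groups(posts: list[LeakPost]) -> dict[str, list[str]]:
    """Victim names that appear on more than one group's leak site. Whether that
    is one attack or several cannot be decided from the sites alone, so such
    names are reported for review rather than silently merged or double-counted."""
    groups: dict[str, set[str]] = {}
    for p in dedupe(posts):
        groups.setdefault(normalize_victim(p.victim), set()).add(p.group)
    return {v: sorted(g) for v, g in groups.items() if len(g) > 1}


if __name__ == "__main__":
    q4 = (date(2023, 10, 1), date(2024, 1, 1))
    print("Q4/2023 by HQ country:", count_by(POSTS, "hq_country", *q4))
    print("Q4/2023 by group:     ", count_by(POSTS, "group", *q4))
    print("named by several groups:", named_by_multiple_groups(POSTS))
```

Counting by first publication date places the Muster AG Holding entry in Q1 2024 even though the Muster AG entry from the same group appeared four days earlier; nothing on the leak site says whether the two are one incident, which is why the code keeps them apart and flags only exact cross-group name matches.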