Major German bank says a third party may have been hit following claims of ransomware attack
As reported by CyberNews, Deutsche Bank’s systems were allegedly breached by the Unsafe ransomware gang after the group listed the bank on its dark web leak site.
Within the listing were screenshots that included queries that can call back employee data, terminal output and commands that show exports of databases.
You’re out of free articles for this month
The allegedly stolen data in the screenshots contains employee email addresses, physical addresses, internal database records, and password hashes.
Speaking with multiple media outlets, Deutsche Bank said there is no indication that its own network was breached and that it was notified of a third-party incident impacting an external service provider in Germany.
“There is no indication that Deutsche Bank’s internal systems or networks were or are affected by the incident. There is also no evidence of unauthorised access to Deutsche Bank’s network,” the spokesperson said.
The bank also said it was working with the third-party provider on the alleged incident and was working to “minimise potential cyber risks”.
Who is Unsafe ransomware?
Unsafe ransomware group is a relatively unknown player in the cyber crime space, with mixed records of incidents.
According to ransomware.live, the threat actor first appeared in late 2022 and has launched cyber attacks sporadically since. Having been quiet for most of 2024 and all of 2025.
The group reportedly has 16 victims to date, most of which are based in the US, followed by Germany.
Ransomware.live also suggests that the group seems to recycle leaks from other threat actors rather than being behind some of its cyber incidents.
According to the group’s about page, Unsafe claims to be a penetration tester and security researcher that does not support illegal activity, a claim made by most cyber criminals.
“Hello, I’m a cyber security engineer who does penetration testing and security research. This blog shares findings from authorised tests and research meant to help people and organisations fix security problems,” the page said.
“The posts are for learning and defense. They are not meant to teach or encourage illegal activity.
“I am not a cyber criminal. My intent is to promote cyber security and help make systems safer. I test systems to help owners find and fix weaknesses.”
The threat actor also attempts to distance itself from any illegal activity, saying they are not responsible for the use of the data it posts, cannot guarantee accuracy, and does not take responsibility for damages and loss as a result.
“If you own a system that might be affected or want a professional audit, contact me, and we’ll arrange an authorised lawful test,” the threat actor said, despite the fact that the testing is not lawful or authorised.