Unsafe Ransomware allegedly targets Deutsche Bank

A ransomware group known as Unsafe Ransomware has reportedly targeted Deutsche Bank, one of Germany’s largest financial institutions, claiming to have compromised employee data during a recent cyberattack. According to the threat actors, the stolen information has been published on the dark web after the bank allegedly failed to respond to or meet their ransom demands. If the claims are accurate, the leaked data could increase the risk of phishing campaigns, identity theft, and other cybercriminal activities targeting the bank’s employees.

Despite these allegations, Deutsche Bank has strongly denied that a significant security breach occurred. The bank stated that its internal investigation found no evidence of a third-party compromise affecting its corporate network. It also emphasized that no sensitive employee information had been exposed as a result of the incident. The organization maintains that its systems remain secure and that the claims made by the ransomware group are not supported by its findings.

However, conflicting reports have emerged from cybersecurity sources monitoring ransomware activity. Information shared through a Telegram channel associated with cyber threat intelligence suggests that the attackers may have obtained and leaked a variety of employee-related records. The alleged data includes employee email addresses, password hashes, physical mailing addresses, employment status, and work history. While password hashes are encrypted rather than stored in plain text, they can still present a security risk if weak passwords are used or if attackers are able to crack them through offline attacks.

If such information has indeed been exposed, cybercriminals could use it to launch highly targeted phishing or social engineering attacks against employees. Personal and employment-related details can make fraudulent emails or messages appear more convincing, increasing the likelihood that recipients may unknowingly disclose additional sensitive information or credentials.

This is not the first time Deutsche Bank has been linked to ransomware-related incidents. In 2023, the bank was reportedly among the organizations affected by attacks involving the Clop and LockBit ransomware groups. Those incidents were connected to the widespread exploitation of vulnerabilities leading to MOVEit Cyber Attack, impacting hundreds of organizations worldwide and resulted in significant data exposure across multiple industries.

Unsafe Ransomware itself is not a new threat. The group first emerged in 2022 and operates under the Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy its ransomware in exchange for a share of the ransom payments. After reportedly scaling back or pausing its operations during 2024, the group resurfaced in December 2025 with renewed activity. Since then, it has allegedly targeted organizations across several countries, including Switzerland, France, Germany, and the United States.

At present, the claims surrounding the alleged Deutsche Bank breach remain disputed. Until independent cybersecurity investigations or official evidence confirms the extent of the incident, the ransomware group’s assertions should be treated with caution. Nevertheless, the case highlights the continuing threat posed by ransomware operators and the importance of robust cybersecurity measures, employee awareness, and timely incident response in protecting sensitive organizational data.

Join our LinkedIn group Information Security Community!

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

No posts to display