BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
Unmasked: German authorities identified the REvil ransomware leaders behind 130 attacks
Unmasked: German Authorities Identify REvil Ransomware Leaders Behind 130 Attacks
TL;DR
The German Federal Criminal Police Office (BKA) has officially identified the leaders of the defunct REvil ransomware-as-a-service (RaaS) operation. Russian nationals Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are accused of directing at least 130 attacks in Germany, causing over €35.4 million in total damages.
The veil of anonymity has been lifted from one of the most prolific cybercrime syndicates in history. Germany’s Federal Criminal Police Office, the Bundeskriminalamt (BKA), recently announced the identification of the primary threat actors behind REvil (also known as Sodinokibi), the ransomware-as-a-service operation that terrorized global enterprises for years.
The Face of "UNKN" Identified
For years, the public face of REvil was a representative known only by the alias UNKN (or Unknown). This individual acted as the group's liaison, famously advertising the ransomware on the Russian-language cybercrime forum XSS in June 2019.
The BKA has now identified UNKN as Daniil Maksimovich Shchukin, a 31-year-old Russian national. According to law enforcement, Shchukin also operated under the monikers Oneiilk2, Oneillk2, Oneillk22, and GandCrab.
In a 2021 interview, Shchukin claimed a "rags-to-riches" backstory, stating he grew up in extreme poverty, scavenged for food, and walked 10 kilometers to school. He boasted, "Now I am a millionaire," claiming to have been in the ransomware business since 2007.
The Developer: Anatoliy Sergeevitsch Kravchuk
Alongside Shchukin, the BKA has added Anatoly Sergeevitsch Kravchuk to its wanted list. Kravchuk is a 43-year-old Russian national born in Makiivka, Ukraine. Investigators allege that Kravchuk served as the primary developer for the REvil ransomware between early 2019 and July 2021.
The BKA states that Shchukin, in cooperation with Kravchuk and other associates, led REvil during its most aggressive period of growth following its evolution from the earlier GandCrab ransomware.
Impact on Germany: Millions in Damages
The investigation specifically links Shchukin and Kravchuk to 130 ransomware attacks across Germany. The data provided by the BKA paints a stark picture of the financial toll:
- Total Financial Damages: Exceeding €35.4 million ($40.8 million).
- Ransom Payments: 25 cases resulted in payments totaling €1.9 million ($2.19 million).
- Operating Model: The group utilized "double extortion," demanding payments for both data decryption and the promise not to leak stolen sensitive information.
The Rise and Fall of REvil
REvil was responsible for high-profile strikes against global giants such as JBS and Kaseya. The group’s operations were highly organized, at one point managing up to 60 affiliates who carried out attacks using the group's proprietary malware.
The syndicate’s downfall began in late 2021:
- July 2021: The group mysteriously went offline.
- October 2021: Law enforcement operations seized the group’s servers, rendering their data leak site inaccessible.
- January 2022: In a rare display of international cooperation, Russia’s Federal Security Service (FSB) claimed to have neutralized the gang and arrested several members.
- October 2024: Four members were reportedly sentenced to prison terms in Russia.
Current Status
While some members have been apprehended, the identification of Shchukin and Kravchuk represents a significant milestone in the BKA's ongoing efforts to hold the leadership of the syndicate accountable. The BKA notes that these individuals acted as leaders of one of the largest global ransomware groups during a three-year span of heightened activity.
The source does not specify the current whereabouts of Shchukin and Kravchuk, though they have been officially placed on the wanted list.
Source: https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html