BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks


What happened

Germany’s Federal Criminal Police Office (BKA) has identified two alleged key figures behind the defunct REvil ransomware operation and tied them to 130 ransomware attacks in Germany. One of the suspects, identified as Daniil Maksimovich Shchukin, allegedly acted as a representative of the group and had previously used the aliases UNKN, Oneiilk2, Oneillk2, Oneillk22, and GandCrab. The second suspect, Anatoly Sergeevitsch Kravchuk, is accused of acting as a developer for REvil. According to the BKA, 25 of the 130 cases resulted in ransom payments totaling €1.9 million, while the attacks caused overall financial damage of more than €35.4 million. The law enforcement action adds to a longer international effort targeting the REvil ransomware ecosystem after the group’s operations were disrupted in 2021. 

Who is affected

The direct impact falls on German organizations hit in the 130 attacks attributed to the two alleged REvil figures. The BKA said 25 of those incidents led to ransom payments, while the total financial damage across the cases exceeded €35.4 million. 

Why CISOs should care

This matters because the case puts numbers around the financial impact of a major ransomware operation and shows that law enforcement is still working to identify and attribute alleged core members years after the group’s most visible activity. It also reinforces how ransomware groups can keep causing downstream consequences long after their public infrastructure disappears. 

3 practical actions

  1. Treat affiliate-driven ransomware as durable risk: Keep planning for ransomware ecosystems that can continue causing harm through affiliates and reused infrastructure even after the main brand appears to shut down. 
  2. Quantify ransomware impact beyond ransom paid: Measure total operational and financial damage separately from ransom payments, since the reported losses in Germany far exceeded the amount paid to attackers. 
  3. Use attribution developments to update threat models: Refresh threat tracking and response planning when law enforcement identifies alleged operators, aliases, and roles inside major ransomware groups. 
