BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks


What happened

Germany’s Federal Criminal Police Office (BKA) has identified two alleged key figures behind the defunct REvil ransomware operation and tied them to 130 ransomware attacks in Germany. One of the suspects, identified as Daniil Maksimovich Shchukin, allegedly acted as a representative of the group and had previously used the aliases UNKN, Oneiilk2, Oneillk2, Oneillk22, and GandCrab. The second suspect, Anatoly Sergeevitsch Kravchuk, is accused of acting as a developer for REvil. According to the BKA, 25 of the 130 cases resulted in ransom payments totaling €1.9 million, while the attacks caused overall financial damage of more than €35.4 million. The law enforcement action adds to a longer international effort targeting the REvil ransomware ecosystem after the group’s operations were disrupted in 2021. 

Who is affected

The direct impact falls on German organizations hit in the 130 attacks attributed to the two alleged REvil figures. The BKA said 25 of those incidents led to ransom payments, while the total financial damage across the cases exceeded €35.4 million. 

Why CISOs should care

This matters because the case puts numbers around the financial impact of a major ransomware operation and shows that law enforcement is still working to identify and attribute alleged core members years after the group’s most visible activity. It also reinforces how ransomware groups can keep causing downstream consequences long after their public infrastructure disappears. 

3 practical actions

  1. Treat affiliate-driven ransomware as durable risk: Keep planning for ransomware ecosystems that can continue causing harm through affiliates and reused infrastructure even after the main brand appears to shut down. 
  2. Quantify ransomware impact beyond ransom paid: Measure total operational and financial damage separately from ransom payments, since the reported losses in Germany far exceeded the amount paid to attackers. 
  3. Use attribution developments to update threat models: Refresh threat tracking and response planning when law enforcement identifies alleged operators, aliases, and roles inside major ransomware groups. 


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.