German Authorities Expose Key Figures Behind REvil Ransomware Operation
The Federal Criminal Police Office of Germany, known as the BKA (Bundeskriminalamt), has unveiled the true identities of two central figures linked to the now-defunct REvil (also referred to as Sodinokibi) ransomware-as-a-service (RaaS) operation, a notorious threat that has wreaked havoc on organizations worldwide.
In a significant move to bring cybercriminals to justice, authorities identified one of the key perpetrators, an individual operating under the pseudonym "UNKN." He was a prominent figure within the group, actively promoting the ransomware on the XSS cybercrime forum as early as June 2019. His real name is Daniil Maksimovich Shchukin, a 31-year-old Russian national. Shchukin is known to have operated under several aliases, including Oneiilk2, Oneillk2, Oneillk22, and GandCrab.
The revelation occurred through meticulous investigative efforts by the BKA and was first reported by renowned security journalist Brian Krebs. The BKA noted that Shchukin was a leading figure in one of the most significant global ransomware groups, GandCrab/REvil, from early 2019 until at least July 2021. During this time, he collaborated with a network of criminals, employing sophisticated techniques to demand exorbitant ransom payments from victims, threatening to leak sensitive data if their financial demands were not met.
In addition, the BKA has included another critical player on its wanted list: Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, originally from the Ukrainian city of Makiivka. Allegations indicate that Kravchuk played a vital role in the development of REvil during the same timeline, underscoring the collaborative nature of the operation.
The BKA’s investigations reveal that Shchukin and Kravchuk are implicated in 130 ransomware attacks across Germany. Of these incidents, 25 resulted in actual ransom payments totaling €1.9 million (approximately $2.19 million). Collectively, these attacks incurred staggering financial damages exceeding €35.4 million (about $40.8 million), showcasing the extensive impact of their cybercriminal activities.
REvil, also known as Water Mare and Gold Southfield, emerged as one of the most prolific ransomware groups in recent years, targeting high-profile organizations such as JBS, a major meat processing company, and Kaseya, an IT management provider. The group evolved from the earlier GandCrab ransomware and was notorious for its aggressive tactics and the scale of its operations.
REvil’s activity also ended abruptly. In mid-July 2021, the group went offline without explanation, leaving many in the cybersecurity community puzzled. It resurfaced two months later, only to cease operations entirely by October 2021, when its data leak site was taken down in a concerted law enforcement effort.
After the shutdown of operations in 2021, Romanian authorities arrested two individuals involved in the REvil group’s affiliate network, highlighting the ongoing international push to dismantle the organization. In a move that raised eyebrows across the global security community, Russia’s Federal Security Service (FSB) announced in January 2022 that a number of REvil gang members had been arrested, effectively neutralizing the group’s operations. Four of those apprehended received prison sentences in October 2024, as reported by the Russian news outlet Kommersant.
Notably, Shchukin’s disappearance from cybercrime forums coincided with the law enforcement crackdown, after which another figure, known as REvil (later rebranded as 0_neday), took over as the public face of the gang’s operations.
In an earlier interview with Dmitry Smilyanets from Recorded Future in March 2021, Shchukin recounted his challenging upbringing, stating, “As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.” Such comments underline the stark transformation from a life of hardship to one marked by illicit wealth.
The identification of these individuals represents a crucial step in the ongoing battle against cybercrime, reflecting the relentless efforts of law enforcement agencies worldwide to bring down sophisticated ransomware operations that threaten businesses and individuals alike.
