German Authorities Unmask REvil Ransomware Leaders Behind 130 Attacks
Germany’s Federal Criminal Police Office (BKA) has successfully identified two principal figures associated with the notorious REvil ransomware group, responsible for numerous cyberattacks worldwide. The individuals, previously known only by their online aliases, have been unmasked as Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk.
Daniil Maksimovich Shchukin, a 31-year-old Russian national, operated under the pseudonym UNKN and was a prominent representative of REvil. He actively promoted the ransomware on cybercrime forums such as XSS starting in June 2019. Shchukin also used other online monikers, including Oneiilk2, Oneillk2, Oneillk22, and GandCrab. His involvement with REvil dates back to early 2019, during which he played a pivotal role in orchestrating ransomware attacks and demanding substantial ransoms in exchange for decrypting victims’ data.
Anatoly Sergeevitsch Kravchuk, a 43-year-old born in Makiivka, Ukraine, is alleged to have been the developer behind the REvil ransomware during the same period. Both Shchukin and Kravchuk are suspected of executing 130 ransomware attacks across Germany. Of these incidents, 25 resulted in ransom payments totaling €1.9 million ($2.19 million), with the overall financial damages exceeding €35.4 million ($40.8 million).
REvil, also known as Sodinokibi, was among the most prolific ransomware groups, targeting high-profile companies like JBS and Kaseya. The group emerged as an evolution of the GandCrab ransomware and mysteriously went offline in mid-July 2021, only to resurface two months later. By October 2021, REvil ceased operations, and its data leak site became inaccessible following a coordinated law enforcement operation. Subsequently, Romanian authorities arrested two individuals affiliated with the REvil ransomware family.
In a rare move, Russia’s Federal Security Service (FSB) announced in January 2022 the arrest of several members belonging to the REvil gang, effectively neutralizing its operations. By October 2024, four of these members were sentenced to several years in prison, as reported by Russian news outlet Kommersant.
The disappearance of UNKN from cybercrime forums coincided with these law enforcement actions, leading another user, REvil (later renamed to 0_neday), to become the public face of the group’s operations. In a March 2021 interview with Recorded Future’s Dmitry Smilyanets, UNKN revealed his involvement in the ransomware business since 2007 and mentioned that the group had up to 60 affiliates at one point. Reflecting on his past, he stated: "As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire."
The identification and pursuit of Shchukin and Kravchuk underscore the ongoing efforts by international law enforcement agencies to dismantle cybercriminal networks and hold perpetrators accountable for their actions.