The German Federal Criminal Police Office, known as BKA (Bundeskriminalamt), has identified two prominent figures associated with the now-defunct REvil ransomware-as-a-service (RaaS) operation. This significant development comes amid ongoing efforts to combat ransomware threats globally, drawing attention to the individuals behind the cybercriminal enterprise.

One of the individuals, identified as Daniil Maksimovich Shchukin, used the online alias UNKN and served as a spokesperson for the group. In June 2019, he began promoting the ransomware on the XSS cybercrime forum. Shchukin, a 31-year-old Russian, is also known by various online names, including Oneiilk2 and GandCrab. According to reports by independent journalist Brian Krebs, the BKA claims Shchukin played a leading role in one of the largest global ransomware collectives, operational from early 2019 until at least July 2021. The group was infamous for demanding hefty ransoms for data decryption and protection against data leaks.

Alongside Shchukin, Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian born in Makiivka, Ukraine, has been placed on the wanted list as a suspected developer of the REvil ransomware during the same timeframe. Both individuals are believed to be responsible for approximately 130 ransomware attacks in Germany, with 25 of those incidents resulting in ransom payments totaling €1.9 million (approximately $2.19 million). The collective impacts of these attacks reportedly exceeded €35.4 million ($40.8 million) in financial damages.

REvil, also known as Water Mare and Gold Southfield, targeted various high-profile companies, including JBS and Kaseya. This group evolved from the GandCrab ransomware and mysteriously went offline in July 2021, resurfacing a couple of months later. By October 2021, the group ceased operations amidst a law enforcement crackdown, which led to the inaccessibility of its data leak site. Subsequently, Romanian authorities announced the arrests of two affiliates linked to the REvil operation.

In a rare public announcement, Russia’s Federal Security Service (FSB) reported in January 2022 the arrest of several REvil operatives, effectively neutralizing the group’s activities. Four of those arrested were later confirmed to have been sentenced to prison in late 2024, underscoring the continuing international collaboration to dismantle cybercrime networks.

Shchukin’s abrupt disappearance from cybercrime forums coincided with the law enforcement operation, after which another user known as REvil (later 0_neday) took over as the group’s public face. In a March 2021 interview, Shchukin remarked on his beginnings in the ransomware business, claiming to have started in 2007 with a network of around 60 affiliates. He drew a stark contrast between his difficult upbringing and his current wealth, a narrative that sheds light on the motivations driving such cybercriminal activities.

The BKA’s identification of these individuals is useful context for understanding the tactics and techniques used in the attacks. The MITRE ATT&CK tactics most relevant to this case are initial access, persistence, and privilege escalation, which ransomware operators rely on to gain and maintain control over targeted systems. Organizations should therefore remain vigilant and keep their defenses against ransomware threats that exploit similar weaknesses up to date.
