BKA unmasks two REvil Ransomware operators behind 130+ German attacks

German police BKA identified two key REvil ransomware members, linking them to over 130 attacks in Germany.

Germany’s Federal Criminal Police (BKA) has identified two key figures behind the REvil ransomware group, linking them to more than 130 attacks in the country. The first suspect is Daniil Maksimovich Shchukin (31), a Russian national known online as UNKN, who promoted ransomware on cybercrime forums.

“Daniil Maksimovich Shchukin is wanted internationally on suspicion of numerous organized and commercial ransomware extortions targeting businesses, public institutions, and other organizations.” reads the BKA’s announcement. “From at least the beginning of 2019 until at least July 2021, he and others acted as the leader of one of the world’s largest ransomware groups, known as GandCrab/REvil.”

Between early 2019 and July 2021, Shchukin promoted the ransomware on the popular XSS cybercrime forums.

“An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.” reported the popular cybersecurity investigator Brian Krebs. “Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.”

Krebs remarked that Shchukin’s name appeared in a 2023 U.S. case tied to crypto funds from REvil, including a wallet with over $317,000.

On May 31, 2019, the GandCrab group shut down after earning over $2 billion from ransomware attacks and openly bragged about its success. Around the same time, REvil appeared, led by a figure known as UNKNOWN, who promoted the group on a Russian cybercrime forum and backed it with a $1 million escrow deposit.

Experts see REvil as a rebrand of GandCrab, continuing the same model. UNKNOWN described how he rose from poverty to wealth through cybercrime and reinvested profits to expand and improve the operation like a business.

REvil grew into a powerful ransomware group that targeted large organizations with high revenues and cyber insurance. In July 2021, it attacked Kaseya, impacting over 1,500 organizations. The FBI had already infiltrated REvil’s systems and later released a free decryption key, weakening the group.

In October 2021, the REvil ransomware gang shut down its operation once again after a threat actor had hijacked its Tor leak site and payment portal. The news of the hack was shared by the REvil representative ‘0_neday’ on the XSS hacking forum. He initially confirmed that someone had compromised their server, but later denied it.

The news of the hack was first reported by Dmitry Smilyanets from Recorded Future.

0_neday added that someone had brought up the REvil hidden services using the gang’s private keys. He also said that the gang had found no signs of compromise on its servers, but had nonetheless decided to shut down the operation.

Authorities link Shchukin to the operation and believe he now lives in Russia. Investigators also connect him to earlier cybercrime activity under the alias “Ger0in,” tied to botnets and malware distribution.

German police also added Anatoly Sergeevitsch Kravchuk, a 43-year-old Russian, to the wanted list, accusing him of developing REvil during the same period.

“Anatoly Sergeevich Kravchuk is wanted internationally on suspicion of numerous organized and commercial ransomware extortions targeting businesses, public institutions, and other organizations.” states BKA. “From at least the beginning of 2019 until at least July 2021, he and others acted as the head of one of the world’s largest ransomware groups, known as GandCrab/REvil.”

In October 2024, four former members of the REvil ransomware group were sentenced in Russia for hacking and money laundering, marking a rare case of Russian gang members being convicted in the country.

The four men are Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov. They were convicted of illegal payment handling, with Puzyrevsky and Khansvyarov also found guilty of malware use and distribution.

“On Friday, October 25, the St. Petersburg Garrison Military Court announced the verdict against Artem Zayets, Aleksey Malozemov, Daniil Puzyrevsky and Ruslan Khansvyarov. The court found them guilty of illegal circulation of means of payment (Part 2 of Article 187 of the Criminal Code of the Russian Federation).” reported Russian news outlet Kommersant. “Puzyrevsky and Khansvyarov were also found guilty of using and distributing malicious programs (Part 2 of Article 273 of the Criminal Code of the Russian Federation), a Kommersant-SPb correspondent reports from the courtroom.”

Zayets and Malozemov received 4.5 and 5 years, while Khansvyarov and Puzyrevsky were sentenced to 5.5 and 6 years in a general regime penal colony.

The four men were identified as part of an investigation into the REvil ransomware group, prompted by a U.S. request linking the group’s leader to cyberattacks on foreign tech firms. The authorities initially identified 14 suspects who were detained, with eight brought to trial and four more – Andrey Bessonov, Mikhail Golovachuk, Roman Muromsky, and Dmitry Korotayev – facing separate charges of illegal computer access. The cases have been sent to the Russian Prosecutor General’s Office for consolidation, and all defendants have been held since early 2022.

In May 2024, Ukrainian national Yaroslav Vasinskyi (24), aka Rabotnik, was sentenced to more than 13 years in prison and ordered to pay $16 million in restitution for conducting numerous ransomware attacks and extorting victims.

Vasinskyi is a member of the REvil ransomware gang and was sentenced for his role in carrying out more than 2,500 ransomware attacks and demanding over $700 million in ransom payments.

In November 2021, the US Department of Justice charged Vasinskyi, a REvil ransomware affiliate, with orchestrating the ransomware attacks on the Kaseya MSP platform that took place on July 4, 2021.

Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was arrested on October 8, 2021, while trying to enter Poland. He was extradited to the U.S. in March 2022.

Vasinskyi had been a REvil ransomware affiliate since at least March 1st, 2019.

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

Germany Names Suspected Leader of REvil and GandCrab Ransomware Gangs

German authorities have named a key figure behind some of the most notorious ransomware operations in recent years, linking a real identity to the REvil ransomware gang and its predecessor, the GandCrab ransomware network. According to Germany’s Federal Criminal Police (BKA), a 31-year-old Russian national, Daniil Maksimovich Shchukin, has been identified as the individual operating under the alias “UNKN” or “UNKNOWN.” Investigators say he led both ransomware gangs and was directly involved in at least 130 cyberattacks targeting victims in Germany between 2019 and 2021. The identification marks a significant development in the long-running investigation into the REvil ransomware gang, which at its peak was one of the most aggressive and financially successful cybercrime operations globally.

Inside the REvil Ransomware Gang’s Operations

Authorities allege that Shchukin, along with another suspect, Anatoly Sergeevitsch Kravchuk, carried out coordinated attacks that extorted nearly €2 million, while causing more than €35 million in economic damage. The REvil ransomware gang and GandCrab ransomware group were among the first to popularize “double extortion”, a tactic that changed the ransomware landscape. Victims were not only asked to pay for decryption keys but also pressured to pay again to prevent stolen data from being published. This model has since become standard across ransomware gangs, making attacks more damaging and recovery more difficult for victims.

From GandCrab to REvil: Evolution of a Cybercrime Enterprise

The GandCrab ransomware operation first appeared in 2018 and quickly gained traction through an affiliate model. Hackers were offered a share of profits in exchange for breaching corporate systems, while the core operators maintained and improved the malware. Over time, GandCrab released multiple versions of its ransomware, each designed to evade detection and improve effectiveness. By May 2019, the group claimed to have earned over $2 billion before announcing its shutdown. Soon after, the REvil ransomware gang emerged. Many cybersecurity experts viewed it as a direct continuation or rebranding of GandCrab. Operating under the same alias “UNKNOWN,” the group expanded its reach and began targeting larger organizations with deeper pockets. REvil became known for “big-game hunting”—focusing on enterprises with significant revenues and cyber insurance coverage, increasing the likelihood of large payouts.

Industrialization of Ransomware Gangs

What makes the REvil ransomware gang particularly significant is how it operated more like a business than a traditional cybercriminal group. Ransomware developers outsourced tasks such as gaining initial access, encrypting systems, and laundering payments. Specialized actors—like access brokers and crypto laundering services—formed an entire underground ecosystem supporting these attacks. This structure allowed ransomware gangs to scale operations quickly, reinvest profits, and continuously improve their tools. As a result, attacks became more targeted, more sophisticated, and more difficult to stop.

High-Profile Attacks and Law Enforcement Response

One of the most notable incidents linked to the REvil ransomware gang was the 2021 attack on Kaseya, which impacted over 1,500 businesses worldwide. The scale of the breach demonstrated how ransomware could disrupt entire supply chains. However, the same attack also marked the beginning of REvil’s decline. The FBI later revealed it had gained access to the group’s infrastructure before the incident but could not act immediately without compromising its investigation. Subsequent actions, including the release of a free decryption key, weakened the group’s operations significantly.

Following the Money and Identity Trail

Shchukin’s name had previously surfaced in a 2023 U.S. Department of Justice filing related to cryptocurrency seizures tied to REvil activities. Authorities linked him to digital wallets holding over $317,000 in illicit funds. Despite the identification, German authorities believe Shchukin remains in Russia, beyond immediate reach. “Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA noted.

What This Means for the Ransomware Landscape

The exposure of a suspected leader behind the REvil ransomware gang is a rare win for law enforcement in a space where attribution is often difficult. But the broader issue remains. The structure pioneered by GandCrab ransomware and refined by REvil continues to influence modern ransomware gangs. The tools, tactics, and business models are still widely used. Even as individual operators are identified, the ecosystem they helped build continues to operate. The takeaway is clear: ransomware is no longer just a technical threat—it is an organized, evolving industry.