BKA Unmasks REvil Ransomware Leaders Behind 130+ German Cyberattacks
- Apr 6
- 3 min read
Key Findings
- German Federal Criminal Police (BKA) identified two REvil ransomware operators responsible for over 130 attacks across Germany
- Daniil Maksimovich Shchukin (31), a Russian national operating under the alias UNKN, led the GandCrab/REvil groups from early 2019 through July 2021
- Anatoly Sergeevitsch Kravchuk (43), also Russian, served as the technical developer of REvil during the same period
- The two suspects orchestrated 25 attacks that resulted in €1.9 million in ransom payments, with total damages exceeding €35.4 million across Germany
- Shchukin is linked to earlier cybercrime activity under the alias "Ger0in" and maintains connections to cryptocurrency wallets containing over $317,000 from REvil operations
- Both suspects are believed to be currently residing in Russia
Background
REvil emerged in mid-2019 as what researchers consider a rebrand of the GandCrab ransomware operation. GandCrab had shut down on May 31, 2019, after generating over $2 billion in ransomware profits. The sudden appearance of REvil, promoted by an individual calling themselves UNKNOWN on Russian cybercrime forums, suggested organizational continuity. The new operation immediately backed itself with a $1 million escrow deposit to establish legitimacy within the cybercriminal ecosystem. REvil operated as a ransomware-as-a-service platform, recruiting affiliates to carry out attacks on its behalf in exchange for a cut of the profits.
Shchukin's Criminal Trajectory
Daniil Maksimovich Shchukin functioned as the public face and leader of the operation. From his early forum postings in 2019, he actively promoted the ransomware to potential affiliates on the XSS cybercrime forum. In a 2021 interview with security researcher Dmitry Smilyanets, Shchukin revealed he had been operating in the ransomware business since 2007. He described his rise from extreme poverty in Russia to becoming a millionaire through cybercrime, characterizing his operation with corporate language and discussing how he reinvested profits to expand and improve the enterprise. At its peak, Shchukin's organization managed approximately 60 affiliates. Investigators have connected him to earlier cybercrime activity dating back years under the alias "Ger0in," which involved botnet and malware distribution operations.
Kravchuk's Role as Developer
Anatoly Sergeevitsch Kravchuk provided the technical infrastructure that made REvil operational. Born in Makiivka, Ukraine, Kravchuk is accused of developing and maintaining the ransomware code throughout the group's active period. While Shchukin handled recruitment and promotion, Kravchuk kept the technical systems functional and effective, which made him essential to the operation's continued ability to target organizations.
Attack Scale and Financial Impact
Between 2019 and July 2021, Shchukin and Kravchuk orchestrated at least 130 ransomware attacks targeting German businesses, public institutions, and other organizations. Of these attacks, 25 resulted in actual ransom payments totaling €1.9 million. However, the broader economic damage from these incidents exceeded €35.4 million when accounting for downtime, recovery costs, and other expenses. The targeting strategy focused on organizations with significant revenue and active cyber insurance policies, making them more likely to pay ransoms quickly.
Notable Victims and Operations
REvil's most significant attack came in July 2021 when they compromised Kaseya, a software company used by managed service providers. This single incident cascaded across more than 1,500 downstream organizations, demonstrating the group's capability to cause widespread damage. Other notable victims included major corporations like JBS, a global meat processing company. These high-profile attacks raised REvil's profile both within the cybercriminal community and with international law enforcement agencies.
Operational Shutdown and Aftermath
REvil ceased operations twice during its existence. The first shutdown occurred in July 2021, shortly after the Kaseya attack and concurrent with FBI infiltration of their systems. The FBI released a decryption key derived from their infiltration, significantly undermining the group's leverage over victims. In October 2021, the group shut down permanently after an unknown threat actor hijacked their Tor leak site and payment portal using the gang's private keys. A REvil representative identified as '0_neday' initially confirmed the compromise but later claimed the gang found no evidence of server compromise. Regardless, leadership decided to cease operations entirely.
International Law Enforcement Response
The identification and public naming of Shchukin and Kravchuk represents significant progress in attributing ransomware operations to specific individuals. Both remain at large, believed to be in Russia. Russia's Federal Security Service arrested multiple REvil members in January 2022, though notably Shchukin and Kravchuk were not among them. In October 2024, four other REvil members were sentenced in Russia for their roles in the conspiracy, marking a rare instance of Russian authorities convicting cybercriminals for their participation in ransomware operations.
Sources
https://securityaffairs.com/190401/cyber-crime/bka-unmasks-two-revil-ransomware-operators-behind-130-german-attacks.html
https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html
https://teceze.com/what-is-ransomware-and-the-list-of-ransomware-attacks-in-2020