BKA Uncovers REvil Leaders Tied to 130 Ransomware Attacks Across Germany
What Happened — Germany’s Federal Criminal Police Office (BKA) has publicly identified the real identities of two senior figures behind the now‑defunct REvil (Sodinokibi) ransomware‑as‑a‑service operation. The individuals were linked to more than 130 ransomware incidents targeting German organizations since 2019.
Why It Matters for TPRM —
- REvil’s RaaS model shows how criminal “service providers” can amplify risk for third‑party vendors and their customers.
- Publicly naming the operators shows law enforcement’s growing ability to attribute ransomware activity to individuals, but the platform’s former affiliates and their tooling may still be active under other names.
- Organizations must reassess ransomware exposure, especially where older vendor contracts lack ransomware provisions or where legacy software remains unpatched.
Who Is Affected — Enterprises across Germany in finance, healthcare, manufacturing, public sector, and retail that were victims of the more than 130 attacks, as well as any third‑party vendors that supplied software or services to those victims.
Recommended Actions —
- Review all vendor contracts for ransomware‑related clauses and insurance coverage.
- Verify that vendors and affected customers have offline, regularly tested backup and recovery procedures.
- Conduct threat‑intel monitoring for REvil‑related indicators of compromise (IOCs) in your environment.
- Re‑evaluate endpoint detection and response (EDR) controls against known REvil tactics.
Technical Notes — REvil operated as a ransomware‑as‑a‑service platform: the core group maintained the malware and extortion infrastructure while affiliates carried out intrusions using phishing, exploit kits, and double‑extortion tactics, exfiltrating sensitive files before encrypting data. The group advertised its services on the XSS cybercrime forum in 2019. No new CVEs were disclosed; the campaigns reused known Windows vulnerabilities and credential‑theft tools. Source: The Hacker News