🔓 BREACH BRIEF

BKA Unmasks Two REvil Operators Behind 130+ German Ransomware Attacks

Germany's Federal Criminal Police (BKA) has identified two Russian nationals as senior REvil members and linked them to more than 130 ransomware incidents against German businesses and public institutions between 2019 and July 2021, with roughly €2 million extorted and about €35 million in total economic damage. The case is a reminder that ransomware risk reaches your organization through its third‑party vendors.

🛡️ LiveThreat™ Intelligence · 📅 April 07, 2026 · 📰 securityaffairs.com

🟠 Severity: High
💀 Type: Ransomware
🎯 Confidence: High
🏢 Affected: 5 sector(s)
Actions: 4 recommended
📰 Source: securityaffairs.com


What Happened – Germany's Federal Criminal Police (BKA) publicly named two Russian nationals, Daniil Maksimovich Shchukin (aka "UNKN") and Anatoly Sergeevitsch Kravchuk, as senior members of the REvil ransomware group. The investigation links them to more than 130 ransomware incidents against German businesses and public institutions between 2019 and July 2021, resulting in roughly €2 million extorted and about €35 million in total economic damage.

Why It Matters for TPRM

  • Naming two senior operators does not end the threat: the brief notes that the group remains active under new aliases, so REvil‑style extortion remains a live risk for third‑party vendors.
  • The 130+ incidents spanned multiple sectors, showing that any supplier with weak cyber hygiene can become a ransomware victim, regardless of industry.
  • The confirmed extortion payments and economic damage illustrate the downstream cost to your own organization when a vendor is encrypted or has its data leaked.

Who Is Affected – Manufacturing, Healthcare, Public‑sector agencies, Financial services, Technology firms, and any midsize‑to‑large enterprise in Germany that relied on vulnerable on‑premises or cloud services.

Recommended Actions

  • Review all contracts with German‑based suppliers for ransomware‑specific clauses, breach‑notification timelines, and incident‑response obligations.
  • Verify that vendors maintain current backups, keep at least one copy offline or immutable, and test restore procedures on a schedule.
  • Monitor your own telemetry (endpoint, DNS, remote‑access and file‑share logs) for REvil‑related IOCs: malware hashes, ransom‑note filenames, and C2 domains.
  • Ensure cyber‑insurance policies cover ransomware extortion and business interruption, including losses caused by a vendor's outage.

Technical Notes – REvil (also known as Sodinokibi) relied on the initial‑access routes typical of affiliate‑run ransomware: phishing emails, exploit kits, abuse of exposed RDP with weak or stolen credentials, and exploitation of unpatched internet‑facing services; the group is best known for the July 2021 Kaseya VSA supply‑chain attack, which pushed the ransomware through a managed‑service tool to downstream customers. On a compromised host the malware encrypts files with per‑file Salsa20 keys protected by a Curve25519 key exchange (not AES‑256), appends a random extension to each encrypted file, and drops a "<extension>-readme.txt" ransom note demanding payment in cryptocurrency; data was typically exfiltrated beforehand for double extortion. The source reporting ties no specific CVE to the German incidents. Source: Security Affairs
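The IOC monitoring recommended above, and the ransom‑note behaviour described in the Technical Notes, as an added example that is not part of the original brief or of any LiveThreat product: a small matcher that normalises a constructed IOC feed (hashes, C2 domains, the "<extension>-readme.txt" note pattern) and runs it over constructed endpoint file‑write and DNS events. The hashes, domains, hostnames, paths and the "ts type k=v" log format are all placeholders invented for this example, not real REvil indicators or real telemetry; the 5–10 character bound on the random extension is an assumption about typical samples.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed placeholder IOCs. These are NOT real REvil indicators; a real
# feed would be loaded from your TIP/MISP export in the same shape.
IOC_HASHES = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
IOC_DOMAINS = {
    "c2.example.invalid",
}
# Sodinokibi/REvil writes its note as "<ext>-readme.txt", <ext> being the
# random extension appended to encrypted files on that host. The 5-10
# alphanumeric length bound is an assumption, not documented behaviour.
RANSOM_NOTE_RE = re.compile(r"^([0-9a-z]{5,10})-readme\.txt$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    ioc_type: str   # "hash", "c2_domain" or "ransom_note"
    value: str      # the matched indicator
    raw: str        # the event line that produced the hit


def parse_event(line: str) -> dict:
    """Parse 'ts type k=v k=v ...' into a dict (constructed log format)."""
    ts, kind, *kv = line.split()
    ev = {"ts": ts, "type": kind, "raw": line}
    for item in kv:
        k, _, v = item.partition("=")
        ev[k] = v
    return ev


def match_domain(qname: str) -> str | None:
    """Exact or subdomain match; tolerant of case and a trailing dot."""
    q = qname.strip().lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_event(ev: dict) -> list[Hit]:
    hits: list[Hit] = []
    if ev["type"] == "file":
        # Accept Windows or POSIX separators; inspect only the basename.
        name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if RANSOM_NOTE_RE.match(name):
            hits.append(Hit("ransom_note", name, ev["raw"]))
        h = ev.get("sha256", "").strip().lower()   # feeds mix upper/lower case
        if h in IOC_HASHES:
            hits.append(Hit("hash", h, ev["raw"]))
    elif ev["type"] == "dns":
        d = match_domain(ev.get("qname", ""))
        if d:
            hits.append(Hit("c2_domain", d, ev["raw"]))
    return hits


def scan_lines(lines) -> list[Hit]:
    hits: list[Hit] = []
    for line in lines:
        if line.strip():
            hits.extend(scan_event(parse_event(line)))
    return hits


def hosts_with_ransom_notes(hits) -> set[str]:
    """Hosts where a note was written: encryption has already run there."""
    return {parse_event(h.raw).get("host", "?") for h in hits if h.ioc_type == "ransom_note"}


# Constructed sample events (endpoint file writes + DNS queries), not real telemetry.
SAMPLE_LINES = [
    "2021-07-02T13:03:40Z file host=ws-17 path=C:\\Temp\\svchost.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2021-07-02T13:04:58Z dns host=ws-17 qname=beacon.c2.example.invalid.",
    "2021-07-02T13:04:59Z dns host=ws-17 qname=updates.microsoft.com",
    "2021-07-02T13:05:11Z file host=ws-17 path=C:\\Users\\finance\\Documents\\5l4ptk-readme.txt sha256=-",
    "2021-07-02T13:05:12Z file host=ws-17 path=C:\\Users\\finance\\Documents\\Q2.xlsx.5l4ptk sha256=-",
    "2021-07-02T13:06:02Z file host=srv-fs01 path=/srv/share/legal/5l4ptk-readme.txt sha256=-",
    "2021-07-02T13:06:30Z file host=ws-22 path=C:\\Users\\bob\\readme.txt sha256=-",
]

if __name__ == "__main__":
    for h in scan_lines(SAMPLE_LINES):
        print(f"{h.ioc_type:12} {h.value:45} {h.raw[:60]}")
```

The note‑pattern match is the most useful of the three in practice: hashes change per affiliate build and C2 domains rotate, but a "<random>-readme.txt" appearing on several hosts within minutes is a strong signal that encryption is already under way and that isolation, not further triage, is the next step.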

📰 Original Source
https://securityaffairs.com/190401/cyber-crime/bka-unmasks-two-revil-ransomware-operators-behind-130-german-attacks.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
