Full Report
Germany's Federal Criminal Police Office (aka BKA or the Bundeskriminalamt) has unmasked the real identity of the main threat actors associated with the now-defunct REvil (aka Sodinokibi) ransomware-as-a-service (RaaS) operation. The threat actor, who went by the alias UNKN, functioned as a representative of the group, advertising the ransomware in June 2019 on the XSS cybercrime forum. He
Analysis Summary
# Threat Actor: REvil (aka Sodinokibi) Leadership
## Attribution & Identity
* **Primary Identity:** **Daniil Maksimovich Shchukin** (Russian national, 31 years old).
* **Known Aliases:** UNKN (Unknown), Oneiilk2, Oneillk2, Oneillk22, and GandCrab.
* **Key Associate:** **Anatoly Sergeevitsch Kravchuk** (Russian national, 43 years old). Identified as the lead developer for REvil.
* **Associated Groups:**
* **GandCrab** (Predecessor/Historical group)
* **Gold Southfield** (Industry designation)
* **Water Mare** (Industry designation)
* **0_neday** (Successor forum representative)
## Activity Summary
According to the German Federal Criminal Police Office (BKA), Shchukin and Kravchuk operated as the leadership of REvil from early 2019 until at least July 2021. They ran the RaaS platform and advertised it on the XSS cybercrime forum. Shchukin served as the group's public representative and negotiator, while Kravchuk was responsible for developing the ransomware code.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Operating a platform where affiliates carry out attacks using the group's malware in exchange for a percentage of the ransom.
* **Double Extortion:** Encrypting victim data and threatening to leak sensitive information on a dedicated "leak site" if demands are not met.
* **Forum Recruitment:** Using cybercrime forums (specifically XSS) to recruit affiliates and advertise software updates.
* **Supply Chain Attacks:** Leveraging vulnerabilities in managed service providers (MSPs) or software vendors to hit thousands of downstream victims simultaneously.
## Targeting
* **Sectors:** Agriculture (e.g., JBS), Information Technology (e.g., Kaseya), Manufacturing, and Public Services.
* **Geography:** Global reach, with a specific focus in this report on **Germany** (130 identified attacks).
* **Victims:**
* JBS (Global meat processing)
* Kaseya (IT management software)
* Apple (data stolen via the compromise of a hardware supplier)
* 130 specific targets within Germany (25 of which paid ransoms).
## Tools & Infrastructure
* **Malware families used:**
* REvil / Sodinokibi
* GandCrab (Earlier iteration)
* **Infrastructure:**
* **XSS[.]is:** Cybercrime forum used for communication and recruitment.
* **Tor-based Leak Sites:** "Happy Blog" (used for data shaming and extortion).
* **C2:** Operator-controlled backend infrastructure used to manage affiliate payloads; the report does not detail specific C2 hosts or protocols.
## Implications
The unmasking of Shchukin and Kravchuk represents a significant milestone in international law enforcement cooperation against top-tier RaaS operators. By identifying the "brain trust" (leadership and development), authorities disrupt the continuity of the e-crime ecosystem. However, the actor’s claims of being active since 2007 suggest a deep-seated institutional knowledge of cybercrime that often persists even after individual groups are neutralized, as members often "rebrand" or join other syndicates.
## Mitigations
* **Offline Backups:** Maintain immutable, offline backups of critical data to negate the leverage of encryption.
* **Vulnerability Management:** Prioritize patching of public-facing assets and software frequently targeted in supply chain attacks (e.g., VSA servers, VPNs).
* **Endpoint Detection and Response (EDR):** Deploy EDR tools to identify the behavioral patterns of ransomware execution before encryption occurs.
* **Multi-Factor Authentication (MFA):** Enforce strict MFA across all remote access points to prevent affiliate entry via stolen credentials.
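The EDR mitigation above hinges on catching ransomware behaviour before files are encrypted. The following is an added example (not code from the report or from any EDR product) of the two cheapest behavioural signals an endpoint sensor can act on: precursor commands that destroy recovery options (shadow-copy deletion, disabling Windows recovery) and a burst of file renames to one new extension on a single host. The telemetry format (`ts|host|type|detail`), the thresholds, the host names and the `.abc12` extension are all constructed for this example; the precursor command patterns are generic ransomware indicators, not signatures attributed to REvil by the report.

```python
"""Toy behavioural ransomware detector over constructed endpoint telemetry.

Added example: the log format, thresholds and sample events are assumptions
made for illustration and are not drawn from the BKA report.
"""
from collections import defaultdict
from datetime import datetime

# Recovery-destroying commands that commonly precede encryption. Matching is
# substring-based on the lower-cased command line (generic indicators, assumed).
PRECURSOR_PATTERNS = [
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("bcdedit", "recoveryenabled no"),
]

RENAME_THRESHOLD = 20     # renames per (host, new extension) inside the window
RENAME_WINDOW_SEC = 60    # sliding window length in seconds


def parse_event(line):
    """Parse one constructed telemetry line: 'ts|host|type|detail'."""
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "type": kind, "detail": detail}


def check_precursor(event):
    """Return an alert string if a process event matches a precursor pattern."""
    if event["type"] != "process":
        return None
    cmd = event["detail"].lower()
    for binary, args in PRECURSOR_PATTERNS:
        if binary in cmd and args in cmd:
            return f"{event['host']}: precursor command '{event['detail']}'"
    return None


def check_rename_burst(events):
    """Flag hosts where many files gain the same new extension within the window."""
    alerts = []
    buckets = defaultdict(list)           # (host, new extension) -> timestamps
    for e in events:
        if e["type"] != "rename":
            continue
        _old, new = e["detail"].split("->", 1)
        ext = new.strip().rsplit(".", 1)[-1].lower()
        buckets[(e["host"], ext)].append(e["ts"])
    for (host, ext), times in buckets.items():
        times.sort()
        best, start = 0, 0
        # Largest number of renames falling inside any RENAME_WINDOW_SEC window
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > RENAME_WINDOW_SEC:
                start += 1
            best = max(best, end - start + 1)
        if best >= RENAME_THRESHOLD:
            alerts.append(f"{host}: {best} files renamed to .{ext} "
                          f"within {RENAME_WINDOW_SEC}s")
    return alerts


def analyze(lines):
    """Run both checks over raw telemetry lines and return the alert list."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = [a for a in (check_precursor(e) for e in events) if a]
    alerts += check_rename_burst(events)
    return alerts


def sample_telemetry():
    """Constructed telemetry: one precursor command and a 25-file rename burst
    on WS01, plus benign activity on WS02."""
    lines = [
        "2021-07-02T10:00:00|WS01|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
        "2021-07-02T10:00:01|WS02|process|C:\\Windows\\System32\\notepad.exe report.txt",
        "2021-07-02T10:00:02|WS02|rename|C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes_old.txt",
    ]
    for i in range(25):
        lines.append(f"2021-07-02T10:00:{i + 5:02d}|WS01|rename|"
                     f"C:\\Users\\a\\doc{i}.docx -> C:\\Users\\a\\doc{i}.docx.abc12")
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_telemetry()):
        print(alert)
```

In practice the rename burst is the later, noisier signal: by the time twenty files have changed extension, encryption is already under way on that host, so the precursor-command check is the one worth wiring to an automatic isolation action, with the burst detector as a fallback for strains that skip shadow-copy deletion.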