BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

REvil Ransomware Masterminds Identified: German Police Unmask Key Figures Behind Global Cybercrime
For General Readers (Journalistic Brief)
Law enforcement in Germany has made a significant stride in disrupting one of the world's most prolific ransomware operations. The Federal Criminal Police Office (BKA) has publicly named two individuals, Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk, as central figures in the REvil ransomware group. REvil, also known by the name Sodinokibi, operated as a "ransomware-as-a-service" (RaaS) model, essentially leasing its malicious software and operational infrastructure to other criminal actors who then carried out the actual attacks.
This group is specifically accused of launching around 130 ransomware attacks within Germany, causing an estimated €35.4 million (approximately $40.8 million USD) in damages. These attacks led to at least 25 victims collectively paying nearly €2 million in ransoms to recover their encrypted data. REvil gained notoriety for its extensive global reach, targeting major corporations and critical infrastructure, and for employing a "double extortion" strategy. This involved not only encrypting victim data but also threatening to publish stolen sensitive information.
Although REvil officially announced its cessation of operations in late 2021, following significant international law enforcement pressure, this recent identification of its leaders highlights the ongoing commitment to holding cybercriminals accountable. It underscores the complex, multinational nature of combating ransomware and the continuous efforts to dismantle these financially motivated criminal enterprises.
Technical Deep-Dive
1. Executive Summary
German law enforcement, through the Federal Criminal Police Office (BKA), has identified Daniil Maksimovich Shchukin (alias UNKN) as a key recruiter and representative, and Anatoly Sergeevitsch Kravchuk as a developer, within the REvil (Sodinokibi) ransomware-as-a-service (RaaS) operation. This is a law enforcement attribution rather than a software vulnerability, so no CVSS score applies. The REvil group is associated with approximately 130 ransomware attacks within Germany, resulting in estimated damages exceeding €35.4 million and ransom payments totaling €1.9 million from 25 victims. REvil was a highly impactful RaaS operation with global reach, responsible for numerous high-profile attacks on major corporations. The group ceased operations in late 2021 following coordinated international law enforcement actions.
2. Technical Vulnerability Analysis
- CVE ID and Details: Not applicable. This report focuses on the identification of threat actors and their criminal enterprise, not a specific software vulnerability with a CVE identifier.
- Root Cause (Code-Level): Not applicable. The focus is on the actors and their operational model (RaaS), not a specific programming flaw in a piece of software.
- Affected Components: Not applicable. The "attack" was the deployment of ransomware, which could target a vast array of systems. The attack surface was effectively any internet-connected system accessible by REvil affiliates.
- Attack Surface: The attack surface exploited by REvil affiliates was broad, encompassing any internet-facing service or internal network resource that could be compromised. This included, but was not limited to:
- Publicly accessible Remote Desktop Protocol (RDP) endpoints.
- Unpatched vulnerabilities in Virtual Private Networks (VPNs), web servers, and enterprise applications (e.g., Microsoft Exchange, Fortinet, Pulse Secure).
- Phishing campaigns leading to credential compromise or malware delivery.
- Compromised third-party service providers and managed service providers (MSPs).
3. Exploitation Analysis (Red-Team Focus)
- Red-Team Exploitation Steps:
- Prerequisites: Affiliation with the REvil RaaS platform, typically achieved through recruitment by individuals like Shchukin or by establishing trust within the cybercriminal underground. This often involved vetting processes and demonstrating technical proficiency or access to target environments.
- Access Requirements:
- Initial Access: Affiliates required methods to gain entry into victim networks. This could involve purchasing access from initial access brokers (IABs), exploiting publicly disclosed or zero-day vulnerabilities in internet-facing infrastructure, or executing successful social engineering and phishing campaigns.
- Privilege Escalation: Once inside, affiliates needed to escalate privileges to gain administrative control over critical systems and Active Directory (AD) domain controllers. This is a critical step for widespread deployment.
- Lateral Movement: The ability to move across the network to identify valuable data repositories, critical servers, and to deploy the ransomware payload efficiently.
- Exploitation Steps:
- Reconnaissance: Identifying target networks and valuable assets, either from access and target information bought from initial access brokers or through the affiliate's own reconnaissance with tools like Nmap, BloodHound, and network scanning utilities.
- Initial Compromise: Gaining a foothold in the network via methods listed above. This could be a single workstation, a server, or a VPN gateway.
- Credential Harvesting & Privilege Escalation: Utilizing tools like Mimikatz, LaZagne, or exploiting Active Directory misconfigurations (e.g., Kerberoasting, unconstrained delegation) and leveraging stolen credentials to gain higher privileges, aiming for Domain Admin.
- Lateral Movement: Employing tools such as PsExec, Windows Management Instrumentation (WMI), PowerShell Remoting, or exploiting SMB vulnerabilities to move between systems and establish persistence.
- Data Exfiltration (Double Extortion): Identifying and exfiltrating sensitive data to attacker-controlled servers or cloud storage (e.g., MEGA), commonly with Rclone, before encryption. This step is what gives the extortion its second lever.
- Payload Deployment: Distributing the REvil ransomware executable to targeted endpoints. This was often achieved through Group Policy Objects (GPOs), scheduled tasks, or remote administration tools like PsExec.
- Ransomware Execution: The ransomware encrypts files, appends a random per-victim extension to each encrypted file (REvil generated the extension for each build rather than using a fixed one such as .revil or .locked) and writes a ransom note named after that extension (<ext>-readme.txt) into each affected directory.
- Post-Exploitation Communication: Directing victims to the REvil leak site or its Tor payment portal for ransom negotiation and decryption key retrieval.
- Payload Delivery: Typically achieved through administrative tools (PsExec, PowerShell Remoting), scheduled tasks, GPOs, or by exploiting vulnerabilities in management software and remote access tools, as in the Kaseya VSA incident.
- Public PoCs and Exploits: REvil itself was a payload, not an exploit; the vulnerabilities used to get it onto a network varied by affiliate and were usually patched by vendors soon after disclosure. Public proof-of-concept code for common initial-access vectors (RDP brute-forcing, phishing kits, and exploits for widely deployed enterprise software such as the Microsoft Exchange ProxyLogon/ProxyShell chains) was what affiliates relied on. Log4Shell (CVE-2021-44228) is sometimes listed in this context, but it was disclosed in December 2021, after REvil's infrastructure went offline in October 2021, so it could not have been part of the original operation's toolset.
- Exploitation Prerequisites:
- Successful initial access into a target network environment.
- Sufficient network and system privileges for lateral movement and payload deployment (often Domain Administrator or equivalent).
- Absence or evasion of robust Endpoint Detection and Response (EDR) and antivirus solutions.
- Presence of unpatched or misconfigured systems accessible from the internet or internally.
- Lack of robust network segmentation and access controls.
- Automation Potential: The ransomware encryption process was highly automated once deployed. Lateral movement and data exfiltration often involved automated tools combined with manual reconnaissance and decision-making by affiliates. The RaaS infrastructure itself was designed to facilitate and automate many aspects of the operation for affiliates, including payload generation and distribution.
- Attacker Privilege Requirements: Varies significantly. Initial access brokers might require only the ability to exploit a public-facing vulnerability or use stolen credentials. Affiliates responsible for ransomware deployment typically required high-level privileges within the victim network, such as Domain Administrator, to achieve widespread encryption and persistence.
- Worst-Case Scenario: Complete compromise of data confidentiality through exfiltration, loss of data integrity via encryption, and total unavailability of critical business operations. This could lead to prolonged downtime, significant financial losses due to ransom payments and recovery efforts, severe reputational damage, and potential regulatory penalties for data breaches.
4. Vulnerability Detection (SOC/Defensive Focus)
How to Detect if Vulnerable: Organizations are not "vulnerable" to the identification of threat actors; they are vulnerable to the attacks orchestrated by these actors. Detection focuses on identifying the presence of REvil ransomware or its precursors within the environment.
- File System Analysis: Searching for REvil binaries by hash (from a current threat-intelligence feed), for ransom notes, and for the extension appended to encrypted files. REvil did not use a fixed extension: each build generated a random lower-case alphanumeric extension (typically 5 to 10 characters) that was appended after the file's original extension, and the ransom note was named after it (<ext>-readme.txt). Fixed extension lists quoted in some write-ups (.revil, .locked, .ezz, .good, .bad, .encrypted, .vvv, .yurt) are generic or belong to other families and are not reliable REvil indicators; match the naming pattern instead.
- Registry and Configuration Monitoring: Detecting persistence entries in run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and the configuration and key material REvil wrote to the registry at runtime (the exact subkey varied between builds; take it from current analysis reports).
- Process Monitoring: Identifying the execution of known REvil binaries, or suspicious processes associated with encryption, shadow copy deletion, or data exfiltration.
Indicators of Compromise (IOCs):
- File Hashes: Not reproduced here. REvil binaries were rebuilt per affiliate campaign and changed frequently, so any individual hash ages quickly; pull current SHA256/MD5 values from a vetted threat-intelligence feed or vendor report rather than from a static list, and treat hash matches as confirmation rather than as the primary detection.
- Network Indicators:
- Connections to known REvil Command and Control (C2) infrastructure (domains, IPs). Threat intelligence feeds are crucial for maintaining up-to-date lists.
- Unusual outbound traffic patterns indicative of large-scale data exfiltration to cloud storage or attacker-controlled servers.
- Connections to Tor hidden services for ransom payment coordination or C2 communication.
- Process Behavior Patterns:
- Rapid and widespread file encryption across multiple directories and file types, often excluding system files.
- Execution of vssadmin.exe delete shadows /all /quiet to eliminate Volume Shadow Copies.
- Execution of cipher.exe /w:<drive_letter>: to overwrite free disk space, hindering forensic recovery.
- Creation of new scheduled tasks or services for persistence (e.g., using schtasks.exe or sc.exe).
- Disabling of security software or logging mechanisms via registry edits or command-line tools.
- Use of PowerShell for remote execution, credential dumping, or downloading payloads.
- Registry/Config Changes:
- Persistence entries in Run keys, RunOnce keys, or Scheduled Tasks.
- Configuration and key material written to the registry at runtime (REvil stored its per-victim configuration, including the generated extension and key material, under HKLM\SOFTWARE; the exact subkey varied between builds and should be taken from current analysis reports).
- Log Signatures:
- Windows Event IDs related to file modifications, process creation, network connections, and registry changes.
- Sysmon Event IDs for process creation (Event ID 1), network connections (Event ID 3), file creation/deletion (Event ID 11), registry modifications (Event ID 12, 13, 14), and WMI activity (Event ID 19, 20, 21).
SIEM Detection Queries:
Query 1: Detecting REvil Ransomware Execution and Post-Exploitation Activities (KQL for Microsoft Defender advanced hunting; in Sentinel the timestamp column is TimeGenerated)
// Each branch is its own sub-query inside union; the original form ("| union T | where ...")
// applied every filter to the whole union instead of to one table.
let window = 15m;
union
    (DeviceProcessEvents
     | where FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows", "/all", "/quiet")
     | extend Indicator = "shadow_copy_deletion"),
    (DeviceProcessEvents
     | where FileName =~ "cipher.exe" and ProcessCommandLine has "/w:"
     | extend Indicator = "free_space_wipe"),
    (DeviceFileEvents
     | where ActionType in ("FileCreated", "FileRenamed")
     // REvil used a random per-victim extension and a "<ext>-readme.txt" note, so match the shape, not a fixed extension list
     | where FileName matches regex @"\.[A-Za-z0-9]{2,5}\.[a-z0-9]{5,10}$" or FileName matches regex @"^[a-z0-9]{5,10}-readme\.txt$"
     | extend Indicator = "rename_or_note"),
    (DeviceNetworkEvents
     | where RemoteIP in ("<Known_REvil_C2_IP_1>", "<Known_REvil_C2_IP_2>")   // replace with current IOCs from a reputable feed
     | extend Indicator = "c2_contact")
| project Timestamp, DeviceName, Indicator, FileName, FolderPath, InitiatingProcessFileName, ProcessCommandLine, RemoteIP, RemotePort, SHA256
| summarize Events = count(), Indicators = make_set(Indicator), Files = dcount(FileName) by DeviceName, bin(Timestamp, window)
| where Events > 5 or array_length(Indicators) > 1   // many renames, or several distinct indicators, on one host in one window
Query 2: Detecting Ransom Note Creation and Suspicious Process Activity (SPL for Splunk; field names follow the Splunk Add-on for Microsoft Windows, and 4688 command lines are only present if "Include command line in process creation events" is enabled)
index=wineventlog sourcetype=WinEventLog:Security
    (
      (EventCode=4663 OR EventCode=4656)
      (Object_Name="*\\readme.txt" OR Object_Name="*-readme.txt" OR Object_Name="*\\instructions.txt")
    )
    OR
    (
      EventCode=4688
      (
        (New_Process_Name="*\\vssadmin.exe" Process_Command_Line="*delete*shadows*")
        OR (New_Process_Name="*\\cipher.exe" Process_Command_Line="*/w:*")
        OR (New_Process_Name="*\\powershell.exe" (Process_Command_Line="*IEX*" OR Process_Command_Line="*Invoke-Expression*" OR Process_Command_Line="* -enc*"))
      )
    )
| eval indicator=if(EventCode=4688, New_Process_Name, Object_Name)
| bin _time span=15m
| stats count values(indicator) AS indicators values(Process_Command_Line) AS cmdlines BY ComputerName _time
| where count > 3   // adjust to environment noise; 4663 is chatty unless object auditing is scoped to shares
Behavioral Indicators:
- A sudden, significant increase in file modification events across user directories and network shares, often with a specific pattern of extension changes.
- Unusual outbound network connections to IP addresses or domains not typically accessed by the organization, especially those associated with cloud storage or known C2 infrastructure.
- Execution of system utilities like vssadmin.exe and cipher.exe with parameters aimed at destroying recovery data (shadow copies, free space).
- Creation of new scheduled tasks or services for persistence, often with suspicious command lines.
- Disabling or termination of security agent processes or critical system services.
- Rapid file encryption, often accompanied by the creation of ransom notes in multiple directories.
- Use of PowerShell or command-line interpreters for executing malicious commands, downloading payloads from remote locations, or performing credential theft.
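The process-behaviour patterns and behavioural indicators above are stated in prose; the following is an added example (not code from the BKA report, the source article, or any REvil sample) that turns them into detection logic and runs it over constructed telemetry. The log format (timestamp|host|kind|data), the hostnames FS01 and WS07, the sample extension 5uw1m0s5 (shaped like a REvil extension but invented here), the 60-second window and the 20-file threshold are all assumptions for the demonstration.

```python
# Added example (not from the BKA report, the source article, or any REvil
# sample): replay constructed Sysmon-style telemetry and flag the behaviours
# listed above. Log format, hostnames and paths are assumptions for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime

# Command-line patterns for the pre-encryption steps discussed above.
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("free_space_wipe",      re.compile(r"cipher(\.exe)?\s+/w:", re.I)),
    ("persistence_task",     re.compile(r"\b(schtasks(\.exe)?\s+/create|sc(\.exe)?\s+create)\b", re.I)),
    ("encoded_powershell",   re.compile(r"powershell(\.exe)?.*(\s-enc\w*\s|\bIEX\b|Invoke-Expression)", re.I)),
]
# REvil appended a random per-victim extension after the original one and named
# its note "<ext>-readme.txt"; match that shape rather than a fixed extension list.
APPENDED_EXT = re.compile(r"\.[A-Za-z0-9]{2,5}\.[a-z0-9]{5,10}$")
RANSOM_NOTE = re.compile(r"(^|\\)[a-z0-9]{5,10}-readme\.txt$", re.I)


def parse(line):
    """Parse a constructed 'timestamp|host|kind|data' line into a dict."""
    ts, host, kind, data = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "data": data}


def analyze(lines, window_seconds=60, burst_threshold=20):
    """Return (host, rule, detail) findings: single-event process rules plus a
    per-host sliding-window count of rename-or-note file events."""
    findings = []
    recent = defaultdict(deque)   # host -> timestamps of suspicious file events
    burst_fired = set()
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        host, data = ev["host"], ev["data"]
        if ev["kind"] == "process":
            for name, rx in PROCESS_RULES:
                if rx.search(data):
                    findings.append((host, name, data))
        elif ev["kind"] == "file":
            if RANSOM_NOTE.search(data):
                findings.append((host, "ransom_note", data))
            if APPENDED_EXT.search(data) or RANSOM_NOTE.search(data):
                q = recent[host]
                q.append(ev["ts"])
                while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                    q.popleft()                      # drop events that fell out of the window
                if len(q) >= burst_threshold and host not in burst_fired:
                    burst_fired.add(host)            # one burst alert per host
                    findings.append((host, "mass_rename_burst",
                                     f"{len(q)} renamed files within {window_seconds}s"))
    return findings


def constructed_events():
    """Constructed sample telemetry (not real logs): FS01 is hit, WS07 is benign noise."""
    base = "2021-07-02T14:00:"
    lines = [
        base + "01|FS01|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
        base + "02|FS01|process|cipher.exe /w:C:",
        base + "03|FS01|process|powershell.exe -nop -w hidden -enc SQBFAFgA",
        base + "04|FS01|file|C:\\Shares\\Finance\\5uw1m0s5-readme.txt",
        base + "30|WS07|process|vssadmin.exe list shadows",             # legitimate admin use
        base + "31|WS07|file|C:\\Users\\a\\Downloads\\archive.tar.gz",  # double extension, not appended
    ]
    for i in range(25):   # 25 renamed spreadsheets over about 13 seconds
        lines.append(f"{base}{5 + i // 2:02d}|FS01|file|C:\\Shares\\Finance\\doc{i}.xlsx.5uw1m0s5")
    return lines


if __name__ == "__main__":
    for host, rule, detail in analyze(constructed_events()):
        print(f"{host:5} {rule:22} {detail}")
```

Running it prints four single-event findings for FS01 plus one mass_rename_burst, and nothing for WS07: "vssadmin list shadows" and archive.tar.gz are exactly the benign look-alikes a fixed-extension or substring rule would flag. The same shape-based matching (appended random extension plus "<ext>-readme.txt") is what a SIEM rule should use, since REvil's extension was never constant.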
5. Mitigation & Remediation (Blue-Team Focus)
- Official Patch Information: Not applicable. This report pertains to threat actor identification, not a specific software vulnerability requiring a patch. Mitigation and remediation efforts focus on preventing ransomware infection and improving overall security posture against RaaS operations.
- Workarounds & Temporary Fixes:
- Network Segmentation: Implement strict network segmentation to limit lateral movement. Isolate critical servers, domain controllers, and sensitive data repositories from user workstations and the internet. Utilize micro-segmentation where feasible.
- Access Control Hardening: Enforce the principle of least privilege rigorously. Restrict RDP access to specific, trusted IP addresses and enforce Multi-Factor Authentication (MFA) for all remote access, privileged accounts, and critical systems. Implement strong password policies and regular credential rotation.
- Firewall and IDS/IPS Rules: Deploy and maintain up-to-date firewall rules to block known malicious IPs and ports. Configure Intrusion Detection/Prevention Systems (IDS/IPS) to detect and block exploit attempts, malicious traffic patterns, and known C2 communication.
- Web Application Firewall (WAF): Implement and tune WAF rules to protect public-facing web applications from common exploitation techniques. Ensure WAF is updated with the latest threat intelligence.
- Disable Unnecessary Services: Disable or restrict access to services like SMBv1, RDP, and WinRM if not absolutely essential for business operations. Monitor for their unauthorized re-enabling.
- Endpoint Security: Ensure all endpoint security solutions (EDR, antivirus) are up-to-date, configured for maximum protection (e.g., exploit protection, ransomware protection modules, behavioral analysis), and regularly scanned. Implement application whitelisting where possible.
- Regular, Tested Backups: Maintain a robust backup strategy with offline, immutable, and regularly tested backups of critical data. Ensure backup systems are isolated and protected from the primary network.
- Manual Remediation Steps (Non-Automated):
- Isolate Infected Systems: Immediately disconnect any suspected infected machine from the network (wired and wireless) to prevent further propagation, by disabling network interfaces or isolating it through the EDR console; do not power it off if memory forensics is planned, and leave domain membership alone so that the host's policy and audit configuration remain intact for analysis. Disable compromised accounts in the directory instead.
- Identify and Eradicate Malware: Utilize forensic tools and EDR solutions to identify and remove ransomware executables, associated scripts, persistence mechanisms, and any other malicious artifacts. This may involve memory forensics.
- Restore from Clean Backups: If data has been encrypted, restore from known clean and verified backups. Prioritize critical systems and data. Perform integrity checks on restored data.
- Rebuild Compromised Systems: For systems with extensive compromise or uncertainty about complete eradication, a full rebuild from a trusted golden image is the most secure approach. This ensures no residual persistence.
- Security Posture Review: Conduct a thorough review of the entire security posture, including patch management, access controls, user awareness training, network configurations, and security tool efficacy.
- Credential Reset: Force password resets for all users, particularly privileged accounts and service accounts. Rotate any compromised credentials and review access logs for suspicious activity.
- Risk Assessment During Remediation:
- Data Loss: The primary risk is permanent data loss if backups are unavailable, corrupted, or also compromised.
- Extended Downtime: Remediation and restoration processes can lead to significant operational downtime, impacting business continuity and revenue.
- Re-infection: The risk of re-infection remains high if the initial attack vector is not identified and neutralized, or if persistence mechanisms are missed.
- Data Leakage: Even after successful remediation, the risk of exfiltrated data being leaked or sold on the dark web persists, leading to reputational and legal consequences.
6. Supply-Chain & Environment-Specific Impact
- CI/CD Impact: REvil affiliates could have targeted CI/CD pipelines to inject malicious code into software builds, compromising the integrity of software supply chains. This would involve compromising build servers, artifact repositories (e.g., npm, Docker Hub, PyPI), or developer workstations. The goal would be to distribute malware through seemingly legitimate software updates or deployments.
- Container/Kubernetes Impact: If REvil ransomware was deployed within containerized environments (e.g., Docker) or Kubernetes clusters, it could lead to widespread compromise. Exploitation of vulnerabilities in container images, container runtimes (e.g., containerd, CRI-O), or the Kubernetes control plane could have significant impact. Container isolation effectiveness depends heavily on proper configuration, runtime security, and the underlying vulnerability exploited. A compromised container could potentially break out of its isolation.
- Supply-Chain Implications: The RaaS model itself is a form of supply chain operation, where the "supply chain" consists of affiliates and their tools. The identification of key figures like developers and recruiters directly targets the core supply chain of the REvil operation. Furthermore, REvil affiliates compromised software vendors and managed service providers (MSPs) to reach their clients, a classic supply-chain attack vector. This was seen in the July 2021 Kaseya VSA attack, where REvil affiliates exploited a zero-day (CVE-2021-30116) in on-premises VSA servers and pushed the payload through the MSPs' own management tooling to their customers.
7. Advanced Technical Analysis
- Exploitation Workflow (Detailed): The typical REvil exploitation workflow involved a sophisticated chain of events:
- Initial Access: Gaining entry via RDP compromise (often through brute-force or stolen credentials), successful phishing campaigns, or exploiting vulnerabilities in internet-facing applications (e.g., VPNs, web servers, email gateways).
- Reconnaissance & Privilege Escalation: Using tools like BloodHound, Mimikatz, PowerView, and ADExplorer to map the network topology, identify high-value targets (e.g., domain controllers, file servers), and escalate privileges to Domain Administrator. This phase is critical for achieving broad impact.
- Lateral Movement: Employing PsExec, WMI, PowerShell Remoting, or exploiting SMB vulnerabilities (e.g., EternalBlue, though less common for newer REvil variants) to spread across the domain and access critical servers.
- Data Exfiltration: Utilizing tools like Rclone, MegaSync, or custom scripts to exfiltrate sensitive data to attacker-controlled cloud storage or servers. This step is paramount for the double extortion tactic.
- Payload Deployment & Execution: Distributing the REvil ransomware executable and executing it on targeted systems. This was often achieved through scheduled tasks created via GPOs, PsExec, or other remote execution methods.
- Encryption & Shadow Copy Deletion: Encrypting files, deleting Volume Shadow Copies (vssadmin.exe) and overwriting free disk space (cipher.exe) to prevent easy recovery.
- Ransom Note Drop: Leaving ransom notes with instructions for payment and contact information in affected directories.
- Code-Level Weakness: REvil's effectiveness came not from a single code flaw but from its RaaS operational framework, which included:
- Robust Encryption: File contents were encrypted with Salsa20 under per-file keys, and the key material was protected with Curve25519 key exchange so that only the holder of the matching private keys could recover it (a hybrid scheme; the AES-256/RSA-2048 pairing often quoted for REvil is not what it used). Without the private key, decryption is practically impossible, which is why the decryptor was the thing being sold.
- Evasion Techniques: Code obfuscation, anti-debugging, anti-virtualization (detecting sandboxes and analysis environments), and the use of legitimate system binaries (Living Off The Land Binaries - LOLBAS) to evade detection by security software.
- Secure C2 Infrastructure: Utilizing anonymized communication channels (e.g., Tor, custom protocols over HTTPS, DNS tunneling) for command and control, making it difficult to disrupt.
- Affiliate Management Platform: A well-structured backend for recruiting, managing, and remunerating affiliates, facilitating scalability and operational efficiency.
- Related CVEs & Chaining: REvil affiliates exploited a range of vulnerabilities. Those documented for REvil itself, and for ransomware operators of the same period, include:
- Kaseya VSA (CVE-2021-30116): the on-premises VSA vulnerability used in the July 2021 REvil supply-chain attack to push the payload to MSP customers.
- Microsoft Exchange Server vulnerabilities: ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), used by several ransomware crews for initial access.
- VPN vulnerabilities: including those affecting Fortinet (e.g., CVE-2018-13374, CVE-2019-5591) and Pulse Secure (e.g., CVE-2019-11510).
- Remote Desktop Protocol (RDP): BlueKeep (CVE-2019-0708) is often cited, but in practice RDP was entered with brute-forced or purchased credentials far more often than through a CVE.
- Log4j (CVE-2021-44228): listed in some write-ups, but disclosed in December 2021, after REvil's October 2021 shutdown, so not part of the original operation's toolset; it remains relevant for successor groups running the same playbook.
Chaining typically meant one vulnerability or one set of credentials for initial access, followed by credential dumping (Mimikatz) and Active Directory abuse for privilege escalation and lateral movement, rather than a chain of further CVEs.
- Bypass Techniques:
- EDR/AV Evasion: Employing fileless techniques, process injection, API hooking, code obfuscation, and leveraging legitimate system tools (LOLBAS) like powershell.exe, rundll32.exe, regsvr32.exe, certutil.exe for malicious purposes.
- WAF Bypass: Using encoding techniques (URL, Base64), HTTP parameter pollution, fragmentation attacks, or exploiting misconfigurations in WAF rules.
- Network Evasion: Encrypting C2 traffic, using Tor or other anonymizing networks, mimicking legitimate network protocols, and employing DNS tunneling for covert communication.
- Sandbox Evasion: Detecting sandbox environments through timing attacks, checking for specific artifacts (e.g., lack of user interaction, specific process names), or delaying malicious execution until after sandbox analysis has completed.
8. Practical Lab Testing
- Safe Testing Environment Requirements:
- Isolated Network Segment: A dedicated, air-gapped, or heavily segmented virtual network environment. This can be achieved using VLANs, dedicated physical hardware, or containerization platforms like Docker with strict network isolation. Ensure no routes to production networks exist.
- Snapshotting Capabilities: The ability to create and revert system snapshots rapidly is crucial for resetting the environment after each test iteration.
- Controlled Internet Access: Minimal or no direct internet access. If required for simulating C2 communication or payload downloads, use a proxy server that can log, filter, and block traffic to known malicious destinations.
- Forensic and Monitoring Tools: Deployment of SIEM, EDR, network packet capture (Wireshark, tcpdump), and memory analysis tools (Volatility Framework) within the lab environment.
- How to Safely Test:
- Environment Setup: Deploy representative target systems (e.g., Windows Server, Windows 10, Linux) within the isolated lab network. Configure them to mimic production environments as closely as possible.
- Simulate Initial Access: Use publicly available tools or custom scripts to simulate common initial access vectors (e.g., RDP brute-forcing using Hydra, simulated phishing email delivery with attachments, exploiting a known vulnerable service in a controlled manner).
- Deploy Simulated Ransomware: Use a ransomware simulation tool or a custom script that creates its own throwaway files and then overwrites and renames only those files, so that encryption-like telemetry is produced without touching real data. If live samples are used, obtain them from a reputable source and keep them on isolated, snapshotted hosts.
- Monitor and Capture: Actively monitor system and network activity using EDR, SIEM, and packet capture tools throughout the simulation. Log all events meticulously.
- Validate Detection Rules: Run the developed SIEM detection queries and EDR alerts against the captured logs and events to verify their efficacy in detecting the simulated attack stages.
- Test Mitigation Controls: Apply simulated firewall rules, WAF policies, or endpoint security configurations and re-run tests to assess their effectiveness in blocking or detecting the simulated attack.
- Analyze and Revert: Thoroughly analyze the results, document findings, and then revert all systems to their clean snapshot state before the next test iteration.
- Test Metrics:
- Detection Rate: Percentage of simulated attack stages or malicious activities successfully detected by security controls.
- Time to Detect (TTD): Average time elapsed from the start of a simulated malicious activity to its detection by security systems.
- Time to Respond (TTR): Average time from detection to successful containment or remediation of the simulated threat.
- Encryption Speed/Volume (Simulated): Rate at which simulated files are encrypted and the percentage of targeted files affected within a defined timeframe.
- Lateral Movement Success Rate: Percentage of simulated lateral movement attempts that are successful across the lab network.
- Data Exfiltration Volume: Amount of simulated data successfully exfiltrated from the lab environment to a simulated external destination.
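As an added example for the safe-testing procedure and the "Encryption Speed/Volume (Simulated)" metric above (this is not a tool from the page, the BKA, or any vendor), the script below builds its own throwaway corpus in a fresh temporary directory, overwrites and renames only those files in the "<ext>-readme.txt" pattern described earlier, and reports how fast it did so. The extension labtest1, the file count, and the temporary-directory layout are assumptions; the containment guard that refuses any path outside the lab root is the part worth copying.

```python
# Added example (not from the page or any vendor tool): a contained simulator
# that produces encryption-like telemetry for validating detection rules.
# It creates its own throwaway corpus under a fresh temporary directory,
# refuses to touch anything outside it, and never deletes shadow copies,
# edits the registry or contacts the network. Extension and note name are
# assumptions chosen to mirror REvil's "<ext>-readme.txt" naming.
import secrets
import tempfile
import time
from pathlib import Path

LAB_EXT = "labtest1"                   # stands in for REvil's random per-victim extension
LAB_NOTE = f"{LAB_EXT}-readme.txt"     # mirrors the "<ext>-readme.txt" naming pattern


def make_corpus(root, n_files=200, size=4096):
    """Create n_files throwaway documents with random content (constructed test data)."""
    files = []
    for i in range(n_files):
        p = root / f"doc{i:04d}.docx"
        p.write_bytes(secrets.token_bytes(size))
        files.append(p)
    return files


def simulate_encryption(root, files, ext=LAB_EXT, note_name=LAB_NOTE):
    """Overwrite each file with random bytes (high entropy, like ciphertext),
    append the extension, and drop a note. Raises before touching any path
    outside root; that guard is what keeps the simulation contained."""
    root = Path(root).resolve()
    targets = [Path(p).resolve() for p in files]
    for p in targets:                   # validate everything before modifying anything
        if root not in p.parents:
            raise RuntimeError(f"refusing to modify {p}: outside lab root {root}")
    start = time.perf_counter()
    for p in targets:
        p.write_bytes(secrets.token_bytes(p.stat().st_size))
        p.rename(p.with_name(f"{p.name}.{ext}"))
    (root / note_name).write_text("LAB TEST ONLY: simulated ransom note for detection validation\n")
    elapsed = time.perf_counter() - start
    return {
        "files": len(targets),
        "seconds": elapsed,
        "files_per_second": len(targets) / elapsed if elapsed > 0 else float("inf"),
    }


def run_lab(n_files=200):
    """Build the corpus, run the simulation, verify the on-disk result, then clean up."""
    with tempfile.TemporaryDirectory(prefix="ransim-") as d:
        root = Path(d)
        metrics = simulate_encryption(root, make_corpus(root, n_files))
        metrics["renamed"] = sum(1 for p in root.iterdir() if p.suffix == f".{LAB_EXT}")
        metrics["note_present"] = (root / LAB_NOTE).is_file()
        return metrics


def guard_blocks_outside_paths():
    """Show the containment guard working: a file outside the lab root is refused and left untouched."""
    with tempfile.TemporaryDirectory() as lab, tempfile.TemporaryDirectory() as elsewhere:
        outside = Path(elsewhere) / "real.docx"
        outside.write_bytes(b"do not touch")
        try:
            simulate_encryption(Path(lab), [outside])
        except RuntimeError:
            return outside.exists() and outside.read_bytes() == b"do not touch"
        return False


if __name__ == "__main__":
    m = run_lab()
    print(f"{m['files']} files, renamed={m['renamed']}, note={m['note_present']}, "
          f"rate={m['files_per_second']:.0f} files/s")
    print("containment guard ok:", guard_blocks_outside_paths())
```

Run it on a lab host with the EDR and Sysmon forwarding enabled, then replay the resulting file-create, file-rename and note-drop events through the SIEM rules from section 4; the returned files_per_second figure is the "Encryption Speed/Volume (Simulated)" metric, and the number of renamed files that were logged before the first alert fires gives Time to Detect in concrete terms.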
9. Geopolitical & Attribution Context
- Is there evidence of state-sponsored involvement? The BKA's announcement does not directly attribute REvil to a specific state actor. However, sophisticated RaaS operations often operate with a degree of tacit approval or tolerance from certain nation-states, particularly those where cybercrime is prevalent and law enforcement cooperation with international bodies is limited. The article mentions the FSB's involvement in arresting REvil members, indicating Russian law enforcement engagement, which is common in such cases involving cybercriminals operating from or through Russia.
- Targeted Sectors: The article highlights 130 attacks in Germany, indicating a broad targeting of German entities. Globally, REvil was known to target critical infrastructure, large enterprises in sectors like food processing (JBS), IT services (Kaseya), healthcare, and manufacturing, among others. Their targeting was primarily financially motivated, aiming for high-value organizations capable of paying large ransoms.
- Attribution Confidence: High confidence for the identification of Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk as key figures, based on the public statements and actions of the BKA, a credible law enforcement agency.
- Campaign Context: REvil was a major, highly active ransomware campaign that emerged around 2019 and continued until its significant disruption in late 2021. It was widely considered a successor to the GandCrab ransomware operation, inheriting its infrastructure, affiliate network, and operational tactics.
- If unknown: Not applicable, as specific individuals have been publicly identified by law enforcement.
10. References & Sources
- Original Source: Zerosday News - "REvil Ransomware Masterminds Identified: German Police Unmask Key Figures Behind Global Attacks" (Article date: April 6, 2026, as per provided text)
- Reporting Journalist: Brian Krebs (as cited in the original article)
- Law Enforcement Agency: Bundeskriminalamt (BKA), Germany
- Law Enforcement Agencies Involved in Related Actions: Romanian law enforcement, Russian Federal Security Service (FSB)
- Historical REvil Victim Disclosures: JBS, Kaseya, Acer
- Related Ransomware Operations: GandCrab
- Russian News Publication: Kommersant (cited for context on FSB actions)
- Official BKA Press Release: (If publicly available, would be cited here)
- CVE Records: (Relevant CVEs exploited by REvil affiliates, if applicable to specific attack vectors mentioned)
