
The German Federal Criminal Police (also known as the BKA or Bundeskriminalamt) has revealed the identity of the main threat actor associated with the now-defunct REvil (also known as Sodinokibi) ransomware-as-a-service (RaaS) operation.
The actor, who goes by the alias UNKN, acted as the group's representative and promoted the ransomware on the XSS cybercrime forum in June 2019. He has now been identified as Daniil Maksimovich Shchukin, a 31-year-old Russian national. He was also known online as Oneiilk2, Oneillk2, Oneillk22, and GandCrab.
This development was reported by independent security journalist Brian Krebs.
“From at least early 2019 until at least July 2021, the wanted individual acted in collaboration with others as the leader of one of the world’s largest ransomware groups known as GandCrab/REvil,” BKA said. “The perpetrators demanded a large ransom payment in exchange for the data being decrypted and not leaked.”
Anatoly Sergeyevich Kravchuk, a 43-year-old Russian national born in the Ukrainian city of Makiivka, was also added to the wanted list. It is said that he worked as a developer of REvil around the same time.
Shchukin and Kravchuk are suspected of carrying out 130 ransomware attacks across Germany. Of these, 25 resulted in payments of 1.9 million euros ($2.19 million). In total, these incidents resulted in financial damages in excess of €35.4 million ($40.8 million).
REvil (also known as Water Mare and Gold Southfield) is one of the most prolific ransomware groups, counting companies like JBS and Kaseya among its victims. The crew, considered an evolution of the GandCrab ransomware, mysteriously went offline in mid-July 2021, but resurfaced two months later.
By October 2021, the group had ceased operations and its data leak site was no longer accessible as part of a law enforcement operation. A few weeks later, Romanian law enforcement officials announced the arrest of two individuals associated with the REvil ransomware family.
In an unprecedented move, Russia’s Federal Security Service (FSB) announced in January 2022 that it had arrested several members of the notorious ransomware gang REvil and neutralized its operations. Four of these members were sentenced to multi-year prison terms in October 2024, according to a report in Russian news publication Kommersant.
UNKN also disappeared from cybercrime forums at the same time as this operation, prompting another user, REvil (later renamed 0_neday), to become the public face of the gang’s operations.
In a March 2021 interview with Recorded Future’s Dmitry Smilyanets, UNKN said that he had been in the ransomware business since 2007, and at one time had as many as 60 affiliates working for the group.
“When I was a child, I scavenged through garbage piles and smoked cigarette butts. I walked 10 kilometers each way to school,” he said. “I wore the same clothes for six months. When I was young, I lived in a communal apartment and didn’t eat for two or three days. Now I’m a millionaire.”
