The BKA identifies Daniil Shchukin as the brain of the most profitable ransomware group


The German Federal Criminal Police (BKA) has publicly declared what for years was a mystery in cybersecurity circles: the real identity of the main face behind the REvil ransomware family, also known as Sodinokibi. Following an investigation that combined digital forensic techniques and international cooperation, the authorities have pointed to an individual operating under the pseudonym UNKN, who is now on the wanted list as Daniil Maksimovich Shchukin, a 31-year-old Russian citizen. The announcement was picked up by researchers and specialized journalists, including Brian Krebs, and formalized in the BKA's communiqués.

According to the allegations, Shchukin did not act alone: he would have been the public representative and one of the operational leaders of an extortion network that, at its height, gained great visibility for its "Ransomware-as-a-Service" (RaaS) business model. Along with him, authorities have identified Anatoly Sergeevitsch Kravchuk, 43, born in the city of Makiivka, as the developer who contributed to the technical core of the malware. Both are implicated in a long chain of incidents on German territory, where investigators attribute to them more than 100 attacks and economic losses in the millions for the victims.

Image generated with AI.

The RaaS scheme used by REvil allowed its operators to centralize the development of the malicious code while recruiting affiliates who launched the campaigns and negotiated the ransoms. This structure facilitated the group's global expansion and its ability to hit high-profile targets, such as the large food companies and managed service providers that have fallen victim in recent years. The professionalized model and the outsourcing of execution made REvil one of the most profitable and harmful threats of modern cybercrime.

In Germany, the figures that the BKA attributes to the duo are stark: about 130 attacks charged in that country, of which a fraction resulted in ransom payments (about 25 cases with payments amounting to almost EUR 2 million), and total economic damage which, according to police estimates, exceeds EUR 30 million. These figures reflect not only the direct cost of the ransoms, but also the operational and reputational losses and the costs associated with recovering from and mitigating the intrusions.

The story of REvil is also a map of how cybercrime can fragment and reappear. Originating as the evolution of the well-known GandCrab, the group reached its peak between 2019 and 2021, briefly disappearing in mid-2021 and then resurfacing until, in the fall of that same year, police operations against its infrastructure and international collaborations undermined its public visibility. This situation led to arrests and takedowns of data leak sites in multiple countries, a response that highlighted the importance of cooperation between law enforcement agencies. To understand the broader impact of the phenomenon and recommendations for organizations, it is useful to consult reference resources such as those published by CISA.

The case continued to evolve with legal manoeuvres and arrests that took place in different countries. Romanian and Russian authorities announced arrests of people linked to the network, and in 2022 the Russian security service (FSB) made public that it had dismantled a cell of members related to the REvil family. Subsequent reports indicated criminal convictions for several of those involved, a development reported in the international press, including Kommersant's coverage of judgments delivered in 2024.

Image generated with AI.

Beyond the names and figures, the case includes episodes that illustrate the human stories behind many cybercriminals: in an interview given years ago, the actor who used the alias UNKN reported a past of deprivation and described his passage from the margins of society to a standard of living that he himself called prosperous, while attributing to the organization a wide network of affiliates. This mix of personal narrative, technical skill and criminal opportunity partly explains why groups like REvil have been able to recruit talent and scale up their operations quickly. For interviews and in-depth analysis of these protagonists, you can consult journalistic investigations and specialized reports, such as those published by The Record and other security outlets.

The case also leaves practical lessons for businesses and policy makers. First, the attribution and arrest of individuals in cyberspace requires a combination of forensic techniques, collaborative intelligence and transnational political will. Second, the persistence of RaaS models highlights the need to invest in prevention: network segmentation, offline backups, staff training and clear agreements for incident response. Finally, the evolution of REvil shows that shutting down a service or arresting some leaders is no guarantee that the threat will disappear; the knowledge and tools often mutate and reappear in other forms or in the hands of new actors.

In practice, this means that the fight against ransomware must combine judicial prosecution with proactive measures and better preparation of potential victims. As the investigations around Shchukin and Kravchuk continue and authorities try to close the gaps that allow these criminal economies to thrive, organizations have a responsibility to learn from the recent past and strengthen their defenses. The history of REvil is, in short, a reminder that digital security is a continuous and collective effort, in which public-private information sharing and international cooperation are key elements in trying to prevent a recurrence of damage on a similar scale.
