
BKA Identifies REvil Ransomware Leaders in German Attacks


German authorities have identified two key leaders of the notorious REvil ransomware gang responsible for over 130 attacks in the country. The Federal Criminal Police Office (BKA) announced the breakthrough, which links real identities to the online aliases of high-ranking members of the now-defunct cybercrime operation.

Unmasking the Threat Actors

One of the identified individuals used the online alias “UNKN.” According to the BKA, this person acted as the group’s public representative: among other things, they advertised the ransomware-as-a-service (RaaS) platform to prospective affiliates on the XSS cybercrime forum as early as June 2019.

The second individual remains unnamed in public reports but is described as a central administrator for the criminal enterprise. The identifications are the result of a complex, long-term investigation involving international cooperation.

Scope of the Damage in Germany

The REvil syndicate, also known as Sodinokibi, is linked to a minimum of 130 successful ransomware attacks targeting German entities. These attacks encrypted victims’ data and demanded substantial cryptocurrency payments for decryption keys.

While the BKA did not release a full list of victims, ransomware groups like REvil typically target a wide range of organizations. This includes businesses, municipal institutions, hospitals, and critical infrastructure providers, leading to significant operational and financial damage.

International Investigation and Takedown

The REvil operation was a prominent example of the ransomware-as-a-service model. A core team developed and maintained the malware and the supporting infrastructure, and leased access to it to affiliates, who broke into victim networks, deployed the ransomware, and handled the extortion in exchange for a share of the ransom.

This division of labour let the operation scale far beyond what a single crew could manage, leading to a global wave of incidents. The group’s high-profile attacks, including the 2021 attack on the meat processor JBS, drew intense scrutiny from law enforcement worldwide.

A coordinated international effort, involving agencies from the United States, Romania, and South Korea, among others, disrupted the REvil infrastructure and arrested several affiliates between late 2021 and early 2022. The BKA’s recent announcement provides a crucial postscript to that takedown by putting names to key figures behind the operation.

Legal Proceedings and Future Steps

With the identities established, German prosecutors can now pursue formal charges. The individuals are suspected of membership in a criminal organization, computer sabotage, and extortion.

The BKA emphasized that the investigation is ongoing and further arrests, both in Germany and abroad, cannot be ruled out. Authorities continue to analyze seized data for evidence linking the suspects to specific attacks and for identifying their financial networks.

This development signals a shift toward holding the architects of ransomware campaigns accountable, not just the lower-level affiliates. Law enforcement agencies are increasingly focusing on the administrative and development layers of these cybercriminal groups.

Source: BKA Press Release