Executive Summary
In April 2026, Germany's Federal Criminal Police Office (BKA) unmasked the identities of two key figures associated with the REvil ransomware-as-a-service (RaaS) operation. Daniil Maksimovich Shchukin, known online as 'UNKN,' and Anatoly Sergeevitsch Kravchuk were linked to 130 ransomware attacks across Germany, resulting in over €35.4 million in damages. The REvil group, active from 2019 to 2021, targeted high-profile organizations, demanding substantial ransoms in exchange for decrypting and not leaking data. (thehackernews.com)
This revelation underscores the persistent threat posed by sophisticated ransomware groups and highlights the importance of international cooperation in cybercrime investigations. Organizations must remain vigilant, as the tactics employed by groups like REvil continue to evolve, posing significant risks to global cybersecurity.
Why This Matters Now
The identification of REvil's leaders highlights the ongoing threat of ransomware attacks and the necessity for robust cybersecurity measures. Organizations must stay informed about evolving cyber threats and strengthen their defenses to mitigate potential risks.
Attack Path Analysis
The REvil ransomware group exploited a zero-day vulnerability in Kaseya's VSA software to gain initial access to managed service providers (MSPs). They escalated privileges by leveraging the administrative rights inherent in the VSA platform, allowing them to deploy ransomware across client networks. The attackers moved laterally through interconnected systems managed by the compromised MSPs, distributing the ransomware payload. They established command and control by executing malicious scripts via the VSA platform, maintaining control over the infected systems. Data exfiltration was conducted by transferring sensitive information to external servers before encryption. Finally, the ransomware encrypted critical data and systems, rendering them inoperable and demanding ransom payments from the victims.
Kill Chain Progression
Initial Compromise
Description
Exploited a zero-day vulnerability in Kaseya's VSA software to gain access to MSPs.
Related CVEs
CVE-2021-30116
CVSS 9.8. A vulnerability in Kaseya VSA allows remote code execution, enabling attackers to deploy ransomware.
Affected Products:
Kaseya VSA – < 9.5.7
Exploit Status:
exploited in the wild
CVE-2019-11510
CVSS 10. An arbitrary file read vulnerability in Pulse Secure VPN allows unauthenticated remote attackers to access sensitive files.
Affected Products:
Pulse Secure Pulse Connect Secure – < 9.1R12
Exploit Status:
exploited in the wild
CVE-2019-19781
CVSS 9.8. A directory traversal vulnerability in Citrix ADC and Gateway allows unauthenticated remote attackers to execute arbitrary code.
Affected Products:
Citrix ADC – < 12.1.55.18
Citrix Gateway – < 12.1.55.18
Exploit Status:
exploited in the wild
CVE-2018-13379
CVSS 9.8. A path traversal vulnerability in Fortinet FortiOS SSL VPN web portal allows unauthenticated attackers to download system files.
Affected Products:
Fortinet FortiOS – < 5.6.8, < 6.0.5
Exploit Status:
exploited in the wild
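The practical question the CVE list above raises for a defender is which assets in an inventory still fall inside those version ranges. The script below is an added example, not code from the briefing or from any vendor it names: it transcribes the "Affected Products" thresholds shown above, parses mixed version strings such as 9.1R12 and 12.1.55.18 so they compare correctly, and flags constructed inventory rows that need patching. The rule for reading a "< X" threshold (older than the lowest threshold, or on the same major.minor branch as a threshold and older than it) is an assumption made here so that a FortiOS 6.0.4 build is flagged while a 5.7.0 build is not; check it against the vendor advisories before relying on it.

```python
"""Triage an asset inventory against the version ranges listed above.
Added example; the inventory rows are constructed, not data from the page."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_in: Tuple[str, ...]  # the "< X" thresholds as stated on the page


# Thresholds transcribed from the "Affected Products" entries above.
ADVISORIES = [
    Advisory("CVE-2021-30116", "Kaseya VSA", ("9.5.7",)),
    Advisory("CVE-2019-11510", "Pulse Connect Secure", ("9.1R12",)),
    Advisory("CVE-2019-19781", "Citrix ADC", ("12.1.55.18",)),
    Advisory("CVE-2019-19781", "Citrix Gateway", ("12.1.55.18",)),
    Advisory("CVE-2018-13379", "Fortinet FortiOS", ("5.6.8", "6.0.5")),
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(text: str) -> tuple:
    """Split '9.1R12' into ((0, 9), (0, 1), (1, 'R'), (0, 12)).

    Numeric components compare numerically (so 9.1R9 < 9.1R12 rather than
    the string order 'R12' < 'R9'); a letter at a position sorts after a
    number; a missing trailing component sorts lowest."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.upper())
                 for t in _TOKEN.findall(text))


def branch(v: tuple) -> tuple:
    """major.minor branch of a parsed version."""
    return v[:2]


def is_affected(version: str, thresholds: Tuple[str, ...]) -> bool:
    """Assumed reading of the page's '< X' thresholds: affected if older than
    the lowest threshold, or on the same major.minor branch as some threshold
    and older than it. Builds on a newer, unlisted branch are not flagged."""
    v = parse_version(version)
    parsed = [parse_version(t) for t in thresholds]
    if v < min(parsed):
        return True
    return any(branch(v) == branch(t) and v < t for t in parsed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, cve) pairs for inventory rows inside an affected range."""
    hits = []
    for host, product, version in inventory:
        for adv in ADVISORIES:
            if adv.product == product and is_affected(version, adv.fixed_in):
                hits.append((host, adv.cve))
    return hits


# Constructed inventory rows (hostname, product, version); not from the page.
SAMPLE_INVENTORY = [
    ("vsa-01", "Kaseya VSA", "9.5.6"),
    ("vsa-02", "Kaseya VSA", "9.5.7"),
    ("vpn-01", "Pulse Connect Secure", "9.1R9"),
    ("vpn-02", "Pulse Connect Secure", "9.1R12"),
    ("adc-01", "Citrix ADC", "12.1.55.13"),
    ("fw-01", "Fortinet FortiOS", "6.0.4"),
    ("fw-02", "Fortinet FortiOS", "5.7.0"),
    ("fw-03", "Fortinet FortiOS", "6.2.0"),
]

if __name__ == "__main__":
    for host, cve in triage(SAMPLE_INVENTORY):
        print(f"{host}: inside affected range for {cve}")
```

Version strings from appliance firmware rarely follow semantic versioning, which is why the tokenizer treats digits and letters separately; feeding real inventory data through `parse_version` on a few known-good and known-bad builds before trusting the output is the check worth doing.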
MITRE ATT&CK® Techniques
Data Encrypted for Impact
Valid Accounts
Phishing
Inhibit System Recovery
Service Stop
Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management
Control ID: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
REvil ransomware targeting creates severe risks for financial institutions through lateral movement, data exfiltration, and encrypted traffic vulnerabilities requiring enhanced segmentation.
Health Care / Life Sciences
Healthcare systems face critical exposure to REvil ransomware attacks through east-west traffic exploitation, HIPAA compliance violations, and encrypted data exfiltration threats.
Government Administration
Government entities remain prime REvil ransomware targets, with significant risks from privilege escalation, command-and-control communications, and sensitive data compromise scenarios.
Information Technology/IT
The IT sector faces heightened REvil ransomware exposure through multicloud environments, requiring enhanced zero trust segmentation and comprehensive threat detection capabilities.
Sources
- BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks: https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html
- Kaseya REvil Ransomware Attack (CVE-2021-30116) – Automatically Discover and Prioritize Using Qualys VMDR: https://blog.qualys.com/product-tech/2021/07/08/kaseya-revil-ransomware-attack-cve-2021-30116-automatically-discover-and-prioritize-using-qualys-vmdr
- REvil ransomware exploiting VPN flaws made public last April: https://www.sophos.com/en-us/blog/revil-ransomware-exploiting-vpn-flaws-made-public-last-april
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, and move laterally, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the zero-day vulnerability may have been limited, reducing the likelihood of initial access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and deploy ransomware may have been constrained, limiting the scope of the attack.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement through interconnected systems may have been limited, reducing the spread of ransomware.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain control over infected systems may have been constrained, limiting the duration of the attack.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been limited, reducing data loss.
The attacker's ability to encrypt critical data and systems may have been constrained, limiting the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- IT Infrastructure Management
- Data Security
- Customer Service
Estimated downtime: 21 days
Estimated loss: $40,800,000
Potential exposure of sensitive customer and corporate data due to ransomware encryption and exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of ransomware within networks.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized movements.
- Utilize Multicloud Visibility & Control to gain comprehensive insights across cloud environments, identifying anomalies.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and block malicious outbound traffic.
- Establish robust Threat Detection & Anomaly Response mechanisms to swiftly identify and respond to suspicious activities.