SecurityToday: Trellix source code breach – What vendor due diligence means for security tools<\/a><\/p>\nThe BKA Case in Detail<\/h2>\n
BKA investigations have been ongoing for over two years, running parallel to investigations by the US FBI and Europol, according to information from the agency. The identification of the alleged leader was achieved through a combination of cryptocurrency blockchain analysis, infiltrated affiliate networks, and traditional intelligence gathering from the darknet.<\/p>\n
The decisive operational breakthrough came, according to the BKA, through cryptocurrency transactions. Although REvil ransoms were laundered through mixers and exchange platforms, they left behind traces that could be tracked over several years. Blockchain forensics companies like Chainalysis supported this analysis – a now-standard method in ransomware investigations.<\/p>\n
What’s next: The BKA has filed arrest warrants. Extradition requests have been sent to several countries. The problem: REvil leadership is allegedly based in Russia or countries without a robust extradition agreement with Germany or the EU. Identification is one investigative success – arrest and trial are a different matter.<\/p>\n
Why Law Enforcement Struggles with Ransomware<\/h2>\n
The BKA case illustrates a fundamental problem. Ransomware operators don’t choose their location randomly. Russia, Belarus, Iran, North Korea – the countries from which the most active ransomware groups operate either have no extradition agreements with Western law enforcement or have actively hostile relationships.<\/p>\n
Even if identification is successful, attribution is not deterrence. REvil has “stopped” several times in 2022 due to internal conflicts and pressure from US authorities, only to continue under new names. The ransomware ecosystem is modular. Affiliates migrate to other groups. Infrastructure is rebuilt. A single arrest – if it were to happen – would slow down operations, not stop them.<\/p>\n
The BSI consistently describes in its situation reports: Ransomware is the threat with the highest potential economic damage for German companies. And at the same time, it is the threat where law enforcement has the least deterrent effect – because perpetrators remain out of reach.<\/p>\n
What Security Teams Can Learn from the Case<\/h2>\n
For CISOs and security teams in German companies, the BKA’s success is neutral from an operational perspective. The threat from REvil affiliates and successor groups remains. What can be derived:<\/p>\n
Blockchain forensics is a mature investigative approach.<\/strong> Those who pay ransoms leave a trail – this is not an argument against payment in emergency situations, but an argument for documenting transactions. Authorities use this data for later law enforcement and sanctions checks.<\/p>\nAffiliate networks remain the actual attack infrastructure.<\/strong> REvil leaders design tools and tactics. Affiliates carry out attacks, which are decided separately for each attack. A weakened core group does not mean fewer attacks.<\/p>\nIncident response planning remains the primary protective measure.<\/strong> Backup strategy, network segmentation, EDR coverage, offline backups – these are the levers that a security team controls. Law enforcement successes are no substitute for this.<\/p>\nSources: BKA press release April 2026, BSI situation report 2025, Europol Joint Investigation Team Ransomware.<\/em><\/p>\nFrequently Asked Questions<\/h2>\nHow realistic is the arrest of the identified REvil leader?<\/h3>\n
Very low, as long as the person remains in a country without an extradition agreement with Germany or the EU. The BKA can issue arrest warrants and Interpol Red Notices. This will only be effective when the person enters a country that initiates extradition proceedings – which has historically been rare for Russia-based ransomware operators. The symbolic value of attribution outweighs the operational value.<\/p>\n
Is REvil weakened as a threat after the BKA’s success?<\/h3>\n
Not operationally. REvil has “stopped” as a group several times since 2022 and has continued under new names or as splinter groups. The affiliate model means that attacks continue even if the core group is weakened. Security teams should not assume a reduced threat level.<\/p>\n
What does cryptocurrency forensics mean for companies that have paid ransoms?<\/h3>\n
Ransom transactions are tracked by authorities and can be relevant for sanctions checks – especially if the recipient is later classified as a sanctioned person or group. Companies that have paid ransoms should document transactions and seek legal advice on potential sanctions risks. The OFAC (US Treasury Department) has published explicit guidelines for ransomware payments to sanctioned groups.<\/p>\n
How do REvil successor groups differ from the original organization?<\/h3>\n
REvil offshoots and successors like BlackMatter and ALPHV\/BlackCat adopt technical methods and affiliate structures, but operate independently. The key differences: different encryption tools, different infrastructure hosting strategies, and different negotiation methods with victims. The BSI and CISA publish current information on known REvil successors in their regular situation reports.<\/p>\n
What can KRITIS operators specifically learn from the case?<\/h3>\n
Three lessons: First, law enforcement doesn’t provide prospective protection – your own defenses must work regardless of whether perpetrators are arrested. Second, blockchain forensics means that ransom payments can be traced permanently – this has legal implications for later sanctions checks. Third, affiliate structures mean that the loss of a core actor doesn’t immediately provide protective effects. Incident response planning and offline backup strategies remain the most effective measures.<\/p>\n
Source title image: Pexels \/ Fatih Kopcal (px:32933039)<\/p>\n","protected":false},"excerpt":{"rendered":"7 Min. Read Time At the end of April 2026, the BKA identified the alleged leader of the REvil group and initiated an international arrest warrant request. 130 documented attacks on German targets, damages of at least 35 million Euro in Germany alone. And yet: the structural obstacles to successful prosecution in ransomware cases remain […]","protected":false},"author":50,"featured_media":13970,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"BKA RE","_yoast_wpseo_title":"BKA Hunts REvil Leader After 130 Attacks on German Targets","_yoast_wpseo_metadesc":"BKA identifies REvil leader: 130 attacks on German targets, \u20ac35 million in damages. Why law enforcement still fails against ransomware.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/bka-revil-anfuehrer-130-angriffe-deutschland-strafverfolgung-ransomware-2026-cover-hero-1.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/bka-revil-anfuehrer-130-angriffe-deutschland-strafverfolgung-ransomware-2026-cover-hero-1.jpg","_yoast_wpseo_twitter-image-id":0,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-14143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles"],"wpml_language":"en","wpml_translation_of":13960,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=14143"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14143\/revisions"}],"predecessor-version":[{"id":14585,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/14143\/revisions\/14585"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/13970"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=14143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=14143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=14143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}