GandCrab: Germany Names Suspected Leader of REvil and GandCrab Ransomware Gangs

German Authorities Identify Key Figure Behind REvil and GandCrab Ransomware Operations

German law enforcement has linked a 31-year-old Russian national, Daniil Maksimovich Shchukin, to some of the most prolific ransomware attacks in recent years. Operating under the alias "UNKN" (or "UNKNOWN"), Shchukin is accused of leading both the GandCrab and REvil ransomware gangs, which were responsible for at least 130 cyberattacks in Germany between 2019 and 2021.

The investigation, led by Germany’s Federal Criminal Police (BKA), alleges that Shchukin and another suspect, Anatoly Sergeevitsch Kravchuk, extorted nearly €2 million while causing over €35 million in economic damage. Both groups pioneered the "double extortion" tactic, demanding payment for decryption keys while threatening to leak stolen data, which is now standard practice among ransomware gangs.

From GandCrab to REvil: A Cybercrime Evolution

The GandCrab ransomware operation emerged in 2018, leveraging an affiliate model in which hackers shared profits in exchange for breaching systems. By May 2019, the group claimed earnings of $2 billion before shutting down. Shortly after, REvil appeared, widely believed to be a rebrand or successor. Under Shchukin’s leadership, REvil adopted "big-game hunting": targeting large enterprises with cyber insurance, which increased the likelihood of massive payouts.

The Industrialization of Ransomware

REvil’s operations resembled a corporate enterprise, outsourcing tasks like initial access, encryption, and money laundering to specialized actors. This underground ecosystem allowed ransomware gangs to scale rapidly, reinvest profits, and refine their tools, making attacks more sophisticated and harder to counter.

High-Profile Attacks and Law Enforcement Crackdown

REvil gained global notoriety in 2021 after the Kaseya attack, which disrupted over 1,500 businesses worldwide. The incident marked a turning point: the FBI had already infiltrated REvil’s infrastructure but delayed action to avoid tipping off the group. Subsequent disruptions, including the release of a free decryption key, crippled REvil’s operations.

Financial Trails and Unanswered Questions

Shchukin’s identity surfaced in a 2023 U.S. Department of Justice filing, linking him to cryptocurrency wallets holding $317,000 in illicit funds. However, German authorities believe he remains in Russia, beyond immediate extradition reach.

While the identification of a key REvil figure is a rare law enforcement victory, the ransomware ecosystem these groups helped build remains intact. The tactics, tools, and business models pioneered by GandCrab and REvil continue to shape modern cybercrime, underscoring the persistent threat of organized ransomware operations.

Source: https://thecyberexpress.com/revil-ransomware-gang-leader-identified/

BleepingComputer cybersecurity rating report: https://www.rankiteo.com/company/bleepingcomputer

{
  "id": "BLE1775550609",
  "linkid": "bleepingcomputer",
  "type": "Ransomware",
  "date": "1/2019",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "1,500+ businesses (Kaseya attack)",
      "location": "Germany",
      "size": "Large (cyber-insured)",
      "type": "Enterprises"
    }
  ],
  "attack_vector": ["Affiliate model", "Initial access brokers", "Big-game hunting"],
  "data_breach": {
    "data_encryption": "Yes (ransomware encryption)",
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High (used for double extortion)",
    "type_of_data_compromised": ["Stolen data for extortion"]
  },
  "description": "German law enforcement has linked a 31-year-old Russian national, Daniil Maksimovich Shchukin, to some of the most prolific ransomware attacks in recent years. Operating under the alias 'UNKN' (or 'UNKNOWN'), Shchukin is accused of leading both the GandCrab and REvil ransomware gangs, which were responsible for at least 130 cyberattacks in Germany between 2019 and 2021. The investigation alleges that Shchukin and another suspect extorted nearly €2 million while causing over €35 million in economic damage. Both groups pioneered the 'double extortion' tactic, demanding payment for decryption keys while threatening to leak stolen data.",
  "impact": {
    "data_compromised": "Stolen data leaked as part of double extortion",
    "financial_loss": "€35 million in economic damage",
    "operational_impact": "Disrupted over 1,500 businesses worldwide (Kaseya attack)"
  },
  "initial_access_broker": {
    "high_value_targets": "Large enterprises with cyber insurance"
  },
  "investigation_status": "Ongoing (suspect identified but not extradited)",
  "lessons_learned": "The ransomware ecosystem remains intact despite law enforcement victories. Tactics like double extortion and big-game hunting continue to evolve.",
  "motivation": ["Financial gain", "Extortion"],
  "post_incident_analysis": {
    "root_causes": [
      "Affiliate model enabling scalability",
      "Specialized underground ecosystem",
      "Big-game hunting targeting high-value victims"
    ]
  },
  "ransomware": {
    "data_encryption": "Yes",
    "data_exfiltration": "Yes (double extortion)",
    "ransom_paid": "Nearly €2 million extorted",
    "ransomware_strain": ["GandCrab", "REvil"]
  },
  "references": [
    {"source": "U.S. Department of Justice filing (2023)"},
    {"source": "German Federal Criminal Police (BKA) investigation"}
  ],
  "response": {
    "containment_measures": "FBI infiltrated REvil’s infrastructure, released decryption key",
    "law_enforcement_notified": "Yes (BKA, FBI)"
  },
  "threat_actor": ["Daniil Maksimovich Shchukin (UNKN)", "Anatoly Sergeevitsch Kravchuk"],
  "title": "German Authorities Identify Key Figure Behind REvil and GandCrab Ransomware Operations",
  "type": "Ransomware"
}