German authorities identify REvil and GandCrab ransomware bosses
German authorities have publicly identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the hacker known as “UNKN,” who led the GandCrab and REvil ransomware groups responsible for at least 130 attacks on German companies between 2019 and 2021. Alongside Shchukin, 43-year-old Anatoly Sergeevitsch Kravchuk was named as a co-leader of the operations. Together, they are said to have extorted roughly €2 million directly from German victims and to have caused an estimated €35-40 million in total economic damage once downtime and recovery costs are included.
Main Analysis
GandCrab, which launched in early 2018, was one of the first ransomware-as-a-service (RaaS) operations to run the affiliate model at scale: the core team supplied the malware, payment portal and decryptor, while affiliates broke into victims and split the ransom. The group abruptly retired in mid-2019 after claiming to have extorted over $2 billion worldwide, with its leadership cashing out approximately $150 million. REvil (also tracked as Sodinokibi) appeared in 2019 as its successor, composed largely of former GandCrab affiliates and operators, and extended the model with double extortion: ransom demanded both for decrypting data and for not publishing stolen data, backed by a public leak site and, later, auctions of stolen data to pressure victims.

REvil’s affiliate model allowed the group to scale rapidly, with affiliates steered toward large organizations with annual revenues above $100 million and substantial cyber insurance coverage. Notable incidents include the July 2021 Kaseya supply-chain attack, which pushed ransomware through Kaseya’s VSA remote-management product to around 1,500 downstream companies globally, and the 2021 JBS attack that disrupted meat-processing operations and food supply chains.

German investigators traced the group’s infrastructure, including its cryptocurrency wallets, and linked Shchukin and Kravchuk to the operations through blockchain analysis and digital forensics. The German Federal Criminal Police Office (BKA) coordinated with international agencies and cybersecurity firms to analyze over 10 terabytes of data, reconstruct attack timelines, and identify the operators’ preferred initial access vectors: unpatched VPN appliances, compromised Remote Desktop Protocol (RDP) access, and phishing campaigns targeting privileged accounts.

Despite the identification, both suspects are believed to reside in Russia, which does not extradite its own citizens, so the prospects for arrest and prosecution are limited unless they travel. Publicly naming Shchukin and Kravchuk nevertheless serves several purposes: it restricts their ability to travel or do business outside Russia, deters affiliates and collaborators, and undermines the sense of impunity that Russia’s safe-harbor status has fostered among ransomware operators.
The exposure also signals a maturation of cross-border cyber attribution, demonstrating that even highly cautious operators like UNKN can be unmasked. It does not, however, signal an end to the ransomware threat. Many former REvil affiliates have migrated to successor groups such as BlackCat/ALPHV and LockBit, and continue to use similar tactics and tooling. Organizations are urged to prioritize patching internet-facing remote access services (VPNs, RDP gateways), to keep immutable, offline backups, to run ransomware-specific incident response exercises, and to review cyber insurance policies in light of the evolving attribution and legal landscape. For victims of the 2019-2021 attacks, the identification may matter for legal restitution and insurance claims as international law enforcement continues to pursue accountability despite jurisdictional obstacles. Meanwhile, the operational techniques and affiliate structures built under Shchukin’s leadership remain in active use, underscoring the need for sustained vigilance and robust defenses.
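The initial access vectors attributed to the group above, compromised RDP in particular, are the kind of activity a defender can detect from Windows Security logs before the encryptor ever runs. The following detection is an added example written for this page, not code from the investigators or from any product: it correlates failed RDP logons (event ID 4625, logon type 10 = RemoteInteractive) per source IP within a sliding window and then flags the first successful logon (event ID 4624, logon type 10) from a source that crossed the threshold, which is the brute-force-then-success pattern. The event records are constructed for the example; the tuple layout and the threshold of 10 failures in 10 minutes are assumptions to adapt to your own environment.

```python
"""Added example (not from the original article): detect RDP brute force
followed by a successful logon from the same source, using Windows Security
event IDs 4625 (failed logon) and 4624 (successful logon). Logon type 10 is
RemoteInteractive, i.e. RDP. Sample data below is constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Record layout (assumption): (iso_timestamp, event_id, logon_type, source_ip, target_account)
# Constructed password spray from one source: 12 failures over six minutes.
_SPRAY_ACCOUNTS = ["administrator", "admin", "backup", "svc_backup", "jsmith", "helpdesk"]
_BRUTE_FORCE = [
    (f"2021-07-02T01:0{i // 2}:{'00' if i % 2 == 0 else '30'}", 4625, 10,
     "203.0.113.7", _SPRAY_ACCOUNTS[i % len(_SPRAY_ACCOUNTS)])
    for i in range(12)
]
SAMPLE_EVENTS = _BRUTE_FORCE + [
    # The sprayed source finally gets in as a service account: this is the alert we want.
    ("2021-07-02T01:09:40", 4624, 10, "203.0.113.7", "svc_backup"),
    # One mistyped password followed by success: a normal user, no alert.
    ("2021-07-02T02:15:00", 4625, 10, "198.51.100.9", "jsmith"),
    ("2021-07-02T02:16:00", 4624, 10, "198.51.100.9", "jsmith"),
    # Console logon (logon type 2) is out of scope for an RDP detection.
    ("2021-07-02T03:00:00", 4624, 2, "10.0.0.5", "jsmith"),
]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Return {source_ip: {failures, first_seen, success_account}} for every
    source that produced `threshold` or more failed RDP logons inside `window`.
    `success_account` is the first account that source later logged into over
    RDP, or None if no success has been seen yet."""
    recent_failures = defaultdict(list)  # source_ip -> timestamps inside the window
    alerts = {}
    for ts, event_id, logon_type, src_ip, account in sorted(events):
        if logon_type != 10:  # only RDP (RemoteInteractive) logons
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent_failures[src_ip]
            q.append(t)
            while q and t - q[0] > window:  # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    src_ip, {"first_seen": q[0].isoformat(), "success_account": None})
                alert["failures"] = len(q)
        elif event_id == 4624 and src_ip in alerts and alerts[src_ip]["success_account"] is None:
            # Success from an already-flagged source: likely compromised credentials.
            alerts[src_ip]["success_account"] = account
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} failed RDP logons since {info['first_seen']}, "
              f"then success as {info['success_account']}")
```

In production the same logic runs over events pulled from a SIEM or from `Get-WinEvent` exports; the `success_account` field is what turns a noisy brute-force alert into an incident that warrants immediate session termination and credential reset.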