8 Critical Facts Behind Germany's Unmasking of REvil and GandCrab Leader UNKN

From Farkesli, the free encyclopedia of technology

In a major breakthrough against international cybercrime, German authorities have finally put a name and face to one of the most elusive ransomware kingpins. The individual known online as 'UNKN' or 'UNKNOWN' orchestrated two of the most devastating ransomware operations in history: GandCrab and REvil. Here are eight essential facts about this case, the gangs involved, and the impact of their crimes.

1. The Real Identity of UNKN

For years, the cybercriminal mastermind behind the GandCrab and REvil ransomware gangs operated under the alias 'UNKN' (short for UNKNOWN). In a recent advisory, the German Federal Criminal Police (Bundeskriminalamt, or BKA) identified him as Daniil Maksimovich Shchukin, a 31-year-old Russian national. This revelation came after extensive investigation into a series of cyberattacks that plagued German companies and institutions between 2019 and 2021.

Source: krebsonsecurity.com

2. The Scale of the Criminal Operation

Shchukin is accused of leading both GandCrab and REvil, which are considered among the largest ransomware groups worldwide. The BKA states that Shchukin, along with an accomplice named Anatoly Sergeevitsch Kravchuk (43, also Russian), was responsible for at least 130 acts of computer sabotage and extortion. These attacks targeted victims across Germany and demanded nearly €2 million in ransom payments, with total economic damages exceeding €35 million.

3. Pioneering Double Extortion

GandCrab and REvil are infamous for pioneering the double extortion tactic. Victims were first asked to pay a ransom for a decryptor to restore their encrypted systems. If they refused, the attackers threatened to publish the sensitive data they had stolen before encryption unless a second payment was made. This aggressive strategy forced many organizations to pay, fearing regulatory fines or reputational harm from data leaks.

4. The Rise and Shutdown of GandCrab

GandCrab first appeared in January 2018 as a ransomware-as-a-service (RaaS) program. Affiliates would hack into corporate networks, and the core team would escalate access and exfiltrate data. The malware underwent five major revisions, each adding stealth features and evading security software. On May 31, 2019, the group announced its shutdown, claiming to have extorted over $2 billion from victims. Their farewell message boasted: "We are a living proof that you can do evil and get off scot-free" and "We have proved that you can become number one by general admission."

5. REvil: The Successor Gang

Almost immediately after GandCrab's closure, a new ransomware group called REvil emerged, led by the same user UNKNOWN. To prove his seriousness on a Russian cybercrime forum, UNKNOWN deposited $1 million in escrow. Security researchers quickly noted that REvil appeared to be a rebranded version of GandCrab, using similar code and tactics. The group continued the double extortion model and targeted major corporations worldwide.


6. Shchukin's Digital Footprint

Shchukin's name surfaced in a February 2023 U.S. Department of Justice filing that sought seizure of cryptocurrency accounts linked to REvil proceeds. Authorities identified a digital wallet tied to Shchukin containing over $317,000 in illicit cryptocurrency. This financial trail, combined with intelligence from international partners, helped German police connect the alias to the real person.

7. The Role of Anatoly Kravchuk

While Shchukin is considered the head of the operations, his accomplice Anatoly Sergeevitsch Kravchuk played a key role. The BKA alleges that Kravchuk assisted in carrying out the extortion schemes and managing ransomware deployments. Both men are now wanted by German authorities, and international warrants have been issued for their arrest.

8. Ongoing Impact and Lessons

The unmasking of UNKN marks a significant win for law enforcement, but the battle against ransomware continues. Many affiliates and members of these gangs remain at large. The case highlights the importance of international cooperation in cybercrime investigations and the need for organizations to adopt robust backup, incident response, and employee training protocols. As the digital underworld evolves, staying vigilant is more critical than ever.

In conclusion, the identification of Daniil Maksimovich Shchukin as UNKN sends a clear message: no criminal is truly anonymous. While the gangs may have caused billions in damages, authorities are closing the net. For businesses worldwide, the lessons of GandCrab and REvil underscore the necessity of proactive cybersecurity measures to thwart future attacks.