The Shadows Behind the Ransom: German Police Unmask REvil and GandCrab Kingpins
After years of digital extortion, German authorities reveal the faces and names behind two of the world's most notorious ransomware empires.
For years, the masterminds behind the infamous GandCrab and REvil ransomware groups operated in the murky underworld of cybercrime, orchestrating audacious attacks that crippled businesses, extorted millions, and confounded global law enforcement. Now, the shadows are receding: Germany's Federal Police (BKA) have put names and faces to the elusive figures who terrorized the digital world - unmasking Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk as the ringleaders of these criminal syndicates.
Between 2019 and 2021, Shchukin - known online as "UNKN" or "UNKNOWN" - and Kravchuk orchestrated a reign of ransomware terror, targeting at least 130 companies in Germany alone. The BKA's investigation reveals their sophisticated approach: leveraging cybercrime forums, recruiting affiliates, and extorting payments with ruthless efficiency. Their operations netted at least $2.2 million in paid ransoms from German victims, with the actual financial impact soaring past $40 million.
The story of these groups is a case study in cybercriminal innovation. GandCrab emerged in early 2018, pioneering the "ransomware-as-a-service" affiliate model. This allowed a network of partners to use their malware in exchange for a share of the profits. After GandCrab's supposed retirement in 2019 - with its leader claiming to have earned $2 billion - REvil (also called Sodinokibi) rose from its ashes. Many of REvil's operators were former GandCrab affiliates, now armed with insider knowledge and new tactics.
REvil escalated the game, introducing public leak sites and auctioning stolen data to further pressure victims. Their high-profile hits included attacks on Texas local governments, tech giant Acer, and the devastating Kaseya supply-chain attack, which rippled through 1,500 downstream companies globally. The group's brazen activities eventually drew the full attention of international law enforcement. After a brief disappearance post-Kaseya, their infrastructure was infiltrated by law enforcement, and Russia made high-profile arrests in early 2022 - though most suspects were released after serving sentences for unrelated crimes.
Despite these disruptions, the key figures - Shchukin and Kravchuk - remained at large. Now, with their identities exposed and their faces circulating on Europe's Most Wanted lists, authorities hope to bring them to justice. The BKA's public appeal, including tattoo photos and personal details, signals a new phase in the hunt for cybercriminals: one where anonymity is no longer guaranteed, and the digital underworld's most powerful actors can find themselves dragged into the light.
The unmasking of the REvil and GandCrab kingpins is a milestone, but also a reminder: as law enforcement adapts, so do cybercriminals. The battle for the digital frontier remains relentless - and the next masterminds are already waiting in the wings.
WIKICROOK
- Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
- Affiliate Model: The affiliate model is a cybercrime business structure where hackers recruit partners to distribute malware in exchange for a share of the illicit profits.
- Supply Chain Attack: A supply chain attack targets third-party vendors or services to compromise multiple organizations by exploiting trusted external relationships.
- Leak Site: A leak site is a website where cybercriminals post or threaten to post stolen data to pressure victims into paying a ransom.
- Carding: Carding is the illegal use or trade of stolen credit card data for fraudulent purchases or resale on underground markets.