What happened
Germany’s Federal Criminal Police (BKA — Bundeskriminalamt) has publicly identified two key figures behind the REvil (Sodinokibi) and GandCrab ransomware-as-a-service operations:
- Daniil Maksimovich Shchukin, 31, a Russian national who operated under the alias UNKN (also known as UNKNOWN). He led the ransomware groups from early 2019 through at least July 2021, acting as both promoter and operational leader on the XSS cybercrime forum.
- Anatoly Sergeevitsch Kravchuk, 43, a Russian born in Makiivka, Ukraine. He served as the developer of the REvil ransomware during the same period.
The BKA linked the pair to over 130 ransomware attacks against German organizations. Of those, 25 resulted in ransom payments totaling €1.9 million ($2.19 million), while total economic damage exceeded €35.4 million ($40.8 million).
Both suspects are now on international wanted lists. German authorities believe Shchukin currently resides in Krasnodar, Russia, placing him beyond the immediate reach of extradition.
Why this matters
GandCrab and REvil were not ordinary ransomware operations — they pioneered the double extortion model that is now standard across the ransomware ecosystem. Victims were charged once for decryption keys and a second time for a promise not to publish stolen data.
Key milestones in the GandCrab/REvil timeline:
- January 2018: GandCrab launched as a ransomware affiliate program
- May 2019: GandCrab “retired” after claiming $2 billion in total extortion
- June 2019: REvil appeared, fronted by UNKN with a $1 million escrow deposit on a cybercrime forum
- 2021: REvil hit major targets including JBS (global meat supplier) and Kaseya (MSP platform), affecting thousands of downstream organizations
- July 2021: REvil went offline; later disrupted by law enforcement
- January 2022: Russia’s FSB arrested several REvil members; four were later sentenced
Security researcher Brian Krebs connected Shchukin to earlier cybercrime activity under the alias Ger0in, linked to botnet operations and malware distribution between 2010 and 2011. Shchukin’s name also appeared in a February 2023 U.S. Department of Justice filing seeking seizure of cryptocurrency wallets containing over $317,000 tied to REvil proceeds.
In a 2021 interview with Recorded Future, UNKN described a rags-to-riches story: “As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the school. Now I am a millionaire.”
What this means for defenders
While REvil itself is defunct, the techniques and business model it popularized are now used by virtually every major ransomware group, including LockBit, BlackCat/ALPHV, Qilin, and Cl0p. Understanding UNKN’s operational history helps contextualize how the modern ransomware economy was built.
The unmasking sends a signal: anonymity in ransomware operations has a shelf life. Even operators based in Russia — long considered beyond law enforcement reach — can eventually be identified through sustained international investigation.
How to check if you’re affected
Who should care
- Organizations that were victims of GandCrab or REvil attacks between 2018 and 2021
- Companies that paid ransoms during that period and may have legal or insurance implications
- Incident response teams tracking ransomware lineage for attribution
Concrete steps (15–30 minutes)
Review historical incident records
- If your organization was hit by GandCrab or REvil between 2018 and 2021, this attribution may be relevant for ongoing legal proceedings, insurance claims, or law enforcement coordination
- Check if any prior incident reports reference Sodinokibi, GandCrab, UNKN, or REvil
Assess current ransomware defenses against double-extortion tactics
- REvil’s playbook (initial access → lateral movement → data exfiltration → encryption → extortion) is the template used by current groups
- Verify your organization has:
  - Immutable or air-gapped backups tested for restore
  - Data Loss Prevention (DLP) controls monitoring for bulk exfiltration
  - Network segmentation limiting lateral movement
  - EDR coverage on all endpoints, including servers
Check for BYOVD and EDR-evasion indicators
- Current REvil successors (Qilin, Warlock) use Bring Your Own Vulnerable Driver (BYOVD) techniques to disable EDR
- Audit driver installation events (Windows System log Event ID 7045, which records every new service installation, including kernel-mode driver services)
- Cross-reference loaded drivers against the LOLDrivers database
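The audit step above can be scripted. The block below is an added example, not code from the article, the BKA, or the LOLDrivers project: it parses the message body of Event ID 7045 records, keeps only kernel-mode driver services, and cross-references them against a vulnerable-driver list first by SHA256 and then, as a weaker signal, by file name. The 7045 message bodies, the driver list and its hashes, and the on-disk contents behind `hash_file` are all constructed stand-ins; the real LOLDrivers schema is not reproduced, only a simplified filename/sha256 pairing.

```python
import hashlib
import re
from typing import Callable, Dict, List, Optional

# Field lines of a Windows System-log Event ID 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account): ?(.*)$",
    re.M,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the driver list (filename + SHA256), NOT the real LOLDrivers data.
VULNERABLE_DRIVERS = [
    {"filename": "vulndrv_a.sys", "sha256": sha256_hex(b"constructed bytes of vulnerable driver A")},
    {"filename": "vulndrv_b.sys", "sha256": sha256_hex(b"constructed bytes of vulnerable driver B")},
]

# Constructed stand-in for reading files from disk; replace with real file reads in production.
FAKE_DISK = {
    "c:\\windows\\sysmon64.exe": b"constructed bytes of a benign binary",
    "c:\\users\\public\\vulndrv_a.sys": b"constructed bytes of vulnerable driver A",
    "c:\\programdata\\drv\\renamed.sys": b"constructed bytes of vulnerable driver B",  # renamed copy of B
}

# Constructed 7045 message bodies in the layout Windows writes to the System log.
SAMPLE_7045_EVENTS = [
    "A service was installed in the system.\n\nService Name: Sysmon64\n"
    "Service File Name: C:\\Windows\\Sysmon64.exe\nService Type: user mode service\n"
    "Service Start Type: auto start\nService Account: LocalSystem",
    "A service was installed in the system.\n\nService Name: drvsvc1\n"
    "Service File Name: \\??\\C:\\Users\\Public\\vulndrv_a.sys\nService Type: kernel mode driver\n"
    "Service Start Type: demand start\nService Account: ",
    "A service was installed in the system.\n\nService Name: drvsvc2\n"
    "Service File Name: C:\\ProgramData\\drv\\renamed.sys\nService Type: kernel mode driver\n"
    "Service Start Type: demand start\nService Account: ",
    "A service was installed in the system.\n\nService Name: drvsvc3\n"
    "Service File Name: system32\\drivers\\vulndrv_b.sys\nService Type: kernel mode driver\n"
    "Service Start Type: demand start\nService Account: ",
]


def normalize_path(raw: str) -> str:
    """Turn the NT-style or relative paths drivers register with into one comparable form."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\SystemRoot\\"):]
    if p.lower().startswith("system32\\"):
        p = "C:\\Windows\\" + p
    return p.lower()


def parse_7045(message: str) -> Dict[str, str]:
    fields = {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(message)}
    fields["Service File Name"] = normalize_path(fields.get("Service File Name", ""))
    return fields


def hash_file(path: str) -> Optional[str]:
    """Constructed stand-in for hashing the file on disk; None means the file is gone."""
    data = FAKE_DISK.get(path)
    return None if data is None else sha256_hex(data)


def find_byovd_candidates(
    messages: List[str],
    driver_list: List[Dict[str, str]],
    hasher: Callable[[str], Optional[str]] = hash_file,
) -> List[Dict[str, str]]:
    by_hash = {d["sha256"].lower(): d for d in driver_list}
    by_name = {d["filename"].lower(): d for d in driver_list}
    hits = []
    for msg in messages:
        ev = parse_7045(msg)
        if ev.get("Service Type") != "kernel mode driver":
            continue  # user-mode services cannot be BYOVD drivers
        path = ev["Service File Name"]
        name = path.rsplit("\\", 1)[-1]
        digest = hasher(path)
        if digest and digest in by_hash:
            # Hash match catches a known driver even when it was renamed on disk.
            hits.append({"service": ev["Service Name"], "path": path,
                         "match": "sha256", "known_as": by_hash[digest]["filename"]})
        elif name in by_name:
            # File already removed or altered: only the registered name remains as a lead.
            hits.append({"service": ev["Service Name"], "path": path,
                         "match": "filename", "known_as": name})
    return hits


if __name__ == "__main__":
    for hit in find_byovd_candidates(SAMPLE_7045_EVENTS, VULNERABLE_DRIVERS):
        print(hit)
```

On a real host the message bodies come from the System log (for example `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`), and `hash_file` should read the file and hash it. Because 7045 only records service registration, a driver that was loaded and then deleted leaves nothing to hash, which is why name-only matches are kept as a lower-confidence signal rather than discarded; where Sysmon is deployed, its Event ID 6 (DriverLoad) adds the hash and signature at load time and is the better primary source.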
Validate ransomware incident response readiness
- Confirm your IR playbook covers double-extortion scenarios (encryption + data leak threat)
- Ensure legal counsel is pre-engaged for ransom negotiation decisions
- Test backup restoration procedures — don’t assume they work until verified
Monitor for successor operations
- Ransomware groups rebrand frequently. REvil was a rebrand of GandCrab. Track current active groups through threat intelligence feeds
- Subscribe to CISA ransomware advisories and FBI IC3 alerts
Bottom line
The BKA has put a name and face on one of the most consequential figures in ransomware history. While Shchukin remains at large in Russia, the identification closes a chapter on GandCrab/REvil attribution and underscores that international law enforcement continues to chip away at ransomware operator anonymity — even years after the operations shut down.
Sources
- BKA Wanted Notice — Daniil Maksimovich Shchukin
- BKA Wanted Notice — Anatoly Sergeevitsch Kravchuk
- Krebs on Security — Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
- The Hacker News — BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
- Security Affairs — BKA unmasks two REvil Ransomware operators behind 130+ German attacks
