Germany Identifies “UNKN,” Leader of Russian Ransomware Gangs REvil and GandCrab, Responsible for 130 Cyberattacks

Authorities in Germany have unveiled the identity of a notorious hacker known as “UNKN,” revealing that 31-year-old Daniil Maksimovich Shchukin led the infamous ransomware groups GandCrab and REvil. Between 2019 and 2021, Shchukin orchestrated at least 130 acts of computer sabotage and extortion, targeting victims across Germany.

Identification and Charges

The German Federal Criminal Police, known as the Bundeskriminalamt (BKA), disclosed Shchukin’s identity in an advisory. Alongside 43-year-old Anatoly Sergeevitsch Kravchuk, Shchukin is accused of extorting nearly €2 million through two dozen cyberattacks, which collectively inflicted over €35 million in economic damage. The BKA’s findings highlight the significant impact of these cybercriminal activities on both individuals and organizations.

Ransomware Operations

Shchukin’s leadership in GandCrab and REvil marked a pivotal moment in the evolution of ransomware tactics. These groups were among the first to implement a double extortion strategy, demanding payment not only for decrypting compromised systems but also for a promise not to publish stolen data. This innovative approach has since become a hallmark of ransomware operations.

In February 2023, the U.S. Justice Department filed a request to seize various cryptocurrency accounts linked to Shchukin, revealing that his digital wallet contained over $317,000 in illicit cryptocurrency. This underscores the financial incentives driving ransomware operations and the challenges law enforcement faces in tracking and prosecuting cybercriminals.

The Rise and Fall of GandCrab and REvil

GandCrab emerged in January 2018, quickly establishing an affiliate program that rewarded hackers for breaching corporate networks. The group released five major updates to its malware, continuously enhancing its capabilities to evade detection by cybersecurity firms. By May 2019, GandCrab announced its shutdown after reportedly extorting over $2 billion from victims, famously claiming, “We are a living proof that you can do evil and get off scot-free.”

Following GandCrab’s dissolution, the REvil ransomware group surfaced, with UNKN at its helm. Many cybersecurity experts viewed REvil as a rebranding of GandCrab, continuing its legacy of aggressive extortion tactics. UNKN’s announcement on a Russian cybercrime forum, where he deposited $1 million in escrow, signaled a serious commitment to the ransomware business model.

Criminal Ecosystem and Industry Impact

The operations of GandCrab and REvil illustrate the broader criminal ecosystem surrounding ransomware. As detailed in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, ransomware developers increasingly outsourced various tasks, mirroring legitimate business practices. This shift allowed them to focus on enhancing the quality of their malware, resulting in larger payouts from victims.

The emergence of ancillary service providers within the cybercrime landscape has further complicated the fight against ransomware. These providers offer specialized services, such as credential theft and malware deployment, enabling ransomware operators to maximize their efficiency and effectiveness.

Notable Attacks and Law Enforcement Response

REvil gained notoriety for its high-profile attacks, particularly its July 2021 breach of Kaseya, a company managing IT operations for over 1,500 businesses and government agencies. The FBI later revealed that it had infiltrated REvil’s servers before the Kaseya incident, although it could not act on this intelligence at the time. The subsequent release of a free decryption key for REvil victims marked a significant blow to the group’s operations.

Current Status and Investigations

Shchukin, originally from Krasnodar, Russia, is believed to still reside there, according to the BKA. Investigators suspect he may have traveled abroad, complicating efforts to apprehend him. While connections between Shchukin and the various accounts associated with UNKN remain tenuous, his past as a hacker known as “Ger0in” suggests a long-standing involvement in cybercrime.

Recent analyses of images released by the BKA have linked Shchukin to a 2023 birthday celebration, reinforcing the notion that he continues to operate within the cybercriminal underworld.

For further insights into the evolving landscape of ransomware and cybercrime, refer to the original reporting source: krebsonsecurity.com.
