Full Report
The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. [...]
Analysis Summary
# Threat Actor: REvil / GandCrab (Leaders: Shchukin & Kravchuk)
## Attribution & Identity
* **Identified Individuals:**
  * **Daniil Maksimovich Shchukin** (31 years old). Known online as **UNKN** or **UNKNOWN**. He acted as the public representative/spokesperson on cybercrime forums.
  * **Anatoly Sergeevitsch Kravchuk** (43 years old). Identified as a primary leader/operator.
* **Nationality:** Russian.
* **Associated Groups:**
  * **GandCrab:** Active 2018–2019.
  * **REvil (Sodinokibi):** Active 2019–2021; successor to GandCrab, formed by previous operators and affiliates.
* **Legal Status:** Wanted by the German Federal Police (BKA); listed on the EU’s Most Wanted portal.
## Activity Summary
The identified actors led ransomware operations from at least early 2019 until July 2021. Their activities represent an evolution from GandCrab to REvil, refining the **Ransomware-as-a-Service (RaaS)** affiliate model. Significant milestones include the "retirement" of GandCrab in June 2019 and the subsequent launch of REvil. In Germany alone, the actors are linked to at least 130 extortion cases. Global operations culminated in massive supply-chain attacks (Kaseya) before law enforcement disruptions and server seizures led to the group's initial demise in late 2021.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Built a partnership model with affiliates to distribute malware in exchange for a percentage of the ransom.
* **Double Extortion:** Introduced public leak sites to publish stolen data if victims refused to pay.
* **Data Auctions:** Conducted eBay-like auctions for stolen corporate data to maximize pressure on victims.
* **Exploit Kits:** Initial GandCrab distribution via web-based exploit kits.
* **Supply-Chain Attacks:** Compromising managed service providers (MSPs) or software tools to impact thousands of downstream victims simultaneously.
* **Forum Recruitment:** Active engagement in underground cybercrime forums for marketing and support.
## Targeting
* **Sectors:** Technology, Local Government, Managed Service Providers (MSPs), and various private enterprises.
* **Geography:** Global reach, with a specific focus in this report on **Germany**. Also targeted victims in the **United States** (Texas).
* **Victims:**
  * Acer (Computer giant)
  * Kaseya (Supply-chain attack affecting ~1,500 businesses)
  * Texas local governments
  * At least 130 German companies.
## Tools & Infrastructure
* **Malware Families:**
  * GandCrab
  * REvil / Sodinokibi
* **Infrastructure:**
  * Tor-based leak sites and negotiation portals.
  * C2 servers (noted as breached by law enforcement in 2021).
  * Forum handles: `UNKN`, `UNKNOWN`.
  * Affiliate portals for tracking infections and payments.
## Implications
The identification of Shchukin and Kravchuk highlights the persistence of RaaS leadership, even as brand names change (GandCrab to REvil). The financial success of these actors—with GandCrab claiming $2 billion in total earnings—demonstrates the massive scale of the ransomware economy. While law enforcement has successfully identified these individuals, their presence in Russia complicates extradition, suggesting they may continue to influence the threat landscape under different monikers or groups.
## Mitigations
* **Supply Chain Security:** Rigorous auditing of third-party management software (such as Kaseya) that reaches downstream customers, and limiting the administrative privileges granted to such tools.
* **Offline Backups:** Maintain encrypted, offline backups to negate the impact of data encryption.
* **Data Loss Prevention (DLP):** Implement tools to detect and block the exfiltration of sensitive data to leak sites.
* **Patch Management:** Promptly patch vulnerabilities targeted by exploit kits and common RDP/VPN entry points.
* **Law Enforcement Collaboration:** Report incidents to authorities like the BKA or FBI to provide data that assists in the global tracking and identification of RaaS operators.