Full Report
Brian Krebs reports: An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between...
Analysis Summary
# Threat Actor: UNKN (Daniil Maksimovich Shchukin)
## Attribution & Identity
* **Real Name:** Daniil Maksimovich Shchukin
* **Age:** 31 (as of April 2026)
* **Nationality:** Russian
* **Aliases:** UNKN, UNKNOWN
* **Key Associates:** Anatoly Sergeevitsch Kravchuk (43-year-old Russian national)
* **Associated Groups:** GandCrab, REvil (Sodinokibi)
* **Attributing Agency:** German Federal Criminal Police (Bundeskriminalamt - BKA)
## Activity Summary
Shchukin is identified by German authorities as the head of the **GandCrab** and **REvil** ransomware-as-a-service (RaaS) operations. Between 2019 and 2021, he is alleged to have orchestrated at least 130 acts of computer sabotage and extortion. His operations involve high-stakes "Big Game Hunting," where the actor or his affiliates breach corporate networks, encrypt data, and demand significant ransoms for decryption keys and the non-disclosure of stolen data.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Managed the core development and administrative infrastructure for GandCrab and REvil, recruiting affiliates to carry out infections.
* **Double Extortion (Exfiltration before Encryption):** Stole sensitive data before encrypting it, so that the threat of publication adds leverage on top of the loss of access (T1659).
* **Computer Sabotage:** Targeted disruption of systems to force business shutdowns.
* **Financial Extortion:** Use of cryptocurrency to process illicit payments and launder funds.
* **Data Sabotage:** Systemic encryption of files to prevent access (T1486).
## Targeting
* **Sectors:** General corporate victims, with an emphasis on organizations capable of paying high ransom demands.
* **Geography:** Primarily Germany (based on the BKA advisory), but both groups were known for global operations, excluding Commonwealth of Independent States (CIS) countries.
* **Victims:** At least 130 documented cases in Germany; total economic damage estimated at over 35 million euros for the German cases alone.
## Tools & Infrastructure
* **Malware Families:**
  * **GandCrab:** One of the most prolific early RaaS families (retired in 2019).
  * **REvil (Sodinokibi):** The successor to GandCrab, known for its sophistication and high ransom demands.
* **Infrastructure:** Command-and-Control (C2) servers used to manage ransom negotiations and distribute decryption keys.
## Implications
The doxing and naming of Shchukin by the BKA represents a significant law enforcement milestone against the RaaS ecosystem. It signals that even high-level administrators of elite Russian cybercrime "cartels" are no longer anonymous. While Shchukin remains in Russia (and likely out of reach of German extradition), the public attribution hampers his ability to travel and complicates the movement of illicitly gained assets. It also provides threat intelligence teams with a clearer lineage of the evolution from GandCrab to REvil.
## Mitigations
* **Offline Backups:** Maintain immutable, offline backups to ensure recovery without paying ransoms.
* **Vulnerability Management:** Prioritize patching of internet-facing applications (VPNs, RDP) which are common entry points for RaaS affiliates.
* **Endpoint Detection and Response (EDR):** Deploy EDR tools to monitor for the behavior-based indicators typical of REvil deployments, such as shadow copy deletion.
* **Network Segmentation:** Restrict lateral movement to prevent threat actors from reaching critical data repositories once they have gained initial access.
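The shadow copy deletion indicator mentioned under the EDR bullet above is one that can be checked directly in process-creation telemetry. The following Python is an added example written for this summary; it is not code from the original report, from the BKA, or from any EDR vendor. It assumes a constructed, simplified one-event-per-line key=value log format whose field names mirror Sysmon Event ID 1 (Computer, User, ParentImage, Image, CommandLine); the five log lines embedded in it are constructed for the example, and the technique labels (such as `vssadmin_delete_shadows`) are names chosen here. It generalizes slightly beyond the single indicator in the text by covering the other well-known recovery-inhibition commands (ATT&CK T1490: Inhibit System Recovery) and by correlating several of them on one host within a short window, which is the pattern a detection engineer would actually page on rather than any single command.

```python
"""Detect recovery-inhibition commands (shadow copy deletion and relatives)
in process-creation logs and correlate them per host."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). One process-creation event per
# line: ISO timestamp, then key=value pairs; values with spaces are double-quoted.
CONSTRUCTED_LOG = r'''
2026-04-10T09:12:03Z Computer=FS01 User=CORP\jdoe ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\jdoe\notes.txt"
2026-04-10T09:14:51Z Computer=FS01 User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"
2026-04-10T09:14:52Z Computer=FS01 User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"
2026-04-10T09:14:53Z Computer=FS01 User=CORP\jdoe ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"
2026-04-10T10:02:17Z Computer=BKP02 User="NT AUTHORITY\SYSTEM" ParentImage=C:\Windows\System32\services.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows"
'''

# (technique label, regex over the command line, severity). Labels are ours.
# Listing shadows is deliberately NOT matched: backup software does that routinely.
PATTERNS = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "high"),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), "medium"),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "high"),
    ("powershell_win32_shadowcopy", re.compile(r"win32_shadowcopy.*?\b(delete|remove)", re.I), "high"),
    ("bcdedit_recovery_disable", re.compile(
        r"\bbcdedit(\.exe)?\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I), "medium"),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "high"),
]

# key=value where the value is either "quoted with spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return a dict of fields for one log line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    ts, _, rest = line.partition(" ")
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    # fromisoformat on older Pythons does not accept a trailing 'Z'.
    fields["Timestamp"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def match_patterns(cmdline):
    """All (technique, severity) pairs whose regex matches the command line."""
    return [(name, sev) for name, rx, sev in PATTERNS if rx.search(cmdline)]


def detect(log_text):
    """Scan a log and return one alert dict per matched technique."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        for name, sev in match_patterns(ev.get("CommandLine", "")):
            alerts.append({
                "time": ev["Timestamp"], "host": ev.get("Computer", "?"),
                "user": ev.get("User", "?"), "parent": ev.get("ParentImage", "?"),
                "technique": name, "severity": sev, "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


def correlate(alerts, window_seconds=300):
    """Escalate when two or more distinct techniques fire on one host within
    the window; a single command may be admin activity, a burst rarely is."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            techniques, last = {first["technique"]}, first
            for later in items[i + 1:]:
                if (later["time"] - first["time"]).total_seconds() > window_seconds:
                    break
                techniques.add(later["technique"])
                last = later
            if len(techniques) >= 2:
                incidents.append({"host": host, "techniques": sorted(techniques),
                                  "start": first["time"], "end": last["time"]})
                break  # one incident per host is enough for this example
    return incidents


if __name__ == "__main__":
    found = detect(CONSTRUCTED_LOG)
    for a in found:
        print(f"{a['time']:%H:%M:%S} {a['host']} {a['severity']:6} {a['technique']:28} {a['cmdline']}")
    for inc in correlate(found):
        print(f"CRITICAL {inc['host']}: {len(inc['techniques'])} recovery-inhibition techniques "
              f"between {inc['start']:%H:%M:%S} and {inc['end']:%H:%M:%S}")
```

On the constructed sample this flags the three commands on FS01 and escalates them to one incident, while the routine `vssadmin list shadows` on the backup host produces nothing. In a real deployment the per-host correlation would also want the parent process (a shadow copy purge spawned from an Office document or a web shell is far more suspicious than one spawned by a backup agent) and an allow-list for backup service accounts.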