Full Report
Germany's Federal Criminal Police Office (BKA) has identified two Russian nationals as the leaders of the GandCrab and REvil ransomware operations between 2019 and 2021. [...]
Analysis Summary
# Threat Actor: REvil / GandCrab (Leaders: Shchukin & Kravchuk)
## Attribution & Identity
* **Identified Individuals:**
* **Daniil Maksimovich Shchukin** (31 years old), Russian national. Known by the aliases **UNKN** and **UNKNOWN**. Acted as the public representative and primary forum spokesperson.
* **Anatoly Sergeevitsch Kravchuk** (43 years old), Russian national.
* **Associated Groups:**
* **GandCrab:** Active from early 2018 to June 2019.
* **REvil (Sodinokibi):** First observed in April 2019, shortly before GandCrab's shutdown, and run by former GandCrab operators and affiliates; active until late 2021.
* **Known Associations:** Linked to approximately 130 extortion cases in Germany and the 2021 Kaseya supply-chain attack.
## Activity Summary
Between 2019 and July 2021, Shchukin and Kravchuk led two of the most prolific Ransomware-as-a-Service (RaaS) operations. Under their leadership, REvil kept GandCrab's affiliate model but added more aggressive "double extortion" tactics, including a public leak site and auctions of stolen data. Notable operations included the July 2021 Kaseya supply-chain attack, which affected roughly 1,500 businesses, and high-profile attacks on global corporations such as Acer. Although Russian authorities arrested lower-level members in January 2022, the BKA identifies these two as the primary architects.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS):** Built extensive networks of affiliates who carried out the intrusions while the leaders maintained the core malware and payment infrastructure.
* **Double Extortion:** Exfiltrating sensitive data prior to encryption and threatening its release on public leak sites to compel payment.
* **Data Auctions:** Hosting "eBay-like" auctions on the dark web to sell stolen corporate data to the highest bidder.
* **Supply Chain Attacks:** Exploiting management software (e.g., Kaseya) to encrypt thousands of downstream victims simultaneously.
* **Exploit Kits:** Use of automated exploit kits for drive-by delivery of the payload, notably during the GandCrab period.
* **Forum Recruitment:** Active engagement on Russian-speaking cybercrime forums for affiliate recruitment and brand management.
## Targeting
* **Sectors:** Technology, Managed Service Providers (MSPs), Public Sector (Local Governments), and general Corporate sectors.
* **Geography:** Global reach, with documented victims in Germany (about 130 cases), the USA (Texas local governments) and Taiwan (Acer).
* **Victims:**
* Kaseya (and 1,500 downstream clients)
* Acer (Computer hardware)
* Multiple Texas local governments
* At least 130 companies in Germany
## Tools & Infrastructure
* **Malware Families:**
* GandCrab
* REvil / Sodinokibi
* **Infrastructure:**
* **Leak Sites:** Tor-based "Happy Blog" for publishing stolen data.
* **Payment Portals:** Tor-based negotiation and payment platforms.
* **C2:** Historically Tor-hosted; the group's Tor infrastructure was compromised by law enforcement in 2021, after which REvil went dark.
## Implications
The identification of Shchukin and Kravchuk highlights the continuity between "retired" legacy groups (GandCrab) and newer, more aggressive threats (REvil). Despite the dissolution of REvil in 2021, the leaders' estimated earnings (hundreds of millions of dollars) and their continued presence in Russia, where they are effectively beyond the reach of Western prosecution, suggest they have the capital and the protection to bootstrap new operations or advise emerging RaaS brands.
## Mitigations
* **Supply Chain Security:** Restrict access to RMM (Remote Monitoring and Management) consoles with MFA and network allowlisting, and alert when an RMM or update mechanism pushes scripts or binaries to many endpoints at once, as happened in the Kaseya attack.
* **Offline Backups:** Maintain immutable, off-site backups and test restores regularly, so that recovery from encryption does not depend on paying a ransom.
* **Exfiltration Monitoring:** Use EDR and DLP telemetry to baseline per-host egress and alert on large transfers to unknown IP addresses or consumer file-sharing/cloud storage services; in double-extortion intrusions this staging typically happens in the hours or days before encryption starts.
* **Vulnerability Management:** Prioritize patching of internet-facing applications, VPNs and RMM servers, which are common entry points for RaaS affiliates.
* **Incident Response:** Develop playbooks specifically for "double extortion" scenarios where data is stolen, not just encrypted, covering legal and notification obligations and the monitoring of leak sites.
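The egress check described under "Exfiltration Monitoring" can be prototyped over existing proxy or firewall logs before buying a DLP product. The following is an added illustration, not tooling from the BKA report or from the REvil/GandCrab actors: it parses a constructed CSV egress log, ignores an assumed allowlist of corporate destinations, and flags any host that either exceeds a per-host volume threshold or talks to an assumed list of consumer file-sharing services. The log format, hostnames, domains, threshold and sample lines are all assumptions chosen for the example.

```python
"""Flag hosts pushing unusual volumes of data outside the corporate allowlist.

Added example for the 'Exfiltration Monitoring' mitigation; the log format,
allowlist, file-sharing list, threshold and sample records are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
ts,src_host,dst_host,bytes_out
2021-07-01T22:01:10Z,FS01,backup.corp.example,52428800
2021-07-01T22:03:40Z,WS-117,mega.nz,734003200
2021-07-01T22:04:02Z,WS-117,mega.nz,805306368
2021-07-01T22:05:15Z,WS-042,updates.corp.example,1048576
2021-07-01T22:06:50Z,DC01,203.0.113.77,1610612736
2021-07-01T22:07:30Z,WS-042,api.m365.example,20971520
"""

# Assumed allowlist: corporate/SaaS destinations that legitimately receive bulk data.
ALLOWED_DESTINATIONS = {"backup.corp.example", "updates.corp.example", "api.m365.example"}

# Assumed list of consumer file-sharing services; tune to your environment.
FILE_SHARING_DOMAINS = {"mega.nz", "anonfiles.com", "transfer.sh"}

# Assumed per-host threshold: more than 1 GiB to non-allowlisted destinations.
VOLUME_THRESHOLD_BYTES = 1 * 1024 ** 3


def parse_log(text):
    """Parse CSV egress records into dicts with a datetime and an int byte count."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src_host": row["src_host"],
            "dst_host": row["dst_host"],
            "bytes_out": int(row["bytes_out"]),
        })
    return records


def find_exfil_candidates(records, threshold=VOLUME_THRESHOLD_BYTES,
                          allowed=ALLOWED_DESTINATIONS,
                          file_sharing=FILE_SHARING_DOMAINS):
    """Return {src_host: finding} for hosts whose egress to non-allowlisted
    destinations exceeds `threshold`, or that contacted a file-sharing service."""
    volume = defaultdict(int)        # bytes per source host, allowlisted traffic excluded
    destinations = defaultdict(set)  # non-allowlisted destinations per source host
    for r in records:
        if r["dst_host"] in allowed:
            continue
        volume[r["src_host"]] += r["bytes_out"]
        destinations[r["src_host"]].add(r["dst_host"])

    findings = {}
    for host, total in volume.items():
        reasons = []
        if total > threshold:
            reasons.append("volume")
        if destinations[host] & file_sharing:
            reasons.append("file_sharing")
        if reasons:
            findings[host] = {
                "bytes_out": total,
                "destinations": sorted(destinations[host]),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for host, f in find_exfil_candidates(parse_log(SAMPLE_LOG)).items():
        mib = f["bytes_out"] / 1024 ** 2
        print(f"{host}: {mib:.0f} MiB to {f['destinations']} ({', '.join(f['reasons'])})")
```

On the constructed sample this flags WS-117 (about 1.4 GiB to mega.nz, both rules) and DC01 (1.5 GiB to an unknown IP), while the backup server and the workstation talking only to allowlisted services produce nothing. In production the threshold should come from a per-host baseline rather than a fixed constant, and the check should be windowed so that a burst over a few hours stands out from the same volume spread across a month.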