In a significant breakthrough for international cybercrime investigations, Germany's Federal Police (Bundeskriminalamt or BKA) has publicly identified two Russian nationals as the masterminds behind the notorious GandCrab and REvil ransomware operations. The individuals, 31-year-old Daniil Maksimovich Shchukin and 43-year-old Anatoly Sergeevitsch Kravchuk, are alleged to have led these criminal syndicates from at least the beginning of 2019 until at least July 2021. This identification marks a critical step in attributing high-profile cyberattacks to specific actors, moving beyond mere hacker aliases to real-world identities. Shchukin, who operated for years under the monikers "UNKN" or "UNKNOWN," was a visible figure on cybercrime forums, often speaking as a public representative for the ransomware operation's affiliate program.
The operational and financial impact of their activities on German soil has been severe. According to the BKA's disclosure, the duo participated in at least 130 extortion cases targeting German companies. From these attacks, at least 25 victims succumbed to the pressure, paying a total of approximately $2.2 million in ransom. However, the total financial damage inflicted—factoring in downtime, recovery costs, and data loss—is estimated to exceed a staggering $40 million. This case underscores the devastating economic toll ransomware can exact on national economies and highlights Germany's focused efforts to combat cyber-enabled extortion targeting its critical business sector.
The ransomware ecosystem in which these actors operated has a clear evolutionary lineage. The GandCrab ransomware first emerged in early 2018, pioneering a highly successful Ransomware-as-a-Service (RaaS) affiliate model. In a surprising move, its original leader announced retirement in June 2019, claiming to have earned $2 billion from ransom payments, though later clarifying the actual personal cash-out was around $150 million, purportedly invested into legal businesses. This retirement created a vacuum and an opportunity, leading directly to the rise of REvil (also known as Sodinokibi). REvil adopted and scaled the same affiliate model, becoming one of the most prolific and damaging ransomware groups until its reported disruption in late 2021.
This law enforcement action by German authorities is part of a broader, coordinated international effort to dismantle ransomware networks. While the identification is a major success, the challenges of prosecution remain formidable, given the suspects' location in Russia. Nevertheless, such public attributions serve crucial functions: they disrupt criminal operations by exposing key figures, aid in freezing financial assets, and provide a deterrent by demonstrating that anonymity in cyberspace is increasingly fragile. The announcement also serves as a stark reminder to organizations globally about the persistent and highly organized threat posed by ransomware cartels, emphasizing the continuous need for robust cybersecurity defenses, offline backups, and comprehensive incident response planning.
