German Authorities Identify GandCrab and REvil Ransomware Leaders
- [01] German authorities and the US DOJ identified key leaders of the GandCrab and REvil ransomware operations active between 2018 and 2021.
- [02] These operations targeted thousands of victims worldwide, including critical infrastructure, using a ransomware-as-a-service business model.
- [03] Organizations should maintain offline, immutable backups and enforce multi-factor authentication on all remote access, since the successor groups staffed by former GandCrab and REvil affiliates still rely on the same intrusion techniques.
Overview of the REvil and GandCrab Attribution
According to BleepingComputer, the German Federal Criminal Police (BKA) and the US Department of Justice (DOJ) have identified Russian nationals allegedly responsible for leading the GandCrab and REvil ransomware operations. One of the primary suspects, Nikolay Nikolayevich Chernov (known by the alias “ReshaEVIL”), is accused of acting as a core administrator and developer for both groups. The identification is the result of years of international law enforcement cooperation that traced the movement of digital assets and communication logs from the peak of the groups’ activity between 2019 and 2021.
Impact of Identifying REvil Ransomware Leaders
The identification of these individuals provides significant insight into the Ransomware-as-a-Service (RaaS) model. GandCrab, which debuted in early 2018, was one of the most prolific ransomware operations of its time until it claimed to retire in May 2019. Shortly thereafter, REvil (also known as Sodinokibi) emerged, reusing similar code and TTPs. Security researchers have long suspected a direct link between the two, and these attribution findings confirm the personnel overlap at the leadership level.
For defenders, the primary value of the attribution lies in the historical analysis of the groups’ infrastructure and methodology. Knowing who directed these operations lets SOC teams correlate historical IoCs and C2 infrastructure patterns with the spin-off groups active today. Many former affiliates migrated to other operations, such as LockBit or BlackCat, and brought their preferred lateral movement and data exfiltration methods with them.
Technical Analysis of Operational Evolution
GandCrab and REvil specialized in high-volume, high-impact attacks. Affiliates typically gained initial access through phishing or by exploiting vulnerabilities in internet-facing services, including exposed remote-access endpoints such as RDP and VPN gateways. Once inside a network, they escalated privileges to domain administrator before deploying the encryptor across as many hosts as possible.
Historical GandCrab Ransomware Attribution Findings
Investigation into the “ReshaEVIL” alias revealed a connection to the development of the GandCrab affiliate panel. The panel allowed affiliates to manage their own campaigns, track victims, and negotiate ransoms, while the core developers took a percentage of the profits. This decentralized model kept the operation resilient for several years: law enforcement action against an individual affiliate did not disrupt the core infrastructure or the other affiliates.
The transition from GandCrab to REvil marked an evolution in extortion tactics. While GandCrab focused largely on volume, REvil was an early and prominent adopter of “double extortion”: encrypting the victim’s data while also stealing sensitive information and threatening to publish it on a dedicated leak site (“shame site”) if the ransom is not paid. This tactic has since become the standard for most modern ransomware groups, which is why exfiltration must be treated as an impact event in its own right, not merely as a precursor to encryption.
Mitigation and Defensive Recommendations
While GandCrab and REvil are no longer active in their original forms, their successors continue to use similar techniques, so the mitigations that would have blunted a REvil intrusion remain the foundation of a defence against the current RaaS ecosystem.
- Multi-Factor Authentication (MFA): Require MFA on every remote access path, including VPNs, RDP, and web-facing administrative portals, so that a stolen password alone is not sufficient for initial access.
- Offline Backups: Maintain immutable, off-site backups of critical data and test restores regularly, so that recovery does not depend on paying a ransom.
- Network Segmentation: Limit lateral movement by segmenting sensitive assets (domain controllers, backup servers, file shares) from general user environments and by monitoring inter-zone traffic.
- Vulnerability Management: Patch internet-facing software promptly, since exploitation of remote code execution flaws in edge services is a common initial entry point for ransomware affiliates.
Security professionals should use the MITRE ATT&CK framework to map out common ransomware behaviors. Detecting credential dumping (T1003, typically LSASS memory access) and unauthorized data staging (T1074, for example bulk archiving of file shares into a local directory before exfiltration) gives defenders a chance to interrupt the kill chain before encryption (T1486) occurs.
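As an added illustration of that detection approach (this is example code written for this article, not tooling from the BKA, the DOJ, or any ransomware group), the script below runs three ATT&CK-mapped checks over a handful of constructed Sysmon-style events: LSASS access with memory-read rights (T1003.001), an archiver writing into a common staging directory (T1074.001), and, going one step beyond the text, shadow-copy deletion (T1490), which most ransomware deployments perform immediately before encryption. The event fields, the list of archiver names, the staging-path patterns and the sample events are all assumptions chosen for the example.

```python
"""ATT&CK-mapped ransomware precursor detector (added example, not from the
original article). Events are constructed Sysmon-style dictionaries; the
archiver list and staging-path patterns are illustrative assumptions."""
import re
from dataclasses import dataclass

# Sysmon Event ID 10 (ProcessAccess) reports the access mask a process
# requested on its target. Credential dumping tools need PROCESS_VM_READ
# (0x0010) on lsass.exe; benign callers usually only query limited info.
PROCESS_VM_READ = 0x0010

# Assumed list of archivers commonly abused for staging before exfiltration.
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
# Assumed staging locations: writable by any user, rarely used by humans.
STAGING_DIRS = re.compile(
    r"(\\users\\public\\|\\programdata\\|\\temp\\|\\perflogs\\)", re.I)
# Shadow-copy deletion commands seen before encryption (T1490).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.I)


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK technique ID
    host: str
    detail: str


def check_credential_dumping(ev):
    """T1003.001: a process opened lsass.exe with memory-read access."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return Alert("T1003.001", ev["Computer"],
                     f"{ev['SourceImage']} opened lsass.exe with "
                     f"GrantedAccess=0x{granted:x}")
    return None


def check_data_staging(ev):
    """T1074.001: an archiver writing into a staging directory."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    if image in ARCHIVERS and STAGING_DIRS.search(cmd):
        return Alert("T1074.001", ev["Computer"],
                     f"{image} writing to staging path: {cmd}")
    return None


def check_shadow_copy_deletion(ev):
    """T1490: shadow copies deleted, usually minutes before encryption."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if SHADOW_DELETE.search(cmd):
        return Alert("T1490", ev["Computer"], f"shadow copy deletion: {cmd}")
    return None


CHECKS = (check_credential_dumping, check_data_staging,
          check_shadow_copy_deletion)


def detect(events):
    """Run every check over every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). Two are benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Windows\\Temp\\pd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Computer": "FS01", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": "7z.exe a -pX C:\\ProgramData\\backup.7z \\\\fs01\\finance"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": "7z.exe x C:\\Users\\alice\\Downloads\\report.zip -oC:\\Users\\alice\\Documents"},
    {"EventID": 1, "Computer": "FS01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.host}: {a.detail}")
```

Run as-is it raises three alerts (one per technique) and stays silent on the two benign events. In production the LSASS check needs an allow-list of EDR, AV and backup agents that legitimately read process memory, and the staging check should be joined with a subsequent large outbound transfer from the same host; the point of mapping to ATT&CK IDs is that each rule slots into an existing coverage matrix rather than living as an isolated signature.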