[TIMESTAMP: 2026-04-06 05:01 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Germany Doxes UNKN: Identity of REvil and GandCrab Leader Revealed

[CATEGORY: Threat Intel] [TAGS: #REvil #GandCrab #UNKN] [AI-Assisted Analysis]
// executive briefing tl;dr
  • [01] German authorities have named Daniil Maksimovich Shchukin as the threat actor known as UNKN, the alleged former head of the GandCrab and REvil ransomware operations.
  • [02] Victims spanned critical infrastructure operators and private enterprises worldwide, compromised by affiliates of the GandCrab and REvil Ransomware-as-a-Service (RaaS) platforms.
  • [03] Organizations should review historical indicators of compromise for evidence of past exposure and harden defenses against the RaaS playbook that successor groups still follow.

The unmasking of Daniil Maksimovich Shchukin, known in the underground as “UNKN,” is a significant step in the attribution of Russia-based cybercrime. Shchukin is alleged to be the primary architect of the GandCrab and REvil operations, two of the most prolific ransomware strains in history. According to Krebs on Security, German authorities have linked Shchukin to more than 130 specific incidents of extortion and system sabotage between 2019 and 2021.

REvil Ransomware-as-a-Service Model Analysis

UNKN’s operations relied heavily on the Ransomware-as-a-Service (RaaS) business model. The core developers, led by Shchukin, maintained the malware, the victim payment portal and the command-and-control (C2) infrastructure, while the intrusions themselves were outsourced to affiliates who paid the developers a cut of every ransom. This separation of duties enabled rapid scaling and high-volume targeting, and it shifted the operational risk of the initial breach from the developers to the affiliates.

Affiliates used a range of TTPs for initial access: phishing, credential abuse against exposed RDP and VPN services, and exploitation of remotely exploitable vulnerabilities in internet-facing software. Once inside, they typically moved laterally and escalated privileges until they controlled the domain controllers, then used that access to push the encryptor across the entire network. The speed of this playbook forced many organizations to invest in EDR and centralized SIEM logging so that early-stage discovery and lateral movement can be caught before the encryption event.
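The "catch lateral movement before encryption" point is concrete enough to show in code. The script below is an added example written for this page, not tooling from the article or from any vendor it names. It parses a constructed excerpt of Windows Security log events (the one-line format is the author's own, not a real export) and flags any source address and account pair that authenticates over the network (logon types 3 and 10) to at least five distinct hosts within ten minutes, the fan-out an affiliate produces while pushing from a foothold toward file servers and domain controllers. The host names, addresses, account names and the `ignore_src` allowlist are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt for this example (not real telemetry).
# One event per line:
# "<UTC time> host=<target> EventID=<id> LogonType=<n> Src=<ip> User=<account>"
SAMPLE_LOG = r"""
2021-07-02T02:09:00Z host=DC01 EventID=4768 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:10:05Z host=FS01 EventID=4624 LogonType=3 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:10:41Z host=HR-PC7 EventID=4624 LogonType=3 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:11:12Z host=FIN-PC2 EventID=4624 LogonType=3 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:12:03Z host=ENG-PC9 EventID=4624 LogonType=3 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:13:55Z host=PRINT01 EventID=4624 LogonType=3 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:15:10Z host=DC01 EventID=4625 LogonType=3 Src=10.0.5.23 User=CORP\administrator
2021-07-02T02:17:30Z host=DC01 EventID=4624 LogonType=3 Src=10.0.5.23 User=CORP\svc-backup
2021-07-02T02:20:00Z host=FS01 EventID=4624 LogonType=3 Src=10.0.1.10 User=CORP\jdoe
2021-07-02T02:21:00Z host=FS02 EventID=4624 LogonType=3 Src=10.0.1.10 User=CORP\jdoe
2021-07-02T02:22:00Z host=WS-44 EventID=4624 LogonType=2 Src=10.0.1.10 User=CORP\jdoe
2021-07-02T03:00:00Z host=FS01 EventID=4624 LogonType=3 Src=10.0.9.9 User=CORP\svc-scan
2021-07-02T03:01:00Z host=FS02 EventID=4624 LogonType=3 Src=10.0.9.9 User=CORP\svc-scan
2021-07-02T03:02:00Z host=HR-PC7 EventID=4624 LogonType=3 Src=10.0.9.9 User=CORP\svc-scan
2021-07-02T03:03:00Z host=DC01 EventID=4624 LogonType=3 Src=10.0.9.9 User=CORP\svc-scan
2021-07-02T03:04:00Z host=PRINT01 EventID=4624 LogonType=3 Src=10.0.9.9 User=CORP\svc-scan
"""

# Only lines carrying every field we need are accepted; anything else
# (here the Kerberos 4768 line, which has no LogonType) is skipped.
LINE_RX = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<lt>\d+) Src=(?P<src>\S+) User=(?P<user>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into sorted (time, host, eid, lt, src, user) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RX.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], int(m["eid"]), int(m["lt"]), m["src"], m["user"]))
    return sorted(events)


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=5, ignore_src=frozenset()):
    """Alert on (src, user) pairs with successful network/RDP logons (4624, type 3 or 10)
    to at least `min_hosts` distinct hosts inside any `window`-long sliding interval.
    `ignore_src` is a constructed allowlist for scanners and backup servers that
    legitimately produce the same fan-out."""
    by_actor = defaultdict(list)
    for ts, host, eid, lt, src, user in events:
        if eid == 4624 and lt in (3, 10) and src not in ignore_src:
            by_actor[(src, user)].append((ts, host))

    alerts = []
    for (src, user), hits in by_actor.items():
        hits.sort()
        best, left = None, 0
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window:
                left += 1
            hosts = {h for _, h in hits[left:right + 1]}
            # keep the widest qualifying window so the alert lists every host reached
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"src": src, "user": user, "first": hits[left][0],
                        "last": hits[right][0], "hosts": sorted(hosts)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse(SAMPLE_LOG), ignore_src={"10.0.9.9"}):
        print(f"{a['src']} as {a['user']}: {len(a['hosts'])} hosts "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} -> {', '.join(a['hosts'])}")
```

Without the allowlist the constructed vulnerability scanner (`10.0.9.9`) trips the same rule, which is the usual tuning problem with this detection: suppress known-good sources by identity rather than raising the threshold, because a real affiliate also touches only a handful of hosts per minute. The window and host count are starting points; feed the function real 4624 events from your SIEM and calibrate against a quiet baseline week.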

Historical Impact of GandCrab and REvil

Before REvil emerged, GandCrab dominated the threat landscape, accounting for nearly half of all ransomware infections at its peak in 2018 and 2019. When the GandCrab team announced its “retirement” in mid-2019, the codebase lived on in REvil (also known as Sodinokibi), which shares substantial code with its predecessor. The transition marked a move toward big-game hunting: the group targeted larger organizations for multi-million-dollar payouts.

The group became notorious for its July 2021 supply-chain attack against Kaseya VSA, which reached as many as 1,500 downstream businesses through compromised managed service providers. That operation exploited a zero-day vulnerability in the VSA server, a level of technical sophistication usually associated with an APT. Security teams hunting for REvil activity during this period looked for the group’s consistent on-disk artifacts: files renamed with a per-victim random extension, and a ransom note named after that same extension dropped into every encrypted directory.

German Law Enforcement Investigation

The attribution resulted from a multi-year investigation by the State Office of Criminal Investigation (Landeskriminalamt, LKA) of Baden-Württemberg. Investigators traced financial flows and communication logs that eventually led to Shchukin’s real-world identity. Despite the public naming, Shchukin remains at large, most likely because he resides in Russia, which does not extradite its own citizens for cybercrimes committed abroad. That is the ongoing challenge for a SOC: the actors it defends against operate with relative impunity from safe-haven jurisdictions.

Mitigating Risks from Prolific Ransomware Operations

Although the original GandCrab and REvil infrastructure has been largely dismantled, the techniques they pioneered live on in successor groups. The mitigations that worked against GandCrab and REvil still provide defense in depth against modern RaaS variants that follow the same playbook.

  • Enforce Zero Trust principles: Segment the network and limit internal access to only the resources each identity needs, so that one compromised host cannot reach file shares and domain controllers freely. This assumes the network is already compromised and contains the blast radius at the segment level.
  • Enhance visibility: Consume IoC feeds to monitor for IP addresses and file hashes tied to high-profile ransomware operators and their command infrastructure, but treat them as a supplement: RaaS affiliates rotate infrastructure and recompile payloads quickly, so behavior-based detections age far better than static hashes.
  • Harden credentials: Enforce multi-factor authentication (MFA) on VPN, RDP and remote-management tools, since stolen or brute-forced credentials are a common entry point for ransomware affiliates.
  • Framework alignment: Map internal security controls to the MITRE ATT&CK framework to confirm coverage across the attack lifecycle, from initial access through lateral movement to data exfiltration.

Organizations must recognize that even when the head of a gang is named, the specialized labor force of affiliates and developers usually migrates to new “brands.” Understanding the organizational structure and history of individuals like UNKN is essential for contextualizing the current threat environment and anticipating how successor groups will exploit new vulnerabilities in future campaigns.
