Germany Identifies REvil, GandCrab Ransomware Leader 'UNKN'
German authorities name 31-year-old Russian Daniil Maksimovich Shchukin as 'UNKN,' the operator behind REvil and GandCrab ransomware groups linked to 130+ extortion attacks.

Executive Summary
German authorities have publicly identified the elusive hacker known as "UNKN" — the alleged leader of the Russian ransomware gangs REvil and GandCrab — as 31-year-old Russian national Daniil Maksimovich Shchukin, according to a report from Krebs on Security. German law enforcement officials stated that Shchukin headed both cybercrime operations and was responsible for at least 130 acts of computer sabotage and extortion against victims across Germany between 2019 and 2021.
Technical Analysis
The identification of Shchukin marks a significant breakthrough in attributing leadership of two of the most prolific ransomware families of the late 2010s and early 2020s. GandCrab, which operated from 2018 to 2019, pioneered the ransomware-as-a-service (RaaS) model and extorted victims through a network of affiliates. REvil (also known as Sodinokibi) succeeded GandCrab and became one of the most disruptive ransomware operations, targeting high-profile organizations including meat processor JBS and IT management firm Kaseya.
German authorities did not disclose the specific investigative methods that led to Shchukin's identification, but the unmasking of a figure who maintained operational security for years suggests either a law enforcement infiltration of the group's communications infrastructure or a forensic breakthrough in tracing cryptocurrency payments. The 130 incidents attributed to Shchukin's operations in Germany alone indicate a broad and sustained campaign against German businesses and institutions.
Mitigations & Recommendations
Organizations should review their historical incident logs for ransomware attacks between 2019 and 2021 that match GandCrab or REvil indicators of compromise, particularly if they operated in Germany. While the identification of a leader does not necessarily disrupt current operations — REvil's infrastructure was dismantled in 2022 following international law enforcement action — defenders should monitor for copycat groups or splinter cells that may attempt to re-establish similar RaaS operations. Maintaining offline backups, implementing network segmentation, and ensuring robust endpoint detection and response (EDR) coverage remain the primary defenses against ransomware extortion.