German police unmask two suspects linked to REvil ransomware gang

German authorities have identified two suspected figures behind the now-defunct REvil and GandCrab ransomware gangs.

The suspects were named as Daniil Shchukin, a 31-year-old Russian national believed to have used the alias UNKN (UNKNOWN), and Anatoly Kravchuk, a 43-year-old Ukraine-born Russian citizen who investigators say worked as a developer for the group.

In an advisory published last week and first noticed by cybersecurity journalist Brian Krebs, Germany’s Federal Criminal Police Office (BKA) said the two suspects were linked to about two dozen ransomware attacks that generated nearly $2.3 million in extorted payments while causing more than $40 million in economic damage.

German investigators believe both men are currently in Russia. They are wanted internationally on suspicion of multiple ransomware extortion operations targeting businesses, public institutions and other organizations.

Shchukin is alleged to have played a central role in running both the GandCrab and REvil ransomware operations.

Both groups operated under a ransomware-as-a-service (RaaS) model, in which developers created malicious encryption software and rented it to affiliates who carried out attacks in exchange for a share of the profits.

First advertised in early 2018, GandCrab initially spread through spam emails containing malicious attachments. The operation later evolved into REvil, also known as Sodinokibi, which targeted larger organizations and demanded significantly higher ransom payments.

REvil quickly became one of the most aggressive ransomware groups globally before being dismantled in 2021. Its victims included high-profile targets such as Lady Gaga’s law firm and U.S. President Donald Trump, as well as major companies including U.S. software provider Kaseya.

The gang’s tactics involved encrypting victims’ systems while simultaneously stealing large volumes of data, which attackers threatened to leak online if ransom demands were not met.

Shchukin previously spoke about his rise in cybercrime during an interview published by Recorded Future News.

“As a child, I scrounged through trash heaps and smoked cigarette butts… I didn’t eat for two or even three days,” he said in the interview. “Now I am a millionaire.”

Despite years of international law enforcement efforts, many suspected members of the REvil network remain beyond the reach of Western authorities.

In 2022, Russia’s Federal Security Service (FSB) announced the arrest of 14 alleged REvil members, but legal proceedings in the case have progressed slowly. Only eight suspects have appeared in court in Moscow, facing charges related to illegal financial transactions, while hearings have been repeatedly postponed.

The announcement by German investigators comes amid broader efforts by European authorities to identify ransomware operators linked to Russian cybercrime networks.

Earlier this year, German law enforcement officials also identified two Ukrainian suspects linked to the Russia-associated ransomware group Black Basta and placed the group’s alleged Russian leader on an international wanted list.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.