German authorities identify REvil and GandCrab ransomware bosses

Published: April 6, 2026 at 07:54 PM EDT

Source: Bleeping Computer

Arrests and Identifications

The Federal Police in Germany (BKA) identified two Russian nationals as the leaders of the GandCrab and REvil ransomware operations from at least the beginning of 2019 until July 2021.

  • Daniil Maksimovich Shchukin, 31 years old – BKA profile
  • Anatoly Sergeevitsch Kravchuk, 43 years old – BKA profile

Shchukin operated under the moniker UNKN/UNKNOWN, posting on cyber‑crime forums and speaking as a representative of the ransomware operation.

German authorities say the two participated in at least 130 extortion cases targeting companies in Germany. At least 25 victims paid a total of $2.2 million in ransom, while the overall financial damage is estimated at over $40 million.

GandCrab Background

  • GandCrab began in early 2018 – see the original report on its distribution via exploit kits.
  • Its leader announced retirement in June 2019 after claiming $2 billion in ransom payments, though only $150 million was reportedly cashed out and invested in legitimate businesses.

[Image: GandCrab leader announces retirement. Source: BleepingComputer]

REvil Background

After GandCrab’s shutdown, a new operation called REvil (also known as Sodinokibi) emerged, adopting the affiliate model pioneered by GandCrab. Former GandCrab affiliates and operators built on the same tactics and expanded the operation.

Key developments:

  • REvil added public leak sites and ran data auctions to pressure victims.
  • Notable victims included multiple Texas local governments, Acer, and the Kaseya supply‑chain attack that affected around 1,500 downstream businesses.

Following the massive Kaseya hack, REvil paused for two months. During this time, law enforcement breached their servers and began monitoring their activities. Several infrastructure disruptions were recorded, and in mid‑January 2022, Russian authorities arrested more than a dozen REvil members. Those individuals were released in 2025 after serving time on unrelated carding charges.

Current Status

It is unclear whether Shchukin or Kravchuk joined other ransomware operations after REvil’s apparent demise in 2021. BKA believes both are currently in Russia and asks the public to share any information that could lead to their whereabouts. Relevant entries are also listed on the EU’s Most Wanted portal.

The police have released several images, including tattoo photos, to aid in tracking down the two threat actors.
