German authorities have named a key figure behind some of the most notorious ransomware operations in recent years, linking a real identity to the REvil ransomware gang and its predecessor, the GandCrab ransomware network.
According to Germany’s Federal Criminal Police Office (Bundeskriminalamt, BKA), a 31-year-old Russian national, Daniil Maksimovich Shchukin, has been identified as the individual operating under the alias “UNKN” or “UNKNOWN.” Investigators say he led both ransomware gangs and was directly involved in at least 130 cyberattacks on victims in Germany between 2019 and 2021.
The identification marks a significant development in the long-running investigation into the REvil ransomware gang, which at its peak was one of the most aggressive and financially successful cybercrime operations globally.
Inside the REvil Ransomware Gang’s Operations
Authorities allege that Shchukin, along with another suspect, Anatoly Sergeevitsch Kravchuk, carried out coordinated attacks that extorted nearly €2 million, while causing more than €35 million in economic damage.
The REvil ransomware gang was among the early adopters of “double extortion”, a tactic that changed the ransomware landscape. Operators exfiltrate data before encrypting it, so victims are not only asked to pay for decryption keys but also pressured to pay to prevent the stolen data from being published on a leak site.
This model has since become standard across ransomware gangs. It makes attacks more damaging and recovery more difficult, because restoring systems from backups no longer removes the attacker’s leverage.

From GandCrab to REvil: Evolution of a Cybercrime Enterprise
The GandCrab ransomware operation first appeared in January 2018 and quickly gained traction through an affiliate model. Affiliates were offered a share of the ransom proceeds in exchange for breaching corporate networks and deploying the malware, while the core operators maintained and improved the ransomware and ran the payment infrastructure.
Over time, GandCrab released multiple versions of its ransomware, each modified to evade detection and improve effectiveness. By the end of May 2019, the operators claimed the scheme had collected over $2 billion in ransom payments and announced its shutdown.
As GandCrab wound down, the REvil ransomware gang (also tracked as Sodinokibi) emerged. Many cybersecurity experts viewed it as a direct continuation or rebranding of GandCrab. Operating under the same alias “UNKNOWN,” the group expanded its reach and began targeting larger organizations with deeper pockets.
REvil became known for “big-game hunting”—focusing on enterprises with significant revenues and cyber insurance coverage, increasing the likelihood of large payouts.
Industrialization of Ransomware Gangs
What makes the REvil ransomware gang particularly significant is how it operated more like a business than a traditional cybercriminal group.
The core developers outsourced tasks such as gaining initial access, deploying the encryptor inside victim networks, and laundering payments. Specialized actors formed an entire underground ecosystem supporting these attacks: initial access brokers selling footholds in corporate networks, affiliates carrying out the intrusions, and cryptocurrency laundering services cashing out the proceeds.
This structure allowed ransomware gangs to scale operations quickly, reinvest profits, and continuously improve their tools. As a result, attacks became more targeted, more sophisticated, and more difficult to stop.
High-Profile Attacks and Law Enforcement Response
One of the most notable incidents linked to the REvil ransomware gang was the July 2021 attack on Kaseya, in which REvil affiliates exploited flaws in Kaseya’s VSA remote-management software to push ransomware through managed service providers to an estimated 1,500 downstream businesses worldwide. The scale of the breach demonstrated how a single compromised software supply chain could disrupt entire industries at once.
However, the same attack also marked the beginning of REvil’s decline. The FBI later acknowledged that it had obtained the gang’s decryption key by gaining access to its infrastructure, but withheld the key for several weeks so as not to tip off the group ahead of a planned operation against it.
Subsequent actions, including the public release of a free decryptor for REvil victims, weakened the group’s operations significantly.
Following the Money and Identity Trail
Shchukin’s name had previously surfaced in a 2023 U.S. Department of Justice filing related to cryptocurrency seizures tied to REvil activities. Authorities linked him to digital wallets holding over $317,000 in illicit funds.
Despite the identification, German authorities believe Shchukin remains in Russia, beyond immediate reach. “Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA noted.
What This Means for the Ransomware Landscape
The exposure of a suspected leader behind the REvil ransomware gang is a rare win for law enforcement in a space where attribution is often difficult.
But the broader issue remains. The structure pioneered by GandCrab ransomware and refined by REvil continues to influence modern ransomware gangs. The tools, tactics, and business models are still widely used.
Even as individual operators are identified, the ecosystem they helped build continues to operate.
The takeaway is clear: ransomware is no longer just a technical threat—it is an organized, evolving industry.