German authorities have identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as a key figure behind the REvil ransomware gang and its predecessor, GandCrab.
The identification marks a significant development in the investigation into REvil, known for its aggressive and financially successful operations. Shchukin’s involvement in at least 130 cyberattacks in Germany between 2019 and 2021 underscores the threat posed by organized ransomware groups.
Together with another suspect, Anatoly Sergeevitsch Kravchuk, Shchukin carried out coordinated attacks that extorted nearly €2 million while causing over €35 million in economic damage. Authorities cite Shchukin as a primary actor in the evolution of ransomware tactics, particularly the “double extortion” model, which demands payment for decryption and threatens to publish stolen data.
The GandCrab ransomware gang first emerged in 2018, utilizing an affiliate model to increase profit-sharing among hackers breaching corporate systems. By May 2019, GandCrab claimed to have earned over $2 billion before its shutdown. The REvil gang subsequently appeared, seen as a continuation of GandCrab operations, with Shchukin utilizing the alias “UNKNOWN.”
REvil was known for targeting large organizations with significant revenues and cyber insurance, engaging in what is termed “big-game hunting.” This model allowed REvil to operate more like a business, outsourcing critical tasks and reinvesting profits to enhance its malware capabilities.
The 2021 attack on Kaseya, linked to REvil, disrupted over 1,500 businesses globally. Despite the scale of the breach, the incident also contributed to the decline of REvil’s operations, as the FBI gained access to the group’s infrastructure and subsequently released a free decryption key.
Shchukin has previously been mentioned in a 2023 U.S. Department of Justice filing concerning cryptocurrency seizures linked to REvil, which included digital wallets with over $317,000 in illicit funds. Despite this identification, authorities stated Shchukin likely remains in Russia, making immediate law enforcement actions challenging.
This development represents a rare success in attributing ransomware operations and highlights the lasting influence of the organizational structure pioneered by GandCrab and adopted by REvil. Law enforcement notes that even after individual operators are identified, the operational framework persists, underscoring the industrialization and continued evolution of the ransomware landscape.