In a significant blow to the infrastructure of global cybercrime, German authorities have unmasked the individuals behind two of the most prolific ransomware operations in history. The Federal Criminal Police Office, known as the BKA (Bundeskriminalamt), has identified two Russian nationals as the leaders of the GandCrab and REvil ransomware campaigns, ending years of anonymity for the figures who orchestrated thousands of attacks worldwide.
The investigation traces a handover of people and tactics from one operation to the next. According to the BKA, 31-year-old Daniil Maksimovich Shchukin and 43-year-old Anatoly Sergeevitsch Kravchuk headed these groups from at least the beginning of 2019 until July 2021. Theirs was not a scattershot operation against home users; it was a calculated business that went after high-value corporate entities and government institutions, causing systemic financial and operational disruption.
For years, the masterminds of these operations hid behind aliases. Shchukin, a resident of Krasnodarskiy, Russia, was known on cybercrime forums by the monikers UNKN and UNKNOWN. He acted as the public face and representative of the ransomware groups, advertising their services to affiliates and managing the logistics of extortion. Kravchuk, a Russian national born in the Ukrainian city of Makiivka, is alleged to have served as the primary developer of REvil, supplying the malware used to encrypt thousands of servers.
The identification of these individuals marks a critical milestone in the effort to dismantle Ransomware-as-a-Service (RaaS) networks. By linking real-world identities to online aliases, law enforcement has moved from attributing these attacks to faceless groups to prosecuting them as crimes committed by specific, identifiable actors.
The Evolution from GandCrab to REvil
The trajectory of these two groups illustrates the professionalization of cybercrime. GandCrab first emerged in early 2018 and quickly became a dominant force in the ransomware landscape. Its operators famously announced their retirement in June 2019, claiming the operation had collected more than $2 billion in ransom payments and that they themselves had pocketed around $150 million, which they said they would invest in legal businesses, according to reports on the BKA disclosure.
Following that retirement, REvil, also known as Sodinokibi, Water Mare, and Gold Southfield, emerged. REvil was less a separate entity than an evolution: it was formed by former GandCrab affiliates and operators who carried over the tactics they had already mastered. The transition allowed the group to refine the affiliate model, in which the developers of the ransomware supply the software to “affiliates” who carry out the actual intrusions in exchange for a percentage of each ransom payment.
REvil escalated the pressure on its victims by introducing a public leak site and auctioning stolen data. Under this “double extortion” tactic, victims were paying not only for a decryptor but also to stop their sensitive corporate data from being sold to the highest bidder on the dark web. Because the threat no longer depended on the victim lacking usable backups, the shift significantly increased the leverage behind each extortion attempt.
The Scale of Damage and Global Impact
While REvil’s reach was global, the BKA’s investigation focused heavily on the devastation wrought within Germany. The authorities suspect Shchukin and Kravchuk of carrying out at least 130 ransomware attacks specifically targeting German companies. The financial toll was staggering: the total financial damage caused by these incidents is estimated to exceed €35.4 million (approximately $40.8 million) as detailed by the BKA.
Of those 130 cases, at least 25 victims gave in and paid ransoms totaling €1.9 million ($2.19 million). These figures highlight a grim reality for many businesses: most victims did not pay, but for those that did, the cost and duration of recovery, combined with the threat of a data leak, outweighed the price of the ransom.
Beyond Germany, the REvil operation was responsible for some of the most high-profile cyberattacks of the last five years. Notable victims included the computer giant Acer and multiple local governments in Texas. Perhaps most damaging was the Kaseya supply-chain attack, which exploited a vulnerability in Kaseya’s VSA remote management software to hit approximately 1,500 downstream victims in a single stroke, per BKA findings. The group also targeted major global entities such as JBS, the world’s largest meat processing company.
Understanding the RaaS Business Model
To understand how Shchukin and Kravchuk managed such a vast operation, one must understand the Ransomware-as-a-Service (RaaS) model. Unlike a self-contained crew that handles everything from initial access to extortion, RaaS functions like a software franchise.

- The Operators (The “Bosses”): Individuals like Shchukin and Kravchuk develop the ransomware code, maintain the payment infrastructure, and manage the leak sites.
- The Affiliates (The “Workers”): These are independent cybercriminals who buy or rent access to the ransomware. They do the “dirty work” of breaking into a company’s network, deploying the malware, and negotiating with the victim.
- The Revenue Split: When a victim pays, the affiliate takes a large cut (often 70-80%), and the operators take a smaller percentage as a “platform fee.”
This model allowed REvil to scale at alarming speed. By outsourcing the intrusions to a global network of affiliates, the core leaders kept their distance from the hands-on evidence of individual attacks while taking a cut of every successful extortion.
Key Takeaways from the BKA Investigation
| Metric | Detail reported by the BKA |
|---|---|
| Identified Leaders | Daniil Maksimovich Shchukin & Anatoly Sergeevitsch Kravchuk |
| Number of German Attacks | 130 cases |
| Total Financial Damage | >€35.4 million ($40.8 million) |
| Total Ransoms Paid | €1.9 million ($2.19 million) from 25 victims |
| Active Period | Early 2019 to July 2021 |
The Aftermath and the Path Forward
The REvil group went dark in mid-July 2021, only to resurface a few months later, a pattern of strategic retreat to evade law enforcement. The BKA’s attribution of the operation to Shchukin and Kravchuk, however, removes the shield of anonymity these actors relied on for years. Shchukin, who also used the aliases Oneiilk2, Oneillk2, and Oneillk22, is now listed as a wanted person by law enforcement.
For the global business community, this case serves as a stark reminder of the persistence of RaaS threats. The transition from GandCrab to REvil shows that when one operation is disrupted, the knowledge and infrastructure are often absorbed into a new, more dangerous entity. The use of supply-chain attacks, as seen with Kaseya, demonstrates that no single company’s security is sufficient if their vendors are compromised.
As German authorities continue their pursuit of Shchukin and Kravchuk, the focus for organizations remains on resilience. Security experts recommend a “zero trust” architecture, robust offline backups, and a comprehensive incident response plan to limit the impact of ransomware. Paying the ransom guarantees neither that data will be recovered nor that the attackers will not return, and against double extortion it cannot undo the theft of the data.
The identification of these leaders is not the end of the story, but the beginning of a legal pursuit. Both individuals remain on the wanted list, and the BKA continues to coordinate with international partners to bring them to justice.
We will continue to monitor this story for updates on potential arrests or further disclosures from the BKA. Do you have experience with ransomware recovery or thoughts on the RaaS model? Share your insights in the comments below.