Russian leaders of GandCrab and REvil reveal the dark side of global ransomware


The Federal Criminal Investigation Office of Germany (BKA) has identified two Russian citizens as the alleged leaders behind some of the most prominent ransomware operations between 2019 and 2021. According to the wanted notices published by the agency itself, they are Daniil Maksimovich Shchukin, 31 years old, and Anatoly Sergeevitsch Kravchuk, 43. The BKA investigation places them at the head of the GandCrab and REvil malware families from at least early 2019 to July 2021.

The background of these groups helps to explain why international attention focused on them. GandCrab emerged in 2018 and, after months of extortion under an affiliate-based operating model, its alleged leader announced a "retirement" in 2019. That closure was not innocuous: in its farewell the group boasted of millions in profits, and shortly afterwards REvil (also known as Sodinokibi) emerged, formed by former affiliates and operators who inherited its tactics and commercial structures.


The business model of these groups was simple and effective: recruit members, offer them an infrastructure and charge a commission on each ransom. Over time, REvil expanded its tactics for pressuring victims: in addition to encrypting systems, it published data on leak sites and organized auctions of stolen information, a practice designed to force payment even when the encryption could be reversed.

The consequences in Germany, according to the BKA, were particularly serious: investigators attribute to Shchukin and Kravchuk participation in at least 130 cases of extortion directed at local companies. Of these, at least 25 victims made payments amounting to about $2.2 million, while the total damage from their campaigns is estimated at over $40 million. The global scale of REvil, however, is better appreciated by recalling international incidents such as the attacks on local governments in Texas, the intrusion against Acer and, above all, the massive incident against the Kaseya VSA management platform, which produced a domino effect across about 1,500 client organizations.

The sequence from GandCrab to REvil also shows how a cybercriminal organization can evolve: GandCrab closed its chapter with the promise of retirement after a supposed multimillion haul, and REvil drew on the experience of its affiliates to professionalize the criminal offering and become one of the most lucrative and visible operations of the decade. To put the gravity of the campaign against Kaseya and its impact on the supply chain in context, there are technical reports and advisories from agencies such as CISA, while the journalistic detail of the groups' movements and statements has been followed in specialized media such as BleepingComputer.

After REvil's most intense period of activity in 2021 and the impact of operations such as Kaseya, law enforcement agencies began to disrupt its infrastructure. At several points there were server takedowns and actions coordinated among different countries, and in January 2022 there were arrests in Russia that affected several suspects linked to the network; however, there are reports indicating subsequent releases after the suspects served sentences for other crimes, such as carding.


The BKA points out that both men are probably currently in Russian territory and has asked for public assistance in gathering clues about their whereabouts. To this end, the German police have released photographs and identifying details, including tattoos, with the intention of facilitating their location. In addition, entries have been created on European most-wanted portals, for example the EU Most Wanted site, to increase the international visibility of the search.

Beyond the pursuit of specific individuals, this case brings back to the fore two uncomfortable realities: the professionalization of cybercrime and the difficulty of holding its perpetrators legally accountable when they operate from countries that, for different reasons, do not fully cooperate with international investigations. While police agencies exchange data and call for the collaboration of citizens, companies and public administrations continue to face the need to invest in preventive measures and response plans that reduce their reliance on paying ransoms.

The lesson is two-fold: on the one hand, prosecution and international cooperation can identify alleged perpetrators and disrupt their operations; on the other, the very architecture of cybercrime - affiliates, service markets and the exit of funds through opaque channels - means the risk persists even when specific leaders are exposed. For those who manage security in organizations, the message is clear: strengthening backups, segmenting networks and preparing contingency plans is no longer merely good practice but has become the first line of defence against increasingly sophisticated operations.
