The BKA identifies Daniil Shchukin and Anatoly Kravchuk, heads of GandCrab and REvil

Published · 5 min read

German investigators have put names and faces to two men said to be at the forefront of two of the most disruptive ransomware campaigns of recent years. According to Germany's Federal Criminal Police Office (BKA), the alleged leaders are Daniil Maksimovich Shchukin, 31, and Anatoly Sergeevitsch Kravchuk, 43. The agency claims that both led, between early 2019 and at least July 2021, the operations behind the names GandCrab and REvil, two ransomware families that defined an era through their reach and their criminal business model.

The gravity of the case is measured both by the number of attacks and by the economic damage. The BKA attributes to these individuals participation in at least 130 extortion attacks directed at companies within Germany; at least 25 victims are believed to have paid them ransoms totalling about $2.2 million, while the overall economic damage caused by their actions is estimated at over $40 million, according to the figures released by the authorities.

Image generated with AI.

To understand why these groups were so effective it helps to go back to their origins. GandCrab appeared in early 2018 and, after little more than a year of activity, its main operator announced its retirement in 2019, claiming to have earned huge revenues along the way. GandCrab's strategy, and the lesson it left for online organized crime, was to refine the affiliate model: a central developer who provides the code and infrastructure, and a network of affiliates who break into networks and carry out the attacks. On that foundation REvil (also known as Sodinokibi) was born, largely made up of former GandCrab affiliates who brought their tactics and contacts with them.

REvil escalated the extortion by adding public pressure tactics that ended up making it a global threat. In addition to encrypting files, the group ran public leak sites where it published stolen data and even auctioned sensitive information to force victims to pay. Among its targets were local governments in Texas, large corporations such as Acer, and a supply chain attack on Kaseya that affected around 1,500 organizations that were customers of intermediary service providers, an incident that exposed the fragility of highly interconnected business ecosystems. The consequences of this wave of attacks were reflected in multiple security advisories and analyses, including those published by agencies such as CISA and by specialist cybersecurity outlets (the joint advisory on Sodinokibi/REvil and the detailed coverage of the Kaseya incident in Krebs on Security).

REvil's notoriety led to a forced pause after the major Kaseya attack: operations stopped and, during that period, various police forces gained access to the group's infrastructure and monitored its activity. Since then, investigations and arrests have taken place in several countries, including a round of arrests in Russia and coordinated action by international authorities. This police pressure showed that the criminal network had weak points, but it also highlighted the limits of international judicial cooperation when the alleged perpetrators reside in jurisdictions that are hard to reach from abroad (international coordinated operations and journalistic follow-up on the raids).

In its statement, the BKA says both suspects are believed to be in Russia and appeals to the public for help in locating them. To aid identification it has published photographs and physical details, including tattoos, and has created entries on the European portal for wanted persons (EU Most Wanted). Publishing this kind of data serves a dual purpose: to find witnesses and, at the same time, to reduce the impunity of groups that have turned cybercrime into an internationalized business.

Beyond the hunt for specific individuals, the history of GandCrab and REvil leaves useful lessons for companies and security leaders. First, the affiliate model drives rapid proliferation of techniques: when tools and contacts circulate in underground forums, new actors emerge easily. Second, the combination of encryption and public coercion (leaking or auctioning data) increases the psychological pressure on victims and raises the probability of payment. Third, supply chains remain a critical vector: an attack on a single supplier can reach thousands of potential victims within hours.

Image generated with AI.

Effective responses must also be systemic: sound cyber hygiene, network segmentation, verified backups, tested recovery plans and smoother collaboration between the private sector and the authorities. Security agencies and response teams publish guidance that any organization can consult to raise its level of defence; reports and advisories from bodies such as CISA, Europol or the large security firms are good starting points for updating technical policies and procedures.

For now, what exists is a mix of operational progress by law enforcement and the reality that many of the brains behind these operations remain out of reach. The BKA's investigation and its public release of identifying data aim to shrink that space of impunity, but they are also a reminder that the fight against ransomware is a long-term task that combines technical intelligence, international cooperation and, no less important, business awareness of the risks and of the measures that actually reduce the likelihood of becoming a victim.

To dig deeper into the technical and judicial background of these episodes, consult the BKA statement on the individuals via the links above, the journalistic investigations that covered the retirement of GandCrab's original leader, and the technical analyses and official advisories that documented REvil's tactics and the consequences of the Kaseya attack, such as those published by BleepingComputer and Krebs on Security and the CISA technical advisory.
