German Police Unmask REvil Ransomware Leader
Shchukin is accused of extorting more than $2 million as the head of the GandCrab and REvil ransomware operations.

Aggregated from SecurityWeek
The German Federal Criminal Police (BKA) has named a Russian national as the mastermind behind the GandCrab and REvil ransomware operations.
According to a law enforcement notice, the man, Daniil Maksimovich Shchukin, 31, of Krasnodarskiy, Russia, led the two ransomware operations between early 2019 and mid-2021.
Shchukin, the BKA says, was involved in 130 extortion attempts, including 25 in which the victims paid a total of over $2 million in ransoms. The activities are estimated to have caused over $40 million in damages.
Shchukin and his co-conspirators, one of whom was identified as Russian national Anatoly Sergeevitsch Kravchuk, 43, targeted both enterprises and public institutions, the BKA says.
Operating as a ransomware-as-a-service (RaaS) operation, GandCrab emerged in early 2018 and closed shop in mid-2019, when its operators boasted about making over $150 million per year from it.
REvil (aka Sodinokibi) emerged around the same time as GandCrab was retiring and was immediately labeled as its successor. In late 2021, law enforcement seized REvil’s servers, and seven individuals associated with the two ransomware operations were arrested.
In January 2022, the Russian authorities announced the arrest of multiple individuals allegedly associated with REvil. In 2024, four members of the group were sentenced to prison.
According to BKA’s notice, Shchukin is likely residing in Russia. Also known as Oneiilk2, Oneillk2, Oneillk22, UNKN, and GandCrab, he was outed in the past as the leader of REvil.
Investigative journalist Brian Krebs points out that in 2023 Shchukin was mentioned in a DoJ complaint for the seizure of cryptocurrency illegally obtained as part of the REvil operation, as well as in a conference talk in Germany.