[{"data":1,"prerenderedAt":154},["ShallowReactive",2],{"article-slug-german-authorities-identify-key-suspects-in-revil-and-gandcrab-ransomware-gangs":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":43,"sources":44,"events":53,"mitre_techniques":57,"mitre_mitigations":77,"d3fend_countermeasures":110,"iocs":122,"cyber_observables":123,"tags":140,"extract_datetime":144,"article_type":145,"impact_scope":146,"pub_date":48,"reading_time_minutes":153,"createdAt":144,"updatedAt":144},"ff0351b7-b32f-4a67-95af-6e7ec3eb7d70","german-authorities-identify-key-suspects-in-revil-and-gandcrab-ransomware-gangs","Germany Unmasks Key REvil and GandCrab Ransomware Suspects","German Authorities Identify Suspects Believed to be Key Members of REvil and GandCrab Ransomware Gangs","German law enforcement has publicly identified two Russian nationals, Daniil Shchukin (alias 'UNKN') and Anatoly Kravchuk, as key figures in the notorious REvil and GandCrab ransomware operations. The pair is allegedly responsible for at least 24 attacks, extorting approximately $2.3 million and causing an estimated $40 million in damages. This public identification is part of a wider European effort to dismantle Russian cybercrime networks. 
While the REvil group was officially dismantled in 2021, many of its members remain at large, and legal proceedings in Russia against such suspects have reportedly stalled, highlighting the challenges of international cybercrime prosecution.","## Executive Summary\nGerman law enforcement officials have taken a significant step in holding cybercriminals accountable by publicly identifying two Russian nationals, **Daniil Shchukin** (also known as 'UNKN') and **Anatoly Kravchuk**, as key operatives within the infamous **[GandCrab](https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab)** and **[REvil](https://attack.mitre.org/groups/G0115/)** (Sodinokibi) ransomware syndicates. The suspects are wanted in connection with a series of attacks that extorted millions and caused tens of millions of dollars in damages. This action is part of a coordinated European initiative aimed at disrupting Russian-based cybercrime operations. Although the REvil group was officially taken down in 2021, this development underscores that efforts to pursue its members are ongoing, even as challenges remain in bringing them to justice due to their suspected location in Russia.\n\n## Threat Overview\nGandCrab and its successor, REvil, were two of the most prolific and destructive ransomware-as-a-service (RaaS) operations in history. 
They pioneered the double extortion tactic, which involves not only encrypting victim data but also exfiltrating it and threatening to leak it publicly if the ransom is not paid ([`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/) and [`T1041 - Data Exfiltration Over C2 Channel`](https://attack.mitre.org/techniques/T1041/)).\n\n-   **GandCrab:** Active from 2018 to 2019, it was one of the first highly successful RaaS operations, infecting hundreds of thousands of victims and generating massive profits for its operators and affiliates.\n-   **REvil (Sodinokibi):** Emerging shortly after GandCrab's supposed retirement, REvil was widely believed to be operated by the same core group. It became notorious for its high-profile attacks on major corporations and critical infrastructure, demanding multi-million dollar ransoms.\n\nThe identification of Shchukin and Kravchuk links specific individuals to these widespread criminal campaigns. They are accused of participating in at least 24 attacks, resulting in $2.3 million in direct extortion payments and an estimated $40 million in total damages, highlighting the significant economic impact of their activities.\n\n## Technical Analysis\nThe TTPs of GandCrab and REvil were well-documented and evolved over time. 
Common techniques included:\n\n-   **Initial Access:** They frequently gained access by exploiting vulnerabilities in public-facing applications, particularly in RDP servers and VPN appliances ([`T1190 - Exploit Public-Facing Application`](https://attack.mitre.org/techniques/T1190/)), and also through large-scale phishing campaigns ([`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/)).\n-   **Privilege Escalation:** Once inside, they used various techniques to escalate privileges to gain domain administrator rights, often using tools like **[Mimikatz](https://attack.mitre.org/software/S0002/)** to harvest credentials ([`T1003 - OS Credential Dumping`](https://attack.mitre.org/techniques/T1003/)).\n-   **Lateral Movement:** They moved across the network using tools like **[PsExec](https://attack.mitre.org/software/S0029/)** or abusing RDP to deploy the ransomware payload to as many systems as possible ([`T1021.001 - Remote Services: Remote Desktop Protocol`](https://attack.mitre.org/techniques/T1021/001/)).\n-   **Impact:** The final stage involved deploying the ransomware to encrypt files across the network, deleting backups ([`T1490 - Inhibit System Recovery`](https://attack.mitre.org/techniques/T1490/)) to increase pressure on the victim to pay.\n\n## Impact Assessment\nThe impact of these ransomware groups was global and devastating.\n\n-   **Financial Loss:** Victims suffered direct financial losses from ransom payments, business downtime, and recovery costs. 
The $40 million in damages attributed to just 24 attacks by these two suspects shows the scale of the problem.\n-   **Operational Disruption:** Attacks on hospitals, local governments, and businesses caused significant disruption to essential services.\n-   **Data Breaches:** The double extortion model meant that even if a company could recover from backups, it still faced a data breach, with sensitive corporate or customer data being leaked online.\n\nThe public identification of suspects, while largely symbolic without an arrest, serves to disrupt their operations, apply pressure, and signal a commitment from law enforcement to pursue these actors.\n\n## IOCs\nNo specific IOCs related to the 24 attacks were provided in the source articles.\n\n## Detection & Response\n**Detection Strategies:**\n1.  **Behavioral Analysis:** Deploy EDR solutions that use behavioral analysis to detect ransomware activity, such as rapid file modification/encryption, attempts to delete shadow copies (`vssadmin`), and the execution of suspicious commands. This is a core part of **[Process Analysis (D3-PA)](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)**.\n2.  **Credential Dumping Detection:** Monitor for processes accessing the LSASS memory space, a common technique used by tools like Mimikatz to steal credentials. This is a form of **[OS Credential Dumping (D3-OCD)](https://d3fend.mitre.org/technique/d3f:OSCredentialDumping)**.\n3.  **Network Monitoring:** Look for lateral movement activity, such as an unusual number of RDP or SMB connections originating from a single host. Monitor for large, anomalous outbound data transfers that could indicate data exfiltration prior to encryption.\n\n## Mitigation\n-   **Patch Management:** Aggressively patch vulnerabilities in internet-facing systems like VPNs and RDP servers. 
This is the most effective way to prevent initial access (**[M1051 - Update Software](https://attack.mitre.org/mitigations/M1051/)**).\n-   **Secure Backups:** Maintain offline, immutable, and regularly tested backups. This ensures you can recover without paying a ransom (**[M1053 - Data Backup](https://attack.mitre.org/mitigations/M1053/)**).\n-   **Network Segmentation:** Segment your network to prevent ransomware from spreading from a single compromised workstation to the entire enterprise (**[M1030 - Network Segmentation](https://attack.mitre.org/mitigations/M1030/)**).\n-   **Restrict Privileged Accounts:** Enforce the principle of least privilege. Limit the number of domain administrator accounts and use Privileged Access Management (PAM) solutions (**[M1026 - Privileged Account Management](https://attack.mitre.org/mitigations/M1026/)**).","German authorities have unmasked two key Russian suspects, Daniil Shchukin & Anatoly Kravchuk, behind the notorious REvil and GandCrab ransomware gangs. 🇷🇺 They are linked to attacks causing $40M in damages. 
#REvil #GandCrab #Cybercrime #Ransomware","German law enforcement publicly identifies two Russian nationals, Daniil Shchukin and Anatoly Kravchuk, as key suspects in the REvil and GandCrab ransomware operations, linked to $40 million in damages.",[13,14,15],"Threat Actor","Ransomware","Regulatory","medium",[18,21,23,27,31,34,37,39],{"name":19,"type":20},"Daniil Shchukin","person",{"name":22,"type":20},"Anatoly Kravchuk",{"name":24,"type":25,"url":26},"REvil","threat_actor","https://attack.mitre.org/groups/G0115/",{"name":28,"type":29,"url":30},"GandCrab","malware","https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",{"name":32,"type":25,"url":33},"Black Basta","https://malpedia.caad.fkie.fraunhofer.de/actor/black_basta",{"name":35,"type":29,"url":36},"Akira","https://malpedia.caad.fkie.fraunhofer.de/details/win.akira",{"name":38,"type":29},"Qilin",{"name":40,"type":41,"url":42},"FBI","government_agency","https://www.fbi.gov",[],[45,50],{"url":46,"title":47,"date":48,"friendly_name":49},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGrOdp9laCw2n-Cmc8j9ZHrvQ2m7SbL3hVXGln_19qgt1pcLeJ6byl3POXqR9kz1A1O5lnTLVH3OIaQF5FnIAxNGe-fQo-C-KEuVS4eJvymWtcg_pGV6H8kUJjJ3ptBcx7bqLM0c_WSb5FXCsIVY-oPtlrylJN6NK-oV_-p72lLDXnNBxc=","Cyber Security Incidents and Alerts A Snapshot of Recent Threats Scams and Breaches April 2026","2026-04-19","KCNet",{"url":51,"title":52,"date":48,"friendly_name":49},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHZDhxn8lYWJVNbH7Xxwpg2oACjn9cSoLRlutDnceWTRV-6eTjDNmyE9ZaMWA6PMDspyUaYMFNuKXDDUCak4D7_p0-nAssFj5vXzUkLSsCoc5fm8Rrdoj2iLzPAQzaJlnvQRLN-w0yiwZs9ERpMN3Mv1RnoyZ4AFqEPq06VX3K9ZkDz-vLWipI-","Cybersecurity Incidents and Alerts A Roundup of Recent Threats, Scams, and Investigations",[54],{"datetime":55,"summary":56},"2021-01-01T00:00:00Z","The REvil ransomware group was dismantled in a coordinated international operation.",[58,62,65,69,73],{"id":59,"name":60,"tactic":61},"T1486","Data Encrypted for 
Impact","Impact",{"id":63,"name":64,"tactic":61},"T1490","Inhibit System Recovery",{"id":66,"name":67,"tactic":68},"T1190","Exploit Public-Facing Application","Initial Access",{"id":70,"name":71,"tactic":72},"T1003","OS Credential Dumping","Credential Access",{"id":74,"name":75,"tactic":76},"T1021.001","Remote Services: Remote Desktop Protocol","Lateral Movement",[78,88,92,101],{"id":79,"name":80,"d3fend_techniques":81,"description":86,"domain":87},"M1051","Update Software",[82],{"id":83,"name":84,"url":85},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","Aggressively patch vulnerabilities in internet-facing systems to prevent the initial access vectors commonly used by these groups.","enterprise",{"id":89,"name":90,"description":91,"domain":87},"M1053","Data Backup","Maintain offline, immutable backups to ensure recovery capabilities without paying the ransom.",{"id":93,"name":94,"d3fend_techniques":95,"description":100,"domain":87},"M1030","Network Segmentation",[96],{"id":97,"name":98,"url":99},"D3-BDI","Broadcast Domain Isolation","https://d3fend.mitre.org/technique/d3f:BroadcastDomainIsolation","Segment networks to contain ransomware spread and protect critical assets.",{"id":102,"name":103,"d3fend_techniques":104,"description":109,"domain":87},"M1026","Privileged Account Management",[105],{"id":106,"name":107,"url":108},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","Strictly control and monitor the use of privileged accounts to prevent lateral movement and widespread encryption.",[111,113,117],{"technique_id":83,"technique_name":84,"url":85,"recommendation":112,"mitre_mitigation_id":79},"The primary initial access vector for ransomware groups like REvil and GandCrab was the exploitation of known vulnerabilities in internet-facing systems. Therefore, the most effective countermeasure is a rigorous and timely Software Update program. 
Organizations must have a comprehensive asset inventory to know what systems are exposed to the internet (e.g., VPNs, RDP gateways, web servers). A vulnerability management program must be in place to continuously scan these assets for new vulnerabilities. When a critical patch is released by a vendor, it must be treated as an emergency and deployed within hours or days, not weeks or months. Prioritize patching based on exposure and criticality. This proactive 'shields up' posture hardens the perimeter and denies attackers the low-hanging fruit they rely on to get into a network, forcing them to use more difficult and easier-to-detect methods like phishing.",{"technique_id":114,"technique_name":90,"url":115,"recommendation":116,"mitre_mitigation_id":89},"D3-DB","https://d3fend.mitre.org/technique/d3f:DataBackup","To neutralize the 'impact' portion of a ransomware attack, a robust Data Backup strategy is non-negotiable. This goes beyond simple backups. Organizations must follow the 3-2-1 rule: three copies of data, on two different media, with one copy off-site and offline or immutable. 'Immutable' is the key concept here. By using cloud storage with object lock or on-premises solutions that create write-once-read-many (WORM) backups, organizations can ensure that even if an attacker gains administrative control of the network, they cannot delete or encrypt the backup data. This is crucial because a primary TTP of REvil was to actively seek out and destroy backups. Regularly testing the restoration process is also critical to ensure the backups are viable. 
A successful backup strategy removes the attacker's primary leverage (data unavailability) and allows the organization to restore operations without paying the ransom.",{"technique_id":118,"technique_name":71,"url":119,"recommendation":120,"mitre_mitigation_id":121},"D3-OCD","https://d3fend.mitre.org/technique/d3f:OSCredentialDumping","Detecting and preventing OS Credential Dumping is key to stopping lateral movement. REvil and other groups heavily rely on tools like Mimikatz to extract credentials from memory, particularly from the LSASS process. Modern EDR solutions and Windows Defender itself have specific protections against this. Ensure that Attack Surface Reduction (ASR) rules are enabled, specifically the rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'. Additionally, monitor for any process attempting to open a handle to `lsass.exe` with `PROCESS_VM_READ` rights, as this is a strong indicator of a credential dumping attempt. Alerting on this behavior allows security teams to intervene early in the attack lifecycle, isolating the compromised host before the attacker can use the stolen credentials to move laterally and deploy ransomware across the entire network.","M1003",[],[124,130,135],{"type":125,"value":126,"description":127,"context":128,"confidence":129},"command_line_pattern","vssadmin.exe delete shadows /all /quiet","A command commonly used by ransomware like REvil and GandCrab to delete volume shadow copies and inhibit system recovery.","Command-line logging (Event ID 4688), EDR alerts.","high",{"type":131,"value":132,"description":133,"context":134,"confidence":129},"process_name","mimikatz.exe","Execution of Mimikatz or suspicious access to the LSASS process memory indicates credential dumping attempts.","EDR alerts, process monitoring.",{"type":136,"value":137,"description":138,"context":139,"confidence":129},"file_name","[random_extension]-readme.txt","Creation of ransom notes in every directory 
with encrypted files is a hallmark of ransomware activity.","File Integrity Monitoring (FIM), EDR.",[24,28,14,141,142,143],"Cybercrime","Law Enforcement","Russia","2026-04-19T15:00:00.000Z","NewsArticle",{"geographic_scope":147,"industries_affected":148},"global",[149,150,151,152],"Healthcare","Government","Manufacturing","Technology",5,1776724696448]