German police have unmasked two Russian nationals who, they claim, led the ransomware groups GandCrab and REvil and are thought to be behind the notorious Kaseya supply chain attack. The BKA has even released close-up images of the pair to track them down.
In a rare public appeal, Germany’s Federal Criminal Police Office (BKA) has identified the duo.
Daniil Maksimovich Shchukin, a blond-haired, blue-eyed 31-year-old, is accused of operating under the alias “UNKN” (or UNKNOWN). The second suspect, 43-year-old Antoly Sergeevitsch Kravchuk, has brown hair and brown eyes and bears a highly distinctive tattoo.
Kravchuk is believed to have played a key technical and leadership role in the same criminal enterprise.
According to the BKA and prosecutors in Baden-Württemberg, the pair led ransomware campaigns between early 2019 and at least July 2021, and were responsible for attacks that hit at least 130 organizations across Germany alone, with at least 25 victims paying roughly €1.9 million in ransom and total damages exceeding €35 million.
Their activities were also tied to high-profile global attacks on the IT brand Acer, multiple local governments in Texas, and the Kaseya supply chain ransomware attack, which disrupted over 1,500 companies worldwide in 2021.
Public advisories and reporting on the investigation, including coverage by Krebs on Security, identified Shchukin as the figure behind the “UNKN” alias. His role is described as the public-facing figure for the ransomware groups.
Leaders in double extortion
Their operations followed a double-extortion framework that would serve as a model for how many ransomware attacks are now carried out: break in, steal data, encrypt systems, and then demand payment for both decryption and to prevent the public release of stolen information.
GandCrab, a ransomware-as-a-service operation that emerged in early 2018, allowed affiliate hackers to deploy the malware in exchange for a share of the profits.

This model proved lucrative for ransomware operators, and GandCrab’s operators claimed to have generated up to $2 billion in ransom demands before abruptly “retiring.”
“We are leaving for a well-deserved retirement,” they wrote in a farewell post at the time. “We have proven that by doing evil deeds, retribution does not come.”
The operators added that they personally cashed out around $150 million – funds they claimed were reinvested into legitimate “white” businesses, though no details were ever provided, and the claim has not been independently verified.
However, the operators did not remain retired for long, as a new operation called REvil (also known as Sodinokibi) emerged, widely believed by researchers to be a continuation or rebranding of GandCrab.
REvil takedown followed Kaseya attack
Built on the same model, REvil was more brazen and aggressive, introducing leak sites and data auctions, which became another popular tool for criminal hackers to increase pressure on victims.

Following the Kaseya attack, law enforcement agencies were able to infiltrate parts of REvil’s infrastructure, and by early 2022, Russian authorities made a rare public arrest of several alleged affiliates, though key figures behind the operation were not publicly accounted for.
German authorities believe that both suspects remain in Russia, and now investigators are turning to the public. The BKA has released photos – including close-ups of identifying features such as tattoos – in the hope that someone, somewhere, recognizes them and can provide information on their location.