Breach Roundup: German Police Expose REvil, GandCrab Boss


Also, Medusa Ransomware, Grafana Flaw, German Political Party Breach

Image: Shutterstock/ISMG

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, German authorities unmasked the alleged REvil and GandCrab ringleader, a critical Docker flaw exposed systems to root access and Chinese hackers deployed Medusa ransomware. North Korean hackers abused GitHub for covert command-and-control, a Grafana AI flaw enabled silent data exfiltration and U.S. scam losses hit a record $20 billion. CISA flagged an actively exploited Ivanti bug, a cyberattack disrupted Northern Ireland’s school network and a German political party faced a ransomware breach.


German Police Identify Alleged REvil, GandCrab Leader ‘UNKN’

German federal police publicly identified the alleged leader of the REvil and GandCrab ransomware operations, tying a real-world identity to a long-elusive cybercrime kingpin still believed to be at large.

The Federal Criminal Police Office – known by its German acronym BKA – named 31-year-old Russian national Daniil Maksimovich Shchukin, alias “UNKN” or “UNKNOWN,” as the mastermind behind both groups. Authorities say he led operations from at least 2019 through mid-2021, overseeing a campaign that extorted “several hundred million euros of ransom payments” globally.

German investigators also identified an alleged associate as Anatoly Sergeevitsch Kravchuk, 43, a Ukraine-born Russian citizen believed to have served as a developer for the group, building and maintaining its darkweb infrastructure and malware.

GandCrab and its successor, REvil, were among the first groups to scale ransomware into a franchise model, recruiting affiliates to conduct intrusions while operators maintained malware and extortion infrastructure. The groups also routinely used double extortion tactics – stealing data and threatening to leak it in addition to encrypting systems – pressuring victims to pay.

German officials linked Shchukin and Kravchuk to at least 130 ransomware incidents in Germany alone. In 25 confirmed cases, victims paid roughly 1.9 million euros – $2.21 million – with total damages exceeding 35 million euros – $40.8 million.

In a separate U.S. court filing, federal prosecutors sought forfeiture of cryptocurrency wallets tied to Shchukin – valued at about $317,000 at the time of seizure in December 2022. REvil, also known as Sodinokibi, in its active years, generated more than $200 million in ransom payments worldwide, according to cybersecurity company BlackFog.

At their peak, the operations generated massive profits. Researchers say GandCrab affiliates generated more than $2 billion in ransom revenue before shutting down in 2019, with REvil emerging soon after as its successor and targeting large enterprises globally.

The groups were behind several high-impact campaigns. REvil’s July 2021 supply-chain attack targeting Kaseya’s VSA software disrupted up to 1,500 downstream businesses worldwide and forced temporary shutdowns. The operators demanded a $70 million ransom for a universal decryptor (see: Kaseya Attack: REvil Offers $70 Million ‘Universal Decryptor’).

Docker Flaw Lets Attackers Bypass Auth Controls, Gain Root Access

A high severity flaw in Docker’s core security controls could allow attackers to bypass safeguards and gain root-level access to host systems, research from Cyera found.

The issue, tracked as CVE-2026-34040, builds on a previously disclosed regression flaw in Docker Engine, CVE-2024-41110.

The vulnerability stems from a logic error tied to how Docker validates request sizes, effectively breaking a key authorization layer designed to enforce security policies. Researchers said the issue impacts Docker environments using authorization – AuthZ – plugins, widely deployed in enterprises to restrict high-risk container actions.

By exploiting a size-check weakness, an attacker can craft requests that evade these controls, enabling unauthorized operations such as launching privileged containers or accessing sensitive host resources.

The vulnerability effectively neutralizes what researchers describe as Docker’s “last line of defense” in enforcing runtime security policies. The flaw affects a large portion of enterprise environments, with Cyera estimating exposure across the majority of deployments.

The underlying bug has existed for years, impacting Docker versions dating back nearly a decade.

Storm-1175 Targets Exposed Systems in Medusa Push

A financially motivated Chinese hacking group tracked as Storm-1175 is accelerating high-tempo Medusa ransomware attacks by rapidly exploiting vulnerable internet-facing systems, often within hours of new flaws being disclosed and sometimes within 24 hours, Microsoft said in a Monday blog post.

The threat group targets exposed perimeter assets, scanning to identify unpatched systems and chaining multiple vulnerabilities to gain initial access.

Microsoft said Storm-1175 exploited more than 16 vulnerabilities across widely used enterprise technologies, including Microsoft Exchange, Ivanti Connect Secure and BeyondTrust Remote Support.

The group establishes persistence through web shells and newly created user accounts, often adding accounts to privileged groups. Attackers deploy remote management and monitoring tools and legitimate administrative utilities to move laterally across environments.

Credential theft is a key step. Operators dump credentials from lsass.exe process memory, access password stores and reuse valid accounts to escalate privileges and expand access. They also use tools such as PowerShell and command-line utilities to execute commands and maintain control.

Before deploying ransomware, Storm-1175 conducts data exfiltration, targeting sensitive files for double extortion operations. The group disables security controls, tampers with endpoint detection tools and deletes backups or shadow copies to hinder recovery.

The group’s recent campaigns targeted organizations in healthcare, education, professional services and finance across the United States, United Kingdom and Australia.

DPRK Hackers Target South Korea Organizations Using GitHub C2

North Korea-linked threat actors are using GitHub as covert command-and-control infrastructure in a phishing campaign built around malicious Windows shortcut files.

Fortinet researchers said the activity targets organizations in South Korea, with attackers distributing .lnk files disguised as legitimate documents. When opened, the files execute hidden PowerShell commands while displaying decoy content to the victim.

The .lnk files contain embedded, encoded payloads and logic to decode and run them in memory. An initial PowerShell script performs basic anti-analysis checks, deploys additional scripts, establishes persistence via scheduled tasks and gathers system information such as operating system details and running processes.

Exfiltrated data is sent to attacker-controlled GitHub repositories using hardcoded access tokens. Malware uses the same platform to fetch follow-on payloads and commands. Researchers observed multiple repositories and accounts used to maintain operational resilience.

The campaign relies heavily on living-off-the-land techniques, using legitimate tools such as PowerShell and VBScript instead of traditional malware binaries, helping reduce detection. The use of GitHub further complicates defense because enterprise environments often allow outbound traffic to the platform.
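One way a defender can separate this chain from ordinary GitHub traffic is to correlate the shortcut-launched PowerShell process with its later egress, rather than alerting on GitHub connections alone. The following is an added example, not code from Fortinet, AhnLab or the original post; the event schema, process IDs, hostnames and command lines are all constructed for illustration.

```javascript
// Added example (not Fortinet's or AhnLab's code): correlating constructed
// endpoint telemetry to surface the ".lnk -> hidden PowerShell -> GitHub"
// chain described above. The event schema and every value are assumed.
const GITHUB_HOSTS = new Set(["github.com", "api.github.com", "raw.githubusercontent.com"]);

// Constructed sample telemetry: pid 4410 models a user double-clicking a
// malicious shortcut, pid 5120 a legitimate script, pid 6001 a git client.
const EVENTS = [
  { type: "process", pid: 4410, parent: "explorer.exe", image: "powershell.exe",
    cmd: "powershell.exe -nop -w hidden -enc <base64-placeholder>" },
  { type: "process", pid: 5120, parent: "explorer.exe", image: "powershell.exe",
    cmd: "powershell.exe -File C:\\scripts\\backup.ps1" },
  { type: "process", pid: 6001, parent: "cmd.exe", image: "git.exe",
    cmd: "git fetch origin" },
  { type: "network", pid: 4410, dest: "api.github.com", port: 443 },
  { type: "network", pid: 5120, dest: "files.example.internal", port: 445 },
  { type: "network", pid: 6001, dest: "github.com", port: 443 },
];

// PowerShell accepts any unambiguous prefix of a parameter name, so match
// "-w hidden" through "-windowstyle hidden" and "-e"/"-enc"/"-encodedcommand".
const HIDDEN_WINDOW = /-w[a-z]*\s+hidden\b/i;
const ENCODED_CMD = /-e(?:c|nc[a-z]*)?\s+\S+/i;

// A shortcut opened from the desktop or Explorer yields a PowerShell process
// whose parent is explorer.exe; the hidden-window and encoded-command flags
// are what keep the script invisible behind the decoy document.
function isSuspiciousLaunch(ev) {
  return ev.type === "process"
    && ev.image.toLowerCase() === "powershell.exe"
    && ev.parent.toLowerCase() === "explorer.exe"
    && (HIDDEN_WINDOW.test(ev.cmd) || ENCODED_CMD.test(ev.cmd));
}

// GitHub egress by itself is normal in most enterprises; only flag it when it
// originates from a process that already matched the suspicious launch pattern.
function findSuspiciousChains(events) {
  const flagged = new Set(events.filter(isSuspiciousLaunch).map(ev => ev.pid));
  const hits = [];
  for (const ev of events) {
    if (ev.type === "network" && flagged.has(ev.pid) && GITHUB_HOSTS.has(ev.dest)) {
      hits.push({ pid: ev.pid, dest: ev.dest });
    }
  }
  return hits;
}

console.log(findSuspiciousChains(EVENTS));
```

The same correlation applies to the Dropbox variant by swapping the host set; the launch heuristic is the stable part of the signal.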

AhnLab researchers found a parallel campaign using similar .lnk-based delivery but leveraging Dropbox instead of GitHub for command and control.

The findings reflect a broader pattern of DPRK-linked campaigns using .lnk files and trusted cloud platforms to evade detection, researchers said.

Grafana Flaw Enables Silent Data Exfiltration Via AI Prompt Injection

A newly disclosed vulnerability in open-source platform Grafana could allow attackers to siphon sensitive enterprise data – including financial metrics, infrastructure telemetry and private customer records – through the platform’s artificial intelligence capabilities, finds research from Noma Security.

The issue, dubbed “GrafanaGhost,” stems from how Grafana processes external inputs within its AI-assisted features. Attackers can craft malicious prompts embedded in fake but plausible Grafana URL paths that the platform’s entry log handling picks up and passes to the AI for processing.

The exploit chains two distinct bypasses. The first exploits a flaw in Grafana’s client-side URL validation logic: a specially formatted URL passes the platform’s security check as though it were a safe internal link, while the browser treats it as a request to an external server. The second defeats the AI model’s own guardrails: researchers found that embedding the keyword “INTENT” in the injected prompt caused the model to treat the malicious instruction as legitimate system behavior, bypassing its built-in refusals.

Once both bypasses are chained, Grafana’s AI component attempts to render a seemingly valid external image. That outbound request carries the victim’s sensitive internal data as a URL parameter, delivering it silently to an attacker-controlled server.

Noma said the attack operates entirely in the background, making detection difficult. “Data exfiltration occurs entirely in the background,” the researchers said, adding that the attack is indistinguishable from normal system activity.
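The first bypass belongs to a well-known class of bug: a link check that reasons about the string while the browser reasons about the resolved URL. The block below is an added illustration of that class and its fix, not Grafana's code or Noma's research artifact; the origin, the naive check and the sample links are assumed.

```javascript
// Added illustration of the client-side URL-validation bypass class described
// above. NOT Grafana's code: naiveIsInternal is a hypothetical stand-in.
const ORIGIN = "https://grafana.example.internal"; // assumed dashboard origin

// Weak check: treats anything that starts with a single "/" as an internal link.
function naiveIsInternal(href) {
  return href.startsWith("/") && !href.startsWith("//");
}

// Where the browser actually sends the request. WHATWG URL parsing, used by
// browsers and by Node's URL class, also maps "\" to "/" for http(s) URLs.
function resolvedHost(href) {
  try {
    return new URL(href, ORIGIN).host;
  } catch {
    return null; // unparsable input resolves nowhere
  }
}

// Hardened check: resolve the link exactly as the browser would and compare
// the resulting origin, so string tricks cannot disagree with the browser.
function resolvedIsInternal(href) {
  try {
    return new URL(href, ORIGIN).origin === ORIGIN;
  } catch {
    return false; // reject rather than trust what cannot be parsed
  }
}

// Constructed sample links: the second passes the naive check yet leaves the
// origin once the browser resolves it, which is the shape of bypass the page
// describes; any image src it carries would ship its query string off-host.
const SAMPLE_LINKS = [
  "/dashboards/db/prod",
  "/\\attacker.example/collect?d=placeholder",
  "//attacker.example/collect",
  "https://attacker.example/i.png?d=placeholder",
];

for (const link of SAMPLE_LINKS) {
  console.log(link, "naive:", naiveIsInternal(link),
              "resolved:", resolvedIsInternal(link), "host:", resolvedHost(link));
}
```

Applying the resolved-origin check to every URL the AI component is allowed to render, including image sources, closes the exfiltration channel regardless of how the prompt was crafted.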

Crypto, AI Scams Cost Americans $20B in 2025

Cyber-enabled scams, fueled by cryptocurrency and AI, cost Americans nearly $21 billion in 2025, marking the highest losses on record, according to the FBI’s latest Internet Crime Complaint Center report.

The IC3 logged more than one million complaints during the year, reflecting the scale and industrialization of online fraud. Investment scams accounted for roughly half of all losses, with fraudsters typically steering victims toward cryptocurrency transactions that are harder to trace and recover. Business email compromise, tech support scams and extortion schemes also continue to generate significant losses.

Crypto-related fraud generated more than $11 billion in losses across more than 180,000 complaints. The bureau highlighted AI as compounding the threat. AI-specific complaints totaled 22,364, with losses of $893 million. Attackers are using generative tools to scale phishing, impersonation and social engineering campaigns.

The impact is disproportionately severe among older victims. Americans aged 60 and above reported $7.7 billion in losses, a sharp year-on-year increase.

CISA Flags Actively Exploited Critical Ivanti EPMM Bug

Attackers are actively exploiting a critical Ivanti Endpoint Manager Mobile vulnerability and scanning the internet for exposed systems, prompting the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its Known Exploited Vulnerabilities catalog.

The vulnerability, tracked as CVE-2026-1340, is a code injection bug that enables unauthenticated remote code execution on internet-facing EPMM instances, giving attackers a straightforward path to compromise enterprise environments. Exploiting the bug requires no authentication or user interaction.

Ivanti had earlier warned the vulnerability was exploited as a zero-day in limited attacks prior to disclosure (see: Ivanti Zero-Days Likely Deployed in EU and Dutch Hacks).

Cyberattack Hits Northern Ireland School Network

A cyberattack disrupted a critical IT system used by schools across Northern Ireland, locking hundreds of thousands of students and teachers out of learning platforms during the exam preparation period.

The Education Authority of Northern Ireland said the incident targeted the centralized “C2K” network, which provides access to coursework, communication tools and online learning systems. The platform is managed by IT services provider Capita on behalf of the Education Authority.

Parts of the network were taken offline and all users were required to reset their passwords before regaining access.

The disruption coincided with the Easter break, a critical period for students preparing for General Certificate of Secondary Education and A-level exams. Thousands of pupils were unable to access study materials, with some schools reopening to help them regain access to accounts. The Education Authority said it is unclear whether any personal data was compromised but noted no evidence of data theft.

Qilin Ransomware Group Claims Die Linke Breach

Hackers threatened to leak sensitive data stolen from Germany’s democratic socialist political party Die Linke following a ransomware attack, the party said.

The Qilin ransomware group claimed to have exfiltrated internal data and is using the threat of publication to pressure the organization. Die Linke said the attackers are seeking to release sensitive data from the internal areas of the party organization as well as staff personal information.

The party said its membership database was not affected. Qilin did not publish proof of stolen data but listed the party on its leak site.

The attack adds to growing concerns about cyberthreats targeting political organizations in Germany, where previous campaigns have been linked to Russian-speaking actors. In May 2024, Germany’s Federal Ministry of the Interior publicly attributed a cyberattack on the Social Democratic Party to Unit 26165 of Russia’s Main Intelligence Directorate of the General Staff, also tracked as APT28, Fancy Bear and Forest Blizzard. Investigators found the hackers exploited a zero-day vulnerability in Microsoft Outlook. The Czech Republic confirmed it was targeted in the same campaign (see: Russian GRU Hackers Compromised German, Czech Targets).
