German Authorities Identify Leaders of REvil and GandCrab Ransomware Operations
What Happened — German Federal Police (BKA) disclosed that two Russian nationals, Daniil Maksimovich Shchukin (31) and Anatoly Sergeevich Kravchuk (43), headed the GandCrab and REvil ransomware campaigns from 2019 through mid‑2021. The duo is linked to more than 130 extortion cases in Germany, with victims paying at least $2.2 million in ransom and total damages exceeding $40 million.
Why It Matters for TPRM —
- Ransomware groups often exploit third‑party supply‑chain relationships; understanding leadership helps assess residual risk in vendor ecosystems.
- Identification of key actors can trigger law‑enforcement‑driven takedowns that may reduce threat exposure for existing contracts.
- Historical tactics (affiliate model, data‑leak sites) remain relevant to current ransomware threats targeting vendors.
Who Is Affected — Organizations across all sectors that were victims of GandCrab or REvil, notably IT services, manufacturing, local government, and technology firms (e.g., Acer, Kaseya).
Recommended Actions —
- Review any contracts with vendors that were compromised by GandCrab/REvil or that use similar affiliate‑based ransomware services.
- Validate that incident‑response and ransomware‑mitigation controls (backups, network segmentation) are in place and tested.
- Monitor threat‑intel feeds for any resurgence of the identified actors or their affiliates.
Technical Notes — Both groups operated on a ransomware‑as‑a‑service (RaaS) model, recruiting affiliates to carry out intrusions and running public data‑leak sites to pressure victims. No specific CVE was cited; the delivery vectors named were phishing, exploit kits, and compromised remote‑desktop services.
Source: BleepingComputer
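Since compromised remote‑desktop services are named above as one delivery vector, the following is an added defender‑side example (not code from the article, BKA or BleepingComputer) of the kind of check a security team can run over exported Windows Security events when validating its ransomware‑detection controls: it flags a successful RDP logon (event 4624, logon type 10) that follows a burst of failed logons (event 4625) from the same source address. The event records, the failure threshold and the time window are all constructed assumptions for the demonstration.

```python
"""Flag an RDP logon success that follows a burst of failed logons from the same source.

Added example, not from the original article. Records are constructed sample data
shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon);
the threshold (5 failures) and window (10 minutes) are assumptions to tune locally.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2021-05-01T02:00:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2021-05-01T02:00:03", 4625, 10, "administrator", "198.51.100.7"),
    ("2021-05-01T02:00:05", 4625, 10, "admin", "198.51.100.7"),
    ("2021-05-01T02:00:07", 4625, 10, "backup", "198.51.100.7"),
    ("2021-05-01T02:00:09", 4625, 10, "svc_sql", "198.51.100.7"),
    ("2021-05-01T02:00:12", 4624, 10, "svc_sql", "198.51.100.7"),   # success after 5 failures
    ("2021-05-01T08:15:00", 4625, 10, "jdoe", "10.0.0.25"),
    ("2021-05-01T08:15:20", 4624, 10, "jdoe", "10.0.0.25"),          # one mistyped password: benign
    ("2021-05-01T09:00:00", 4624, 3, "fileshare", "10.0.0.40"),      # network logon, not RDP
]


def find_rdp_bruteforce_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per RDP (logon type 10) success that was preceded by at least
    `threshold` failed logons from the same source IP within `window`."""
    failures = defaultdict(deque)  # source_ip -> timestamps of recent 4625 events
    alerts = []
    for ts_str, event_id, logon_type, account, src in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if logon_type != 10:
            continue  # only interactive remote-desktop logons are of interest here
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # expire failures that fell outside the window
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append({"source_ip": src, "account": account,
                           "time": ts_str, "failures": len(recent)})
            recent.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for a in find_rdp_bruteforce_logons(SAMPLE_EVENTS):
        print(f"ALERT {a['time']}: RDP logon for {a['account']} from "
              f"{a['source_ip']} after {a['failures']} failed attempts")
```

On the sample data only the first source address trips the rule; the single failed attempt before the `jdoe` logon stays below the threshold, and the logon‑type‑3 network logon is ignored because the check is scoped to remote‑desktop sessions. In production the same logic would be fed from a SIEM or event‑log export rather than an inline list, and the threshold should be set from the organisation's own baseline.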