German Police Identify Two Key REvil/GandCrab Operators, Highlight Ongoing Ransomware Threat
What Happened — German federal police (BKA) publicly named Daniil Shchuki and Anatoly Kravchuk as senior figures behind the defunct REvil and GandCrab ransomware-as‑a‑service operations. The two are alleged to have orchestrated roughly two dozen attacks that generated ≈ $2.3 M in ransom payments and ≈ $40 M in economic damage.
Why It Matters for TPRM —
- Confirms that high‑profile ransomware groups continue to be run by identifiable individuals, underscoring the persistence of the RaaS model.
- Highlights the broad victim landscape (businesses, public institutions, critical services), meaning any third‑party relationship could be a target.
- Provides actionable intelligence for risk‑based vendor assessments and incident‑response planning.
Who Is Affected — Technology‑SaaS providers, financial services firms, public sector agencies, and any organization that contracts with vendors potentially exposed to REvil‑style ransomware.
Recommended Actions —
- Review all third‑party contracts for ransomware‑related clauses and insurance coverage.
- Validate that vendors maintain robust endpoint protection, regular backups, and incident‑response playbooks.
- Incorporate the identified threat actors into threat‑intel feeds and monitor for related IOCs.
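The last action above, monitoring for related IOCs, is the one that reduces to code. The block below is an added illustration written for this brief, not tooling from the article, The Record, or the BKA: it matches a small indicator feed against DNS, proxy and EDR log lines, handling the usual normalization pitfalls (case, trailing dots, subdomains of a listed domain). Every indicator and log line is constructed for the example and uses reserved documentation ranges and TLDs; the article publishes no real IOCs, so a practitioner would replace the feed with values from their own threat-intel source.

```python
"""Match a threat-intel IoC feed against log lines.

Added example for this brief; the indicators and logs below are constructed
placeholders (RFC 5737 addresses, reserved .test/.invalid names, dummy hash),
not indicators tied to REvil or GandCrab.
"""
import re

# Constructed, hypothetical feed. A real feed would come from the
# organization's threat-intel platform.
IOC_FEED = {
    "domain": {"example-c2.test", "payload-drop.invalid"},
    "ip": {"192.0.2.45", "198.51.100.7"},
    "sha256": {"a" * 64},
}

# Constructed sample log lines: DNS, proxy and EDR file-write events.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=cdn.EXAMPLE-C2.test. type=A",
    "2024-05-01T10:00:02Z proxy client=10.0.0.5 dst=198.51.100.7:443 host=update.vendor.example",
    "2024-05-01T10:00:03Z edr host=ws-0042 action=file_write sha256=" + "a" * 64
    + " path=C:\\Users\\Public\\inv.doc",
    "2024-05-01T10:00:04Z dns client=10.0.0.9 query=www.vendor.example. type=A",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostnames appear after query= (DNS) or host= (proxy/EDR) in these logs.
HOST_RE = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot DNS logs often carry."""
    return name.rstrip(".").lower()


def domain_hits(host: str, listed: set) -> list:
    """Return listed domains that equal the host or are a parent of it.

    A suffix check on ".listed" avoids false hits such as
    'example-c2.test.evil.example' matching 'example-c2.test'.
    """
    host = normalize_domain(host)
    return [d for d in listed if host == d or host.endswith("." + d)]


def match_line(line: str, feed: dict) -> list:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        for d in domain_hits(host, feed["domain"]):
            hits.append(("domain", d))
    for ip in IPV4_RE.findall(line):
        if ip in feed["ip"]:
            hits.append(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in feed["sha256"]:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines, feed: dict) -> list:
    """Scan many lines; return (line_index, indicator_type, indicator) tuples."""
    results = []
    for idx, line in enumerate(lines):
        for kind, ioc in match_line(line, feed):
            results.append((idx, kind, ioc))
    return results


if __name__ == "__main__":
    for idx, kind, ioc in scan(SAMPLE_LOGS, IOC_FEED):
        print(f"line {idx}: {kind} indicator {ioc} -> {SAMPLE_LOGS[idx]}")
```

In use, the hits would be routed to the SIEM or ticketing system rather than printed; the value of the example is the normalization and suffix matching, which are where naive string searches produce both misses (mixed case, trailing dots) and false positives (a listed name embedded inside an unrelated one).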
Technical Notes — The original GandCrab campaigns spread via phishing emails with malicious attachments; REvil later evolved to target larger enterprises, combining encryption with data exfiltration and double‑extortion tactics. No new CVEs were disclosed. Source: The Record