German Police Identify Leader of GandCrab and REvil Ransomware Gangs, Daniil Shchukin
What Happened — Germany's Federal Criminal Police Office (BKA) publicly named 31‑year‑old Russian national Daniil Maksimovich Shchukin as the individual behind the early ransomware‑as‑a‑service (RaaS) operations GandCrab and REvil. The agency linked him to at least 130 computer‑sabotage and extortion offences between 2019 and 2021, which extorted roughly €2 million and caused an estimated €35 million in total economic damage.
Why It Matters for TPRM —
- Attribution clarifies the threat landscape and helps organizations gauge the maturity of ransomware actors targeting supply‑chain partners.
- The double‑extortion model that REvil helped popularize (encrypting data and threatening to leak a stolen copy) means any third party that was compromised in the past may still face data‑leak exposure even if its systems were restored.
- Knowing the leadership enables more effective law‑enforcement collaboration and intelligence sharing for incident response.
Who Is Affected — Financial services, healthcare, manufacturing, technology, and other sectors that were targets of GandCrab/REvil campaigns; MSPs, MSSPs, and cloud providers that hosted affected customers.
Recommended Actions — Review any historic incidents involving GandCrab or REvil ransomware; verify that legacy ransomware artifacts (persistence mechanisms, affiliate tooling, leftover accounts) have been fully remediated; update incident‑response playbooks to cover double‑extortion scenarios, including data‑leak disclosure obligations; screen cryptocurrency counterparties against wallet addresses publicly attributed to the groups and their affiliates; strengthen crypto‑transaction monitoring and reporting.
Technical Notes — The groups employed a “double‑extortion” tactic: data was exfiltrated before encryption, so victims were pressured to pay both for a decryption key and to prevent public release of the stolen data. Both gangs ran affiliate programs (the RaaS model, in which operators supply the malware and infrastructure and affiliates carry out intrusions for a share of the ransom), released multiple code revisions to evade detection, and moved proceeds through cryptocurrency wallets to launder them (one wallet tied to Shchukin held more than €317 k). Source: Krebs on Security