Identification of key leadership behind GandCrab and REvil ransomware operations by German authorities
Summary
German Federal Police (BKA) announced the identification of two Russian nationals, Daniil Maksimovich Shchukin (31) and Anatoly Sergeevitsch Kravchuk (43), as the leaders of the GandCrab and REvil ransomware operations spanning from at least early 2019 to July 2021. The two, with Shchukin operating under the aliases UNKN/UNKNOWN on cybercrime forums, are linked to at least 130 extortion cases targeting German companies, including 25 victims who paid $2.2 million in ransoms, while total financial damage exceeded $40 million. Authorities believe both individuals are now in Russia and have requested public assistance in locating them, including through entries on the EU’s Most Wanted portal. BKA has released images of the suspects to aid tracking efforts.

The operations under Shchukin and Kravchuk followed the model of GandCrab, which launched in early 2018 and reportedly earned $2 billion in ransom payments before its leader retired in June 2019. REvil, emerging afterward, adopted GandCrab’s affiliate structure, public leak sites, and data auctions, targeting high-profile victims such as Texas local governments and Acer, and carrying out the Kaseya supply-chain compromise that affected approximately 1,500 downstream victims. Following the Kaseya attack, REvil took a two-month operational break during which law enforcement infiltrated its infrastructure, leading to disruptions. In January 2022, Russian authorities arrested over a dozen REvil members, who were released in 2025 after serving time on carding-related charges.
Timeline
- 07.04.2026 02:54 · 2 articles
  Identification of GandCrab and REvil leadership by German authorities
  German Federal Police (BKA) publicly identified Russian nationals Daniil Maksimovich Shchukin (31) and Anatoly Sergeevitsch Kravchuk (43) as the leaders of GandCrab and REvil ransomware operations active between at least early 2019 and July 2021. The announcement follows investigations into at least 130 extortion cases targeting German companies, with evidence of 25 ransom payments totaling $2.2 million and estimated financial damage exceeding $40 million. Authorities believe both individuals are now in Russia and have requested public assistance, including entries on the EU’s Most Wanted portal. BKA also released images, including tattoo photos of Shchukin and Kravchuk, to aid in tracking efforts.
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
Information Snippets
- Daniil Maksimovich Shchukin (31 years old) and Anatoly Sergeevitsch Kravchuk (43 years old) identified as leaders of GandCrab and REvil operations spanning from at least early 2019 to July 2021.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- Shchukin, operating under aliases UNKN/UNKNOWN, served as a visible representative of the ransomware groups on cybercrime forums.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- At least 130 extortion cases linked to Shchukin and Kravchuk targeted companies in Germany, with 25 victims paying $2.2 million in ransom demands.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- Total financial damage attributed to the operations is estimated to exceed $40 million.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- GandCrab, launched in early 2018, claimed earnings of $2 billion in ransom payments before its leader retired in June 2019, reportedly retaining $150 million invested in legal businesses.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- REvil emerged following GandCrab’s model, adopting affiliate structures, public leak sites, and data auctions to pressure victims. Notable incidents include attacks on Texas local governments, Acer, and the Kaseya supply-chain compromise affecting approximately 1,500 downstream victims.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- Following the Kaseya attack, REvil took a two-month operational break during which law enforcement infiltrated and monitored their infrastructure, leading to multiple disruptions.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- In January 2022, Russian authorities arrested over a dozen REvil members, who were released in 2025 after serving time on carding-related charges.
  First reported: 07.04.2026 02:54 · 1 source, 1 article
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- BKA states that both identified individuals are believed to be in Russia and has requested public assistance in locating them, including through entries added to the EU’s Most Wanted portal.
  First reported: 07.04.2026 02:54 · 1 source, 2 articles
  Sources:
  - German authorities identify REvil and GangCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
- BKA shared images, including tattoo photos of Shchukin and Kravchuk, to aid public tracking efforts.
  First reported: 07.04.2026 02:54 · 1 source, 1 article
  Sources:
  - German authorities identify REvil and GandCrab ransomware bosses — www.bleepingcomputer.com — 07.04.2026 02:54
Similar Happenings
Volodymyr Tymoshchuk Charged for LockerGoga, MegaCortex, Nefilim Ransomware Operations
Ukrainian national Volodymyr Viktorovich Tymoshchuk has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk faces multiple charges related to computer fraud, unauthorized access, and threatening to disclose confidential information. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities. Nefilim ransomware has been rebranded as Fusion, Milihpen, Gangbang, Nemty, and Karma.
Convicted REvil Affiliate Accuses Russian Government of Planning 2021 Kaseya Attack
A convicted REvil affiliate, Yaroslav Vasinskyi, has accused the Russian government of planning the 2021 supply chain attack against Kaseya. Vasinskyi, who was sentenced to over 13 years in prison for his role in numerous ransomware attacks, claims that the Russian government orchestrated the attack to disrupt critical infrastructure. The Kaseya attack exploited a vulnerability in Kaseya's remote monitoring software VSA, compromising over 1,000 companies. The Russian government has not taken credit for the attack. Vasinskyi's allegations were discussed during a DEF CON 33 session by Jon DiMaggio, chief intelligence strategist at Analyst1, and John Fokker, head of threat intelligence at Trellix. The session provided insights into REvil's operations and the structure of its ransomware-as-a-service model.