
A Decade-Long Mystery Solved: The Face Behind REvil and GandCrab
In a significant development for global cybersecurity, German law enforcement authorities have publicly identified the individual behind one of the most destructive ransomware operations in recent history. Daniil Maksimovich Shchukin, a 31-year-old Russian national, has been named as the operator known online as "UNKN" — the architect who built and ran both the GandCrab and REvil ransomware-as-a-service (RaaS) empires.
German prosecutors allege that Shchukin was responsible for at least 130 acts of computer sabotage and extortion against victims in Germany between 2019 and 2021. That window aligns with the peak operational periods of both gangs. GandCrab launched in 2018 and was officially "retired" in mid-2019 after its operators claimed to have extorted more than $2 billion from victims worldwide; it was effectively succeeded by REvil, the group behind the headline-grabbing attacks on Kaseya, JBS Foods, and dozens of other high-profile targets. Researchers had long suspected the two operations shared an operator, based on code overlap and the timing of the hand-off; the German allegations now put that link on the official record, even though an indictment is a claim to be proven, not a verdict. Read the full report from KrebsOnSecurity.
Why This Attribution Matters
Law enforcement doxing, the deliberate public identification of cybercriminals, has become an increasingly common Western strategy. Rather than quietly pursuing extradition (Russia does not extradite its own citizens), agencies in Germany, the U.S., and across the EU are opting to name, shame, and sanction threat actors. The goal is threefold: disrupt the individual's ability to operate freely, deter others in their network, and erode the sense of impunity that has made Russia a safe harbor for ransomware operators for over a decade.
For Shchukin specifically, this public unmasking carries real consequences even if he remains on Russian soil. International travel is now a serious risk for him, since any country with an extradition treaty with Germany could detain him on arrival. Any financial assets that touch Western systems become targets for seizure. His criminal associates (affiliates, money launderers, infrastructure providers) now know that operational security within these groups failed at the highest level, which breeds distrust and fragmentation across the broader ransomware ecosystem.
It also sends a message that no one in the RaaS supply chain is truly anonymous. UNKN was considered among the more careful operators in the Russian cybercrime underground. If German investigators were able to build a dossier substantial enough for a public identification, it demonstrates the maturation of cross-border cyber attribution capabilities in ways that should concern threat actors still operating today.
Key Takeaway
The unmasking of UNKN ties REvil and GandCrab to the same individual, a single threat actor responsible for billions of dollars in global ransomware damage. While Shchukin remains in Russia, his exposure signals that Western law enforcement's attribution capabilities have reached a new level of precision. For businesses, it is a reminder that the people behind past attacks are still being identified, and that they and their associates remain active and connected to ongoing criminal ecosystems.
What This Means For Your Business
The public identification of Shchukin does not mean the ransomware threat has diminished; quite the opposite. REvil's affiliate network did not disappear when the group's infrastructure went offline in late 2021 and Russian authorities arrested alleged members in early 2022. Many of its former affiliates migrated to successor groups, including BlackCat/ALPHV and LockBit. The ransomware-as-a-service model Shchukin helped pioneer is now the dominant format for ransomware operations globally, and it operates independently of any single individual at the top: the operator supplies the malware, leak site, and payment handling, while affiliates supply the intrusions, so removing one operator mostly redistributes affiliates to the next.
For organizations that were victimized by GandCrab or REvil between 2019 and 2021, this development may have legal and insurance implications worth discussing with counsel, particularly as international legal proceedings around restitution continue to evolve. For all businesses, the more immediate concern remains operational: the techniques, tooling, and affiliate structures pioneered under UNKN's leadership are still in active use today.
Here is what Bellator Cyber Guard recommends in light of this ongoing threat landscape:
- Patch and prioritize remote access security. REvil affiliates routinely got in through unpatched VPN appliances, exposed RDP, and stolen credentials. These remain primary ransomware entry points in 2026, so internet-facing remote access should be patched first, fronted by multi-factor authentication, and inventoried so nothing is exposed by accident.
- Implement and test immutable backups. Ransomware operators routinely locate and destroy backups before deploying encryption, so a backup the attacker's account can reach is not a backup. Keep copies that are air-gapped or held in write-once (immutable) storage, and verify restoration by actually restoring, on a schedule, not only after an incident.
- Conduct ransomware-specific tabletop exercises. Knowing how your team responds before an incident occurs shortens time to containment and reduces recovery costs.
- Review your cyber insurance policy. Attribution developments like this one can influence how claims are assessed, particularly where war or state-sponsored-attack exclusions apply. Confirm with your broker how a criminal-group attribution, as opposed to a state one, is treated under your policy.
- Monitor threat intelligence feeds for REvil successor activity. Former affiliates are active, and indicators of compromise associated with REvil-era tooling continue to appear in enterprise environments.
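The backup recommendation above is only as good as the restore test behind it. The following script is an added example written for this article, not tooling from Bellator Cyber Guard or from any REvil investigation. It records a SHA-256 manifest for a backup set, restores the archive into a scratch directory, and checks every restored file against that manifest, so a backup that has been altered or truncated is caught before you need it. The directory layout and file contents in `demo` are constructed sample data. Immutability itself must come from the storage layer (object lock, WORM media, or an offline copy); this script verifies integrity, and the manifest should be kept with the immutable copy so a tampered archive cannot carry a matching manifest.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): manifest-based restore test.
set -u

# Pick a SHA-256 tool: GNU coreutils on Linux, shasum on macOS/BSD.
if command -v sha256sum >/dev/null 2>&1; then
  SHA256="sha256sum"
else
  SHA256="shasum -a 256"
fi

# make_backup SRC_DIR ARCHIVE MANIFEST
# Writes a SHA-256 line for every file under SRC_DIR (relative paths) to
# MANIFEST, then archives SRC_DIR. Store MANIFEST separately from ARCHIVE.
make_backup() {
  local src="$1" archive="$2" manifest="$3"
  ( cd "$src" && find . -type f -exec $SHA256 {} + ) > "$manifest" || return 1
  tar -C "$src" -cf "$archive" . || return 1
}

# verify_restore ARCHIVE MANIFEST
# Restores ARCHIVE into a fresh scratch directory and checks every file
# against MANIFEST. Returns 0 only if extraction succeeds and no file is
# missing or altered; the scratch directory is removed either way.
verify_restore() {
  local archive="$1" manifest="$2" scratch rc
  # Resolve the manifest to an absolute path because we cd into the scratch dir.
  manifest="$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")"
  scratch=$(mktemp -d) || return 1
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    rm -rf "$scratch"
    return 1
  fi
  if ( cd "$scratch" && $SHA256 -c "$manifest" >/dev/null 2>&1 ); then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# demo: constructed sample data. Builds a backup and verifies it restores
# cleanly, then rebuilds the archive from silently modified data (a corrupt
# job or an attacker rewriting the backup) and confirms the check fails.
# Returns 0 when both outcomes are as expected.
demo() {
  local work good_rc bad_rc
  work=$(mktemp -d) || return 1
  mkdir -p "$work/src/db"
  printf 'customer,balance\n1,100\n' > "$work/src/db/ledger.csv"
  printf 'listen 443\n' > "$work/src/app.conf"

  if ! make_backup "$work/src" "$work/backup.tar" "$work/manifest.sha256"; then
    rm -rf "$work"
    return 1
  fi
  if verify_restore "$work/backup.tar" "$work/manifest.sha256"; then
    good_rc=0
  else
    good_rc=1
  fi

  # Tamper with the source and re-archive, keeping the original manifest.
  printf 'customer,balance\n1,0\n' > "$work/src/db/ledger.csv"
  tar -C "$work/src" -cf "$work/backup.tar" . || { rm -rf "$work"; return 1; }
  if verify_restore "$work/backup.tar" "$work/manifest.sha256"; then
    bad_rc=0
  else
    bad_rc=1
  fi

  rm -rf "$work"
  [ "$good_rc" -eq 0 ] && [ "$bad_rc" -ne 0 ]
}
```

In production the archive and manifest paths would point at the immutable copy, `verify_restore` would run from a host that holds only read access to that copy, and a non-zero exit should page someone: a restore test that fails quietly is the same as no test.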
The unmasking of UNKN is a meaningful moment in the long effort to hold ransomware operators accountable. But accountability without custody is only part of the solution. The best defense remains a hardened, well-rehearsed security posture that assumes determined adversaries — named or unnamed — are actively seeking a foothold in your environment.
Ready to get protected?
Schedule a free discovery call with our cybersecurity experts. No obligation.



