How did German authorities identify Daniil Shchukin?

German authorities, through extensive investigations and collaboration with international partners, were able to unmask Daniil Shchukin as 'UNKN,' linking him to numerous ransomware attacks and financial transactions associated with REvil and GandCrab.

Germany Unmasks Leader of REvil and GandCrab Ransomware Groups

Q: What impact did the GandCrab and REvil ransomware groups have?

Between 2019 and 2021, these groups executed at least 130 cyberattacks in Germany, extorting nearly €2 million and causing over €35 million in economic damages, significantly disrupting businesses and critical infrastructure.

German authorities have identified Daniil Maksimovich Shchukin as 'UNKN,' the mastermind behind the REvil and GandCrab ransomware operations responsible for extensive cyberattacks and financial damages.

Published: April 6, 2026

Share this on:

Executive Summary

In April 2026, German authorities identified 31-year-old Russian national Daniil Maksimovich Shchukin as 'UNKN,' the alleged leader of the notorious ransomware groups GandCrab and REvil. Between 2019 and 2021, Shchukin and his associate, 43-year-old Anatoly Sergeevitsch Kravchuk, reportedly executed at least 130 cyberattacks in Germany, extorting nearly €2 million and causing over €35 million in economic damages. These groups pioneered the double extortion tactic, demanding ransom for decrypting systems and additional payment to prevent data leaks.

This revelation underscores the persistent threat posed by sophisticated ransomware operations and highlights the importance of international collaboration in combating cybercrime. Organizations must remain vigilant, as the identification of such key figures does not eliminate the risk of future attacks employing similar tactics.

Why This Matters Now

The unmasking of Daniil Shchukin as the leader of major ransomware groups highlights the ongoing threat of sophisticated cybercriminal operations. It emphasizes the need for organizations to enhance their cybersecurity measures and for continued international cooperation to effectively combat such pervasive threats.

Attack Path Analysis

The attackers initiated the campaign by exploiting vulnerabilities in public-facing systems to gain initial access. They then escalated privileges by exploiting misconfigured IAM roles, allowing broader access within the environment. Utilizing this elevated access, they moved laterally across the network to identify and compromise critical assets. Established command and control channels enabled them to maintain persistent access and coordinate their activities. Sensitive data was exfiltrated to external servers, and finally, ransomware was deployed to encrypt systems, demanding payment for decryption keys.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

High

Initial Compromise

Description

Exploited vulnerabilities in public-facing systems to gain unauthorized access.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1566.001

Spearphishing Attachment

Execution

T1059.001

PowerShell

Impact

T1486

Data Encrypted for Impact

Impact

T1490

Inhibit System Recovery

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Discovery

T1082

System Information Discovery

Defense Evasion

T1562.001

Disable or Modify Tools

Defense Evasion

T1070.004

File Deletion

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Malware Protection

Control ID: 6.4.3

The incident highlights a failure to implement effective malware protection mechanisms, as the ransomware was able to execute and encrypt sensitive data.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The attack indicates deficiencies in the organization's cybersecurity policy, particularly in addressing ransomware threats and incident response planning.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach suggests inadequate ICT risk management practices, as the organization failed to prevent or mitigate the ransomware attack effectively.

CISA ZTMM 2.0 – Identity Management

Control ID: Identity

The incident underscores weaknesses in identity management, as attackers likely exploited compromised credentials to gain unauthorized access.

NIS2 Directive – Incident Handling

Control ID: Article 21

The organization's response to the ransomware attack reveals shortcomings in incident handling procedures, impacting service continuity and data integrity.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

REvil/GandCrab ransomware groups' €35M damage demonstrates critical exposure requiring encrypted traffic monitoring, zero trust segmentation, and egress security controls.

Health Care / Life Sciences

Double extortion tactics targeting €100M+ revenue organizations threaten HIPAA compliance, requiring enhanced anomaly detection and data exfiltration prevention capabilities.

Information Technology/IT

Kaseya attack affecting 1,500+ businesses highlights MSP vulnerabilities, demanding kubernetes security, multicloud visibility, and threat detection for service providers.

Insurance

Big-game hunting targeting cyber insurance policyholders necessitates robust egress filtering, inline IPS protection, and comprehensive incident response frameworks.

Sources

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrabhttps://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/
Verified

REvil ransomware explained: A widespread extortion operationhttps://www.csoonline.com/article/570101/revil-ransomware-explained-a-widespread-extortion-operation.html

Verified

REvil (Sodinokibi) Ransomwarehttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-233a

Verified

Frequently Asked Questions

Double extortion is a tactic where attackers not only encrypt a victim's data and demand a ransom for decryption but also threaten to release the stolen data publicly unless an additional ransom is paid.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's initial access may have been constrained by reducing the exposure of public-facing systems through embedded security controls.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-aware segmentation policies.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely have been constrained by monitoring and controlling east-west traffic between workloads.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's command and control channels may have been detected and disrupted through enhanced visibility and control across multicloud environments.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts would likely have been restricted by enforcing strict egress policies and monitoring outbound traffic.

Impact (Mitigations)

The attacker's ability to deploy ransomware may have been limited by prior segmentation and traffic controls, potentially reducing the scope of impact.

Impact at a Glance

Affected Business Functions

IT Operations
Data Management
Customer Service
Financial Transactions

Operational Disruption

Estimated downtime: 14 days

Financial Impact

Estimated loss: $2,000,000

Data Exposure

Confidential business data, customer information, and financial records

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
• Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
• Establish Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Germany Unmasks Leader of REvil and GandCrab Ransomware Groups

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Spearphishing Attachment

PowerShell

Data Encrypted for Impact

Inhibit System Recovery

Application Layer Protocol: Web Protocols

System Information Discovery

Disable or Modify Tools

File Deletion

Potential Compliance Exposure

PCI DSS 4.0 – Malware Protection

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity Management

NIS2 Directive – Incident Handling

Sector Implications

Financial Services

Health Care / Life Sciences

Information Technology/IT

Insurance

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads