Could the attacks by REvil and GandCrab have been prevented?

While no system is entirely immune, implementing robust cybersecurity measures, regular audits, employee training, and adherence to compliance standards could have significantly reduced the risk of such attacks.

German Authorities Unmask Leaders Behind REvil and GandCrab Ransomware Attacks

In a significant breakthrough, German authorities have identified the masterminds behind the notorious REvil and GandCrab ransomware operations, linking them to numerous cyberattacks and substantial financial damages.

Published: April 8, 2026

Share this on:

Executive Summary

In April 2026, Germany's Federal Criminal Police Office (BKA) identified Russian nationals Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk as the leaders of the GandCrab and REvil ransomware operations between 2019 and 2021. Operating under aliases such as 'UNKN' or 'UNKNOWN,' Shchukin and Kravchuk orchestrated at least 130 cyberattacks targeting German companies, resulting in over $40 million in damages and approximately $2.2 million in ransom payments. Their operations popularized the 'double extortion' tactic, demanding payment for decrypting data and additional sums to prevent public release of stolen information. (bleepingcomputer.com)

This identification underscores the persistent threat posed by sophisticated ransomware groups and highlights the importance of international cooperation in combating cybercrime. The GandCrab and REvil models have influenced current ransomware tactics, emphasizing the need for robust cybersecurity measures and proactive threat intelligence to mitigate such risks.

Why This Matters Now

The identification of Shchukin and Kravchuk highlights the ongoing evolution of ransomware tactics and the necessity for organizations to enhance their cybersecurity defenses against increasingly sophisticated threats.

Attack Path Analysis

The attackers initiated the attack by exploiting vulnerabilities in public-facing applications to gain initial access. They then escalated privileges by exploiting misconfigured identity and access management (IAM) policies. Utilizing these elevated privileges, they moved laterally across the network to identify and access critical systems. The attackers established command and control channels to maintain persistent access and control over the compromised environment. They exfiltrated sensitive data by transferring it to external servers under their control. Finally, they encrypted critical data and systems to disrupt operations and extort ransom payments.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

High

Initial Compromise

Description

The attackers exploited vulnerabilities in public-facing applications to gain initial access to the network.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1566

Phishing

Initial Access

T1078

Valid Accounts

Impact

T1486

Data Encrypted for Impact

Impact

T1490

Inhibit System Recovery

Execution

T1059

Command and Scripting Interpreter

Defense Evasion

T1027

Obfuscated Files or Information

Exfiltration

T1041

Exfiltration Over C2 Channel

Command and Control

T1071

Application Layer Protocol

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Malicious Software Prevention

Control ID: 6.4.3

The ransomware attack indicates a failure in preventing malicious software, violating the requirement to implement anti-malware mechanisms.

NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information

Control ID: 500.15

The incident suggests inadequate encryption controls, as sensitive data was compromised, violating the requirement to encrypt nonpublic information.

DORA – ICT Risk Management Framework

Control ID: Article 10

The attack highlights deficiencies in the ICT risk management framework, indicating non-compliance with the requirement to establish a comprehensive risk management framework.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The use of valid accounts by attackers points to weaknesses in identity and access management, violating the principle of least privilege and access control.

NIS2 Directive – Incident Handling

Control ID: Article 21

The significant impact of the ransomware attack suggests inadequate incident handling capabilities, violating the requirement to establish incident response procedures.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

REvil ransomware targeted financial institutions with data exfiltration and encryption attacks, requiring enhanced egress security and zero trust segmentation controls.

Government Administration

Multiple Texas local governments fell victim to REvil attacks, highlighting critical need for multicloud visibility and threat detection capabilities.

Information Technology/IT

Kaseya supply-chain attack impacted 1,500 downstream businesses, demonstrating vulnerability of IT service providers to ransomware lateral movement techniques.

Health Care / Life Sciences

Healthcare sector faces high ransomware risk with HIPAA compliance requirements necessitating encrypted traffic protection and comprehensive anomaly detection systems.

Sources

German authorities identify REvil and GandCrab ransomware bosseshttps://www.bleepingcomputer.com/news/security/german-authorities-identify-revil-and-gangcrab-ransomware-bosses/
Verified

BKA Identifies REvil Leaders Behind 130 German Ransomware Attackshttps://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html

Verified

German authorities identify alleged leader of GandCrab and REvil ransomware gangshttps://www.scworld.com/brief/german-authorities-identify-alleged-leader-of-gandcrab-and-revil-ransomware-gangs

Verified

Frequently Asked Questions

The operations highlighted vulnerabilities in data protection and incident response protocols, emphasizing the need for organizations to adhere to frameworks like NIST and GDPR to mitigate such risks.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's initial access may have been constrained by limiting exposure of public-facing applications through embedded security controls.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-aware access controls.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely have been constrained by segmenting east-west traffic and enforcing strict access controls.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's command and control channels may have been disrupted by providing comprehensive visibility and control over network traffic.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts would likely have been constrained by enforcing strict egress policies and monitoring outbound traffic.

Impact (Mitigations)

The attacker's ability to encrypt critical data and systems may have been limited by restricting unauthorized access and segmenting critical assets.

Impact at a Glance

Affected Business Functions

Data Management
IT Operations
Customer Service
Financial Transactions

Operational Disruption

Estimated downtime: 14 days

Financial Impact

Estimated loss: $40,000,000

Data Exposure

Confidential business data, customer information, and financial records

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
• Utilize Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
• Establish Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

German Authorities Unmask Leaders Behind REvil and GandCrab Ransomware Attacks

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Phishing

Valid Accounts

Data Encrypted for Impact

Inhibit System Recovery

Command and Scripting Interpreter

Obfuscated Files or Information

Exfiltration Over C2 Channel

Application Layer Protocol

Potential Compliance Exposure

PCI DSS 4.0 – Malicious Software Prevention

NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Incident Handling

Sector Implications

Financial Services

Government Administration

Information Technology/IT

Health Care / Life Sciences

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads