Alleged REvil and GandCrab Kingpin Unmasked: Meet Daniil Shchukin, the ‘UNKNOWN’ Hacker
German authorities have identified 31-year-old Russian national Daniil Maksimovich Shchukin as the alleged mastermind behind two of the most prolific ransomware groups in history: GandCrab and REvil. Shchukin, known online as “UNKNOWN,” is accused of orchestrating at least 130 cyberattacks in Germany between 2019 and 2021, causing over €35 million in economic damage and extorting nearly €2 million.
This revelation marks a significant breakthrough in the ongoing global effort to combat ransomware, a form of cybercrime that has crippled businesses, hospitals, and government agencies worldwide. The identification of Shchukin provides a crucial piece of the puzzle in understanding the complex network of individuals and organizations involved in these attacks.
The Rise of UNKNOWN and the GandCrab Affiliate Program
The GandCrab ransomware first emerged in January 2018, quickly gaining notoriety for its aggressive affiliate program. This program incentivized hackers to infiltrate corporate networks, offering substantial payouts for successful breaches. Once inside, the GandCrab team would expand access, exfiltrating sensitive data and deploying the ransomware itself. Five major revisions to the GandCrab code were released, each designed to evade detection by security firms and enhance its malicious capabilities.
In July 2019, GandCrab abruptly announced its shutdown, boasting of over $2 billion in extorted funds. The group’s farewell message was a chilling testament to their success, proclaiming, “We are a living proof that you can do evil and get off scot-free.”
From GandCrab to REvil: A Seamless Transition
Almost immediately following GandCrab’s demise, a new ransomware operation, REvil, surfaced. Fronted by a user named UNKNOWN, the group signaled its intent by depositing $1 million into the escrow of a prominent Russian cybercrime forum. Cybersecurity experts quickly concluded that REvil was, in essence, a reorganization of the GandCrab infrastructure and personnel.
UNKNOWN’s story, as revealed in an interview with Dmitry Smilyanets of Recorded Future, is a stark illustration of the motivations driving cybercriminals. He recounted a difficult childhood marked by poverty, contrasting it sharply with his newfound wealth. “As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN stated. “Now I am a millionaire.”
The success of REvil wasn’t simply about technical prowess. As detailed in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil adopted business-like practices, outsourcing tasks and reinvesting profits to improve their operations. This included utilizing “cryptor” providers to bypass anti-malware scanners, “initial access brokers” to gain entry into networks, and Bitcoin “tumblers” to launder ransom payments.
REvil quickly evolved into a “big-game hunting” operation, targeting organizations with substantial revenues and robust cyber insurance policies. Their attacks were characterized by high demands and the threat of data publication – a tactic known as double extortion.
The Kaseya Attack and the FBI’s Intervention
The July 4, 2021, attack on Kaseya, a managed service provider, stands as a particularly devastating example of REvil’s capabilities. By compromising Kaseya’s systems, the ransomware gang gained access to over 1,500 downstream businesses, nonprofits, and government agencies. The FBI had infiltrated REvil’s servers prior to the attack but was unable to act immediately without compromising its investigation. Ultimately, the FBI released a decryption key, effectively dismantling REvil’s operations.
Identifying Shchukin: From Online Alias to Real Name
The German Federal Criminal Police (BKA) officially named Daniil Maksimovich Shchukin as UNKNOWN in a recent advisory. Shchukin, originally from Krasnodar, Russia, is believed to still reside there. The BKA also linked Shchukin to another Russian national, Anatoly Sergeevitsch Kravchuk, alleging their joint involvement in numerous cyberattacks.
Further investigation revealed a connection between Shchukin and the online alias “Ger0in,” who operated botnets and sold “installs” – access to compromised computers – in the early 2010s. While the timeline doesn’t perfectly align, the link suggests a long history of cybercriminal activity. A review of images released by the BKA matched Shchukin’s likeness to photos from a 2023 birthday celebration.
A February 2023 filing by the U.S. Justice Department sought the seizure of cryptocurrency accounts linked to REvil, revealing that a digital wallet associated with Shchukin held over $317,000 in illicit funds.
What role will international cooperation play in bringing individuals like Shchukin to justice, given the challenges of extradition and differing legal frameworks?
How can organizations better prepare for and respond to ransomware attacks, minimizing the potential for disruption and financial loss?
Frequently Asked Questions About the REvil and GandCrab Hacker
Who is Daniil Shchukin and what ransomware groups is he linked to? Daniil Maksimovich Shchukin is a 31-year-old Russian national identified by German authorities as the alleged leader of the GandCrab and REvil ransomware groups, operating under the online alias ‘UNKNOWN’.
What is ‘double extortion’ as used by ransomware groups like REvil? Double extortion involves not only encrypting a victim’s data but also stealing it and threatening to publish it publicly if the ransom is not paid, increasing the pressure on victims.
How did the FBI disrupt the REvil ransomware operation? The FBI infiltrated REvil’s servers prior to the Kaseya attack and, after the attack, released a free decryption key, effectively dismantling the group’s operations.
What was the significance of the Kaseya ransomware attack? The Kaseya attack was particularly damaging because Kaseya provided IT services to over 1,500 businesses, nonprofits, and government agencies, amplifying the impact of the ransomware.
What is the connection between GandCrab and REvil ransomware? Cybersecurity experts believe REvil was largely a reorganization of the GandCrab operation, with many of the same individuals and infrastructure being repurposed.
How did UNKNOWN describe his rise to wealth? UNKNOWN described a difficult childhood marked by poverty, contrasting it with his current wealth, stating he went from ‘scrounging through the trash heaps’ to becoming a millionaire.