Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab – Krebs on Safety

An elusive hacker who glided by the deal with “UNKN” and ran the early Russian ransomware teams GandCrab and REvil now has a reputation and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed each cybercrime gangs and helped perform at the least 130 acts of pc sabotage and extortion towards victims throughout the nation between 2019 and 2021.

Shchukin was named as UNKN (a.ok.a. UNKNOWN) in an advisory revealed by the German Federal Felony Police (the “Bundeskriminalamt” or BKA for brief). The BKA stated Shchukin and one other Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted practically $2 million euros throughout two dozen cyberattacks that prompted greater than 35 million euros in whole financial injury.

Daniil Maksimovich SHCHUKIN, a.ok.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware teams.

Germany’s BKA stated Shchukin acted as the pinnacle of one of many largest worldwide working ransomware teams GandCrab and REvil, which pioneered the apply of double extortion — charging victims as soon as for a key wanted to unlock hacked methods, and a separate cost in alternate for a promise to not publish stolen knowledge.

Shchukin’s identify appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Division in search of the seizure of assorted cryptocurrency accounts related to proceeds from the REvil ransomware gang’s actions. The federal government stated the digital pockets tied to Shchukin contained greater than $317,000 in ill-gotten cryptocurrency.

The GandCrab ransomware associates program first surfaced in January 2018, and paid enterprising hackers enormous shares of the earnings only for hacking into person accounts at main firms. The GandCrab staff would then attempt to broaden that entry, typically siphoning huge quantities of delicate and inside paperwork within the course of. The malware’s curators shipped 5 main revisions to the GandCrab code, every corresponding with sneaky new options and bug fixes geared toward thwarting the efforts of pc safety companies to stymie the unfold of the malware.

On Might 31, 2019, the GandCrab staff announced the group was shutting down after extorting greater than $2 billion from victims. “We’re a dwelling proof that you are able to do evil and get off scot-free,” GandCrab’s farewell tackle famously quipped. “We now have proved that one could make a lifetime of cash in a single 12 months. We now have proved you could turn into primary by normal admission, not in your individual conceit.”

The REvil ransomware associates program materialized across the identical as GandCrab’s demise, fronted by a person named UNKNOWN who introduced on a Russian cybercrime discussion board that he’d deposited $1 million within the discussion board’s escrow to point out he meant enterprise. By this time, many cybersecurity consultants had concluded REvil was little greater than a reorganization of GandCrab.

UNKNOWN additionally gave an interview to Dmitry Smilyanets, a former malicious hacker employed by Recorded Future, whereby UNKNOWN described a rags-to-riches story unencumbered by ethics and morals.

“As a baby, I scrounged by the trash heaps and smoked cigarette butts,” UNKNOWN advised Recorded Future. “I walked 10 km one method to the varsity. I wore the identical garments for six months. In my youth, in a communal condominium, I didn’t eat for 2 and even three days. Now I’m a millionaire.”

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested vital earnings into bettering their success and mirroring practices of legit companies. The authors wrote:

“Simply as a real-world producer may rent different corporations to deal with logistics or internet design, ransomware builders more and more outsourced duties past their purview, focusing as an alternative on bettering the standard of their ransomware. The upper high quality ransomware—which, in lots of circumstances, the Searching Group couldn’t break—resulted in additional and better pay-outs from victims. The monumental funds enabled gangs to reinvest of their enterprises. They employed extra specialists, and their success accelerated.”

“Criminals raced to affix the booming ransomware financial system. Underworld ancillary service suppliers sprouted or pivoted from different prison work to satisfy builders’ demand for personalized assist. Partnering with gangs like GandCrab, ‘cryptor’ suppliers ensured ransomware couldn’t be detected by normal anti-malware scanners. ‘Preliminary entry brokerages’ specialised in stealing credentials and discovering vulnerabilities in goal networks, promoting that entry to ransomware operators and associates. Bitcoin “tumblers” supplied reductions to gangs that used them as a most popular vendor for laundering ransom funds. Some contractors had been open to working with any gang, whereas others entered unique partnerships.”

REvil would evolve right into a feared “big-game-hunting” machine able to extracting hefty extortion funds from victims, largely going after organizations with greater than $100 million in annual revenues and fats new cyber insurance coverage insurance policies that had been identified to pay out.

Over the July 4, 2021 weekend in america, REvil hacked into and extorted Kaseya, an organization that dealt with IT operations for greater than 1,500 companies, nonprofits and authorities businesses. The FBI would later announce they’d infiltrated the ransomware group’s servers previous to the Kaseya hack however couldn’t tip their hand on the time. REvil by no means recovered from that core compromise, or from the FBI’s launch of a free decryption key for REvil victims who couldn’t or didn’t pay.

Shchukin is from Krasnodar, Russia and is assumed to reside there, the BKA stated.

“Primarily based on the investigations up to now, it’s assumed that the wished individual is overseas, presumably in Russia,” the BKA suggested. “Journey behaviour can’t be dominated out.”

There may be little that connects Shchukin to UNKNOWN’s varied accounts on the Russian crime boards. However a evaluate of the Russian crime boards listed by the cyber intelligence agency Intel 471 exhibits there’s lots connecting Shchukin to a hacker identification referred to as “Ger0in” who operated massive botnets and offered “installs” — permitting different cybercriminals to quickly deploy malware of their option to 1000’s of PCs in a single go. Nevertheless, Ger0in was solely lively between 2010 and 2011, nicely earlier than UNKNOWN’s look because the REvil entrance man.

A evaluate of the mugshots launched by the BKA on the picture comparability website Pimeyes discovered a match on this birthday celebration from 2023, which contains a younger man named Daniel sporting the identical fancy watch as within the BKA images.

Pictures from Daniil Shchukin’s party celebration in Krasnodar in 2023.

Replace, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) convention speak in Germany from 2023 that beforehand outed Shchukin because the REvil chief (Shchuckin is talked about at round 24:25).