Back to Intelligence

REvil and GandCrab Attribution: Detecting TTPs of the UNKN Operation

SA
Security Arsenal Team
April 14, 2026
6 min read

In a significant victory for the cyber defense community, German authorities have finally unmasked the elusive actor known as "UNKN." The Federal Prosecutor's Office in Germany has identified 31-year-old Russian national Daniil Maksimovich Shchukin as the alleged ringleader behind two of the most destructive ransomware operations in recent history: GandCrab and REvil (Sodinokibi).

Shchukin is accused of orchestrating at least 130 acts of computer sabotage and extortion between 2019 and 2021. While this identification is a massive step in attribution, the technical reality is that the code, infrastructure, and TTPs developed under his leadership persist in the wild. Defenders must act now to hunt for residual indicators of these specific families and harden environments against the attack vectors these gangs popularized.

Technical Analysis

Threat Overview: The attribution centers on the "UNKN" persona, the architect of the GandCrab Ransomware-as-a-Service (RaaS) model and its successor, REvil. These operations were responsible for hundreds of millions of dollars in extortion.

Attack Chain and Methodology:

  • GandCrab: Typically distributed via exploit kits (GrandSoft), phishing campaigns, and compromised RDP credentials. It was prolific for its use of legitimate system tools (like PowerShell) to disable security software and encrypt files.
  • REvil (Sodinokibi): Evolved from GandCrab, notorious for "Big Game Hunting" and exploiting vulnerabilities in enterprise software (e.g., Kaseya VSA, Pulse Secure, ProxyShell). It utilizes a sophisticated combination of initial access brokers, manual lateral movement, and automated encryption.

Key Indicators of Compromise (IOCs): While specific infrastructure shifts, the behavioral artifacts remain consistent:

  • Ransom Notes:
    • GandCrab: GANDCRAB DECRYPTOR.html, GANDCRAB DECRYPTOR.txt, or files with .GDCB/.CRAB extensions.
    • REvil: _README_.TXT, _README_.hta (often dropped in every folder), or file extensions with random 5-6 character alpha-numeric sequences (e.g., .A5F3E).
  • Persistence: REvil often creates a registry key to track the encryption status or maintain persistence: HKCU\Software\[Random CLSID] or HKCU\Software\REvil.
  • Mutexes: GandCrab variants historically used mutexes like Global\GdPb{Random}. REvil often utilizes Global\MsWinZzsCacheLockMutex.

Exploitation Status: These are established, commodity threats. While the specific campaigns referenced in the German indictment occurred between 2019-2021, the source code and variants have leaked and been re-incorporated into new payloads. Active exploitation of these specific TTPs is ongoing via copycat actors.

Detection & Response

Sigma Rules

The following rules target the specific artifact creation and persistence mechanisms associated with the GandCrab and REvil families under Shchukin's operation.

YAML
---
title: Potential GandCrab Ransomware Note Creation
id: 9e8b1d2c-4a5f-4b3c-8d9e-1a2b3c4d5e6f
status: experimental
description: Detects the creation of GandCrab ransomware notes (html/txt) which are specific artifacts left by the gang led by UNKN.
references:
  - https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - 'GANDCRAB'
      - 'DECRYPT'
    TargetFilename|endswith:
      - '.html'
      - '.txt'
  condition: selection
falsepositives:
  - Legitimate administrative scripts (rare)
level: critical
---
title: REvil (Sodinokibi) Ransomware Note Creation
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the creation of the characteristic _README_ ransom note used by REvil to instruct victims on payment.
references:
  - https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '_README_.TXT'
      - '_README_.hta'
      - '_README_.URL'
  condition: selection
falsepositives:
  - Legitimate readme files in software directories
level: critical
---
title: REvil Registry Persistence Indicator
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects registry key creation or modification consistent with REvil persistence mechanisms observed in UNKN-linked campaigns.
references:
  - https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_add
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\REvil'
      - '\Software\Microsoft\Windows\CurrentVersion\RunOnce\'
    Details|contains:
      - 'decrypt'
      - 'restore'
  condition: selection
falsepositives:
  - Unknown
level: high

KQL (Microsoft Sentinel / Defender)

Hunt for the specific file artifacts and the rapid file modification patterns associated with these ransomware families.

KQL — Microsoft Sentinel / Defender
// Hunt for GandCrab and REvil ransom note artifacts
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName in~ ("GANDCRAB DECRYPTOR.html", "GANDCRAB DECRYPTOR.txt", "_README_.TXT", "_README_.hta")
   or FolderPath contains "GANDCRAB"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256
| extend SuspiciousScore = iff(FileName contains "GANDCRAB" or FileName contains "_README_", 10, 0)
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of specific ransom notes and checks for the mutex commonly associated with REvil.

VQL — Velociraptor
-- Hunt for UNKN-linked Ransomware Artifacts
SELECT 
  FullPath,
  Size,
  Mtime,
  Atime,
  Btime
FROM glob(globs=C:/Users/**/*)
WHERE 
  Name =~ "GANDCRAB.*" 
  OR Name =~ "_README_.*" 
  OR Name =~ "*.CRAB"
  OR Name =~ "*.GDCB"

-- Hunt for REvil Mutex (requires admin/sysmon)
SELECT 
  Pid, Name, CommandLine
FROM pslist()
WHERE 
  Name =~ ".*" 
  AND grep(query='MsWinZzsCacheLockMutex', string=CommandLine)

Remediation Script (PowerShell)

Use this script to scan for indicators of GandCrab or REvil activity on an endpoint.

PowerShell
<#
.SYNOPSIS
    Security Arsenal Incident Response - Scan for UNKN/REvil/GandCrab IOCs.
.DESCRIPTION
    Scans file system for specific ransom notes and registry for persistence keys.
#>

Write-Host "[+] Starting scan for REvil/GandCrab IOCs..." -ForegroundColor Cyan

# 1. Scan for Ransom Notes
$paths = @("C:\Users\", "C:\ProgramData\", "D:\")
$indicators = @("*_README_.*", "*GANDCRAB*", "*.CRAB", "*.GDCB")
$found = $false

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    Write-Host "[+] Scanning $path..." -ForegroundColor Gray
    foreach ($ind in $indicators) {
        try {
            $files = Get-ChildItem -Path $path -Filter $ind -Recurse -ErrorAction SilentlyContinue -Force
            if ($files) {
                $found = $true
                foreach ($file in $files) {
                    Write-Host "[!] THREAT DETECTED: $($file.FullName)" -ForegroundColor Red
                }
            }
        } catch {
            # Ignore access denied errors
        }
    }
}

# 2. Scan Registry for REvil Persistence
Write-Host "[+] Scanning Registry..." -ForegroundColor Gray
$regPaths = @("Registry::\HKEY_CURRENT_USER\Software", "Registry::\HKEY_LOCAL_MACHINE\Software")
foreach ($regPath in $regPaths) {
    try {
        $keys = Get-ChildItem -Path $regPath -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*REvil*" -or $_.Name -like "*GandCrab*" }
        if ($keys) {
            $found = $true
            foreach ($key in $keys) {
                Write-Host "[!] REGISTRY THREAT DETECTED: $($key.Name)" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access denied errors
    }
}

if (-not $found) {
    Write-Host "[+] No specific IOCs found. System appears clean of these specific artifacts." -ForegroundColor Green
} else {
    Write-Host "[!] CRITICAL: IOCs detected. Isolate host immediately and begin IR procedures." -ForegroundColor Red
}

Remediation

Immediate containment and eradication are required if these indicators are found:

  1. Isolation: Immediately disconnect the infected host from the network (pull ethernet or disable Wi-Fi) to prevent lateral movement. REvil is notorious for spreading via SMB (PsExec/WMI).
  2. Terminate Malicious Processes: Identify and terminate the process responsible for the encryption. REvil often spawns svchost.exe or explorer.exe from suspicious paths (e.g., C:\Windows\Temp\).
  3. Remove Persistence:
    • Delete the ransom notes (_README_.TXT, etc.).
    • Remove the registry keys identified in the hunt script (e.g., HKCU\Software\REvil).
  4. Patch External Facing Services: REvil historically exploited vulnerabilities in VPNs (Pulse Secure, Fortinet) and web servers (Oracle WebLogic, SharePoint). Ensure all external perimeter devices are patched against the "ProxyShell" and "PrintNightmare" families of vulnerabilities.
  5. Credential Reset: Assume credentials were stolen. Reset all admin and user credentials on the affected segment.
  6. Restore: Re-image the machine from a known-good backup. Do not attempt to use the decryptor provided by the attackers, even if identified, as analysis suggests failure rates in GandCrab/REvil decryptors are non-trivial.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsrevilgandcrabdfirsocthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action