UNKN Exposed: OPSEC Lessons from the REvil/GandCrab Takedown
Just saw the breaking news from Germany regarding the doxing of 'UNKN.' It looks like the BKA (German Federal Criminal Police) has officially named 31-year-old Daniil Maksimovich Shchukin as the alleged mastermind behind both GandCrab and REvil.
What catches my eye isn't just the attribution, but the sheer volume of specific 'computer sabotage' charges—130 victims in Germany alone between 2019 and 2021. We often talk about REvil in the context of Kaseya or JBS, but this highlights the long tail of mid-market extortion that often flies under the radar.
Since this involves historic IOCs related to GandCrab and REvil (Sodinokibi), it might be a good time to audit logs for dormant artifacts or historical persistence mechanisms if you have legacy data retention. While these active campaigns tapered off, the affiliates' infrastructure often stays dormant.
Here is a basic KQL query to hunt for historical indicators of the specific encryption processes or shadow copy deletion often associated with these gangs, just in case you need to check cold storage for forensic correlation:
// Shadow Copy deletion via vssadmin inside the hunting window
DeviceProcessEvents
| where Timestamp between (datetime(2019-04-01) .. datetime(2021-07-01))
| where FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows")
| project DeviceId, DeviceName, DeletionTime = Timestamp, InitiatingProcessFileName
// Files written with the extensions of interest on the same device. Joining on DeviceId
// and then filtering on a time window avoids the exact-Timestamp join, which never matches
// because the process event and the file events are never logged at the same instant.
| join kind=inner (
    DeviceFileEvents
    | where FileName endswith ".GDCB" or FileName endswith ".encrypted" or FileName endswith ".rvls"
    | project DeviceId, WriteTime = Timestamp, FolderPath, FileName
) on DeviceId
| where abs(datetime_diff('minute', WriteTime, DeletionTime)) <= 30   // 30 min is a starting point; tune it
| project DeviceName, DeletionTime, WriteTime, FolderPath, FileName, InitiatingProcessFileName
The OPSEC failure here is massive. If the head of a RaaS operation that aggressive can be tied to real-world identity this late in the game, it changes the risk calculus for current operators. Do you guys think this indictment is mostly symbolic, or does the BKA actually have enough on the hardware/crypto side to impact current Russian cybercrime ecosystems?
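The same correlation logic, re-implemented here in Python as an added example (not code from the thread) so the hunt can be dry-run offline against constructed telemetry before pointing it at cold storage. Field names mirror the DeviceProcessEvents / DeviceFileEvents columns used in the query; the sample rows, host names and the 30-minute correlation window are assumptions. The sample deliberately includes a scripted backup job that also calls vssadmin: because a hit requires both the shadow deletion and ransomware-style file writes on the same host close in time, that host does not fire.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extensions taken from the KQL query above; matched case-insensitively
SUSPICIOUS_EXTENSIONS = (".gdcb", ".encrypted", ".rvls")
# Hunting window from the query above
HUNT_START = datetime(2019, 4, 1)
HUNT_END = datetime(2021, 7, 1)
# How close in time file writes must be to the shadow deletion (assumed value)
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class ProcessEvent:          # mirrors the DeviceProcessEvents columns used above
    timestamp: datetime
    device_id: str
    device_name: str
    file_name: str
    command_line: str
    initiating_process: str


@dataclass(frozen=True)
class FileEvent:             # mirrors the DeviceFileEvents columns used above
    timestamp: datetime
    device_id: str
    file_name: str
    folder_path: str


def is_shadow_deletion(ev: ProcessEvent) -> bool:
    """vssadmin.exe with both 'delete' and 'shadows' on the command line (KQL has_all)."""
    cl = ev.command_line.lower()
    return ev.file_name.lower() == "vssadmin.exe" and "delete" in cl and "shadows" in cl


def has_suspicious_extension(ev: FileEvent) -> bool:
    return ev.file_name.lower().endswith(SUSPICIOUS_EXTENSIONS)


def correlate(process_events, file_events, start=HUNT_START, end=HUNT_END,
              window=CORRELATION_WINDOW):
    """One hit per shadow deletion that has ransomware-style file writes on the
    same device within `window`. A shadow deletion alone (e.g. a backup script)
    or suspicious-looking files alone never produce a hit."""
    files_by_device = {}
    for fe in file_events:
        if has_suspicious_extension(fe):
            files_by_device.setdefault(fe.device_id, []).append(fe)

    hits = []
    for pe in process_events:
        if not (start <= pe.timestamp <= end) or not is_shadow_deletion(pe):
            continue
        nearby = [fe for fe in files_by_device.get(pe.device_id, [])
                  if abs(fe.timestamp - pe.timestamp) <= window]
        if nearby:
            hits.append({
                "device_name": pe.device_name,
                "timestamp": pe.timestamp,
                "initiating_process": pe.initiating_process,
                "encrypted_files": sorted(fe.folder_path + fe.file_name for fe in nearby),
            })
    return hits


# Constructed sample telemetry (not real logs). FS-01 shows the ransomware pattern;
# BK-02 is a legitimate scripted backup job that also runs vssadmin; WS-03 writes
# .encrypted files with no shadow deletion; FS-01's 2018 event is outside the window.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(datetime(2020, 5, 3, 2, 14), "dev-a", "FS-01", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", "cmd.exe"),
    ProcessEvent(datetime(2020, 6, 1, 23, 0), "dev-b", "BK-02", "vssadmin.exe",
                 "vssadmin.exe delete shadows /for=D: /oldest", "powershell.exe"),
    ProcessEvent(datetime(2018, 11, 9, 4, 0), "dev-a", "FS-01", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", "cmd.exe"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent(datetime(2020, 5, 3, 2, 16), "dev-a", "Q2-forecast.xlsx.GDCB", "D:\\Finance\\"),
    FileEvent(datetime(2020, 5, 3, 2, 17), "dev-a", "payroll.docx.GDCB", "D:\\Finance\\"),
    FileEvent(datetime(2020, 5, 3, 9, 0), "dev-a", "old.pdf.GDCB", "D:\\Archive\\"),  # too far from the deletion
    FileEvent(datetime(2020, 6, 1, 23, 5), "dev-b", "nightly.bak", "E:\\Backups\\"),
    FileEvent(datetime(2020, 7, 12, 14, 30), "dev-c", "notes.txt.encrypted", "C:\\Users\\jsmith\\"),
]


def hunt():
    """Run the correlation over the constructed sample; returns the hit list."""
    return correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)


if __name__ == "__main__":
    for hit in hunt():
        print(hit["device_name"], hit["timestamp"], hit["initiating_process"], hit["encrypted_files"])
```

On the sample only FS-01 fires, with the two .GDCB writes that fall inside the 30-minute window and cmd.exe as the initiating process; BK-02's backup-job vssadmin call and WS-03's lone .encrypted file both drop out, which is the context check the thread is asking for before anyone escalates a historical vssadmin hit.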
This is massive for attribution, but I'm skeptical about the immediate operational impact. Shchukin has likely been out of the game or moved to purely advisory roles since the REvil takedown in 2021. The real value here is mapping the social graph. Now that we have a name for UNKN, we can likely cross-reference travel records and financial transactions to find the current crop of affiliates who split off to form newer groups like Black Basta or LockBit.
I ran a quick check against our SIEM logs using a variation of your query. We didn't find active encryption, but we did see some suspicious vssadmin calls from 2020 on a legacy server that was decommissioned last year. It turned out to be a scripted backup job, but it's a good reminder that these TTPs (Shadow Copy deletion) are common in both legit admin scripts and ransomware. Context is king.
From a pentester's perspective, the shift to RaaS made tracking hard, but it also created more failure points. Every affiliate is a potential leak. It seems like UNKN's downfall wasn't just technical OPSEC but likely human intelligence from within the affiliate network. If you are running a crimeware shop, you have to trust your 'employees,' and that's always the Achilles' heel.