UNKN Unmasked: Daniil Shchukin Identified as REvil and GandCrab Leader
For those of us living and working in Austin, the “Silicon Hills” vibe often makes us feel like we’re at the vanguard of digital security. But when you look at the wreckage left by the REvil ransomware gang, it becomes clear that no one—not even the local government offices just a few blocks from the Texas State Capitol—is truly invisible. The recent news out of Germany isn’t just another international police report; it’s the unmasking of the architects who turned cyber-extortion into a corporate-style enterprise, and it serves as a stark reminder that the threats targeting our local infrastructure often originate thousands of miles away in places like Krasnodar, Russia.
The Unmasking of UNKN and the REvil Empire
The German Federal Criminal Police, known as the BKA, recently pulled back the curtain on the identities of two Russian nationals who spearheaded some of the most aggressive ransomware operations in history. Daniil Maksimovich Shchukin, a 31-year-old who operated under the handle “UNKN” (or “UNKNOWN”), and 43-year-old Anatoly Sergeevitsch Kravchuk have been identified as the leaders of both GandCrab and REvil. Between 2019 and 2021, these two didn’t just write code; they managed a global extortion machine. In Germany alone, they are linked to 130 cases of computer sabotage, with total financial damages estimated to exceed $40 million.
Shchukin’s trajectory is a disturbing study in the “rags-to-riches” narrative of the dark web. In an interview with Dmitry Smilyanets of Recorded Future, Shchukin described a childhood of extreme poverty—scrounging through trash heaps and skipping meals for days—before becoming a millionaire through cybercrime. This personal drive for wealth fueled a highly professionalized approach to crime. Under Shchukin and Kravchuk, REvil (also known as Sodinokibi) didn’t operate like a group of lone hackers in a basement; it operated like a software company, using a Ransomware-as-a-Service (RaaS) model. The core group developed and maintained the malware, then recruited “affiliates” to carry out the actual intrusions and infections, sharing the profits in a way that mirrored a legitimate franchise business.
From GandCrab to “Big Game Hunting”
The evolution from GandCrab to REvil marked a pivotal shift in how cybercriminals target organizations. GandCrab, which surfaced in early 2018, was already incredibly lucrative, with its operators claiming to have earned billions before “retiring” in mid-2019. However, REvil took those lessons and weaponized them further. They pioneered the practice of “double extortion.” Instead of simply locking a company’s files and demanding payment for a decryption key, they began stealing sensitive data first. If the victim refused to pay for the key, the gang threatened to leak the stolen documents on public auction sites, creating a secondary layer of pressure that made payment almost inevitable for many.
This strategy led to what experts call “big game hunting.” Rather than casting a wide net of small victims, REvil specifically targeted organizations with annual revenues exceeding $100 million. They weren’t just looking for vulnerable software; they were looking for “fat” cyber insurance policies. By sizing demands to the insurance payout, they ensured that the victims had the means to pay massive ransoms. This cold, calculated approach impacted a wide array of targets, including the computer giant Acer and multiple local governments across Texas. The most devastating blow came during the July 4th weekend of 2021, when REvil targeted Kaseya, an IT operations company. This supply-chain attack rippled downward, impacting roughly 1,500 downstream victims including nonprofits and government agencies.
The downfall of the group began when the FBI managed to infiltrate REvil’s servers prior to the Kaseya attack. By releasing a free decryption key, the FBI stripped the gang of its primary leverage. While Shchukin is believed to still reside in Russia, the global effort to dismantle the network has seen seven individuals arrested and four members sentenced to prison as of 2024. The financial trail is still being pursued as well, with the U.S. Department of Justice seeking the seizure of cryptocurrency accounts, including one tied to Shchukin containing over $317,000 in ill-gotten gains.
Securing the Local Perimeter in Austin
When we see the scale of damage caused by figures like Shchukin and Kravchuk, it’s easy to feel overwhelmed. However, the transition from “big game” to “protected target” requires a shift in how we handle cybersecurity risk management. In a tech-heavy hub like Austin, where the density of startups and government offices creates a unique attack surface, relying on basic antivirus software is no longer sufficient. The RaaS model proves that attackers are constantly evolving their “product” to bypass standard scanners.
Given my background in analyzing these systemic failures, if you are managing a business or a public entity in the Austin area and feel exposed to these types of evolving threats, you shouldn’t just look for a “computer guy.” You need a specialized defensive layer. If this trend impacts your operations, here are the three types of local professionals you should be engaging with to implement robust incident response protocols:
- Managed Security Service Providers (MSSPs) with 24/7 SOC Capabilities: Don’t settle for a provider that only monitors your system during business hours. Look for an MSSP that operates a dedicated Security Operations Center (SOC) and has specific experience defending against RaaS (Ransomware-as-a-Service) attacks. They should be able to demonstrate how they hunt for “initial access brokers”—the specialists who sell entry points into networks to gangs like REvil.
- Digital Forensics and Incident Response (DFIR) Specialists: In the event of a breach, you need a firm that doesn’t just “wipe and reload” your servers. Look for DFIR professionals who hold certifications like GCFE (GIAC Certified Forensic Examiner). Their job is to determine exactly how the attacker got in and, more importantly, whether data was exfiltrated for “double extortion” purposes, which changes your legal notification requirements.
- Cyber Insurance Brokers specializing in Extortion Law: Since REvil specifically targeted insurance policies, your coverage needs to be precise. Seek out brokers who understand the nuances of “ransomware extortion” clauses. Ensure your policy doesn’t just cover the cost of recovery, but also provides access to vetted legal counsel and negotiators who can handle the complexities of dealing with international threat actors.
Ready to find trusted professionals? Browse our complete directory of top-rated experts in the Austin, TX area today.