# German Authorities Identify Leaders of REvil and GandCrab Ransomware Operations


Federal Police crack major ransomware investigation, linking Russian nationals to years of coordinated attacks worth billions


German federal law enforcement has achieved a significant breakthrough in international cybercrime investigations, identifying two Russian nationals allegedly responsible for leading the GandCrab and REvil ransomware operations—two of the most destructive and profitable criminal enterprises of the past decade. The identifications mark a turning point in the global effort to dismantle sophisticated ransomware-as-a-service (RaaS) networks that have targeted thousands of organizations worldwide, from small businesses to Fortune 500 companies and critical infrastructure providers.


## The Investigation and Identification


The Federal Police in Germany (BKA) has concluded its comprehensive investigation into the operators behind GandCrab and REvil, determining that the operations were orchestrated by Russian nationals working in coordination with various affiliates and support networks. While specific names remain subject to ongoing legal proceedings, the identification represents months of international intelligence sharing, forensic analysis, and collaboration with cybersecurity firms and law enforcement agencies across multiple countries.


The breakthrough follows years of pressure on ransomware operators, including coordinated takedown operations and arrests that began intensifying in 2021. The BKA's findings provide crucial attribution data that strengthens legal cases and contributes to the growing body of evidence linking major ransomware groups to specific individuals and networks operating from Russian territory.


## GandCrab: The Prolific Ransomware Pioneer


GandCrab emerged in early 2018 as one of the first major ransomware operations to adopt the "RaaS" business model, effectively franchising its malware to affiliates who conducted attacks and split profits with the core operators. The group was exceptionally prolific during its operational period (2018-2021), distributing its malware variant through multiple channels and compromising tens of thousands of systems globally.


Key characteristics of GandCrab operations:

- Distribution scale: Infected over 1 million machines in its peak operational years
- Ransom demands: Ranged from $300 to $600,000+ depending on target size and sector
- Geographic targeting: Conducted opportunistic attacks globally with particular focus on North America and Europe
- Affiliate network: Recruited hundreds of affiliates who conducted hands-on attacks using the malware
- Operational period: Actively deployed variants from January 2018 through June 2021
- Estimated revenue: Security researchers estimated billions in ransom payments across the operation's lifetime

The group maintained operational security through multiple rebranding efforts and continued innovation in evasion techniques. GandCrab's operators pioneered several tactics that became standard in the ransomware ecosystem: leveraging initial access brokers for network compromise, demanding payment in cryptocurrency, and publishing victim data to pressure payment.


## REvil: The High-Impact Successor

REvil (also known as Sodinokibi) emerged in 2019 as arguably the most damaging ransomware operation in history. Operating as a pure RaaS platform, REvil provided malware and infrastructure to affiliates while maintaining operational control and establishing direct relationships with high-value victims.


REvil's operational profile:

- High-profile victims: Claimed responsibility for major attacks including:
  - JBS Foods (June 2021) — $11 million ransom payment
  - Kaseya VSA (July 2021) — Compromised thousands of managed service providers
  - Apple supplier Quanta Services (August 2021) — $50 million demand
- Revenue model: Distributed approximately 70% of ransoms to affiliates, retaining 30%
- Innovation: Advanced encryption techniques, sophisticated exfiltration capabilities, and media manipulation tactics
- Operational period: July 2019 through October 2021
- Estimated damage: Billions in losses across affected organizations

REvil distinguished itself through aggressive negotiation tactics, public victim shaming, and coordinated pressure campaigns. The group operated a professional "support" system for affiliates, published a leak site with victim data, and maintained active communication channels with victims and media outlets.


## The Takedown Operations

The identification of these operators follows the July 2021 law enforcement offensive, launched after the Kaseya supply chain attack, that temporarily shut down REvil's infrastructure. Russian law enforcement had conducted raids related to the investigation, though full arrests and prosecutions remained pending.

The BKA's identification now provides crucial attribution that strengthens international prosecutions and demonstrates the persistence of law enforcement intelligence networks despite criminals' efforts at operational security. The investigation incorporated:

- Forensic analysis of malware code and command-and-control infrastructure
- Financial investigation tracking cryptocurrency transactions and laundering networks
- Threat intelligence from private security firms monitoring these groups
- International cooperation with agencies including the FBI, Europol, and other partners
- Technical analysis of operational patterns, timing, and targeting behaviors

## Broader Implications for Cybersecurity


The identification of REvil and GandCrab operators represents several critical developments:

1. Attribution improving: Law enforcement agencies are increasingly capable of linking specific individuals to major cybercrime operations, raising the operational risk for ransomware actors.
2. RaaS model under pressure: The franchise model that made ransomware profitable and scalable is now facing unprecedented legal scrutiny and operational disruption.
3. Sanctuary erosion: Historical assumptions about operational safety in Russia are being challenged by international cooperation and improved attribution capabilities.
4. Supply chain targeting recognition: The Kaseya attack and others demonstrated the catastrophic potential of targeting service providers, leading to enhanced scrutiny of MSP security.


## Recommendations for Organizations

In light of these developments, organizations should strengthen their cybersecurity posture:

- Assume compromise: Implement zero-trust architecture and assume networks may be compromised
- Backup strategy: Maintain offline, immutable backups separate from production networks
- Segmentation: Isolate critical systems and implement network segmentation to limit lateral movement
- Monitoring: Deploy robust threat detection and response capabilities to identify breach activity early
- Incident planning: Develop and regularly test incident response procedures specifically for ransomware scenarios
- Vendor security: Evaluate third-party service providers' security posture and supply chain protections
- Law enforcement cooperation: Report attacks to law enforcement and remain engaged with information sharing initiatives

## Conclusion

The BKA's identification of REvil and GandCrab operators marks a watershed moment in the global fight against ransomware. While these specific individuals face justice, the broader ransomware ecosystem continues to evolve with new groups and variants emerging constantly. The success of this investigation demonstrates that despite the technical sophistication and operational discipline of major ransomware groups, law enforcement persistence, international cooperation, and forensic capabilities can deliver accountability.

Organizations must recognize that these identifications, while significant, do not eliminate the ransomware threat—they merely demonstrate that actors face genuine legal consequences. This reality should inform corporate risk management strategies, pushing investment toward resilience, detection, and recovery capabilities alongside preventive controls.