# German Police Apprehend REvil Ransomware Leader Allegedly Responsible for $2 Million in Extortion


In a significant victory for international law enforcement, German police have unmasked and apprehended a key figure behind two of the cybercriminal underworld's most notorious ransomware operations: GandCrab and REvil. The suspect, identified as Shchukin, stands accused of orchestrating ransomware attacks that resulted in more than $2 million in illicit extortion payments, marking a landmark breakthrough in the ongoing battle against ransomware-as-a-service (RaaS) operations.


## The Arrest and Accusations


German law enforcement officials have detained the individual identified as Shchukin on charges related to his leadership role in coordinating ransomware operations spanning multiple continents. Investigators allege that Shchukin served as a primary operator and organizer for both the GandCrab and REvil ransomware families, two of the most destructive and financially successful ransomware operations in recent cybersecurity history. The arrest represents the culmination of extensive international collaboration between German authorities and law enforcement agencies from multiple countries, highlighting the growing commitment to dismantling sophisticated cybercriminal networks.


The €2 million figure—approximately $2 million USD—represents only the documented ransom payments that investigators could directly attribute to Shchukin's operations. Cybersecurity experts suggest the actual financial impact is likely substantially higher when accounting for:


- Indirect damages from system downtime and recovery operations
- Remediation costs incurred by victim organizations
- Lost productivity during incident response
- Data breach notification expenses and regulatory fines
- Undocumented payments made to threat actors

## Background: GandCrab and REvil's Reign


To understand the significance of Shchukin's apprehension, it is essential to recognize the destructive legacy of both ransomware operations.

### GandCrab: The Original RaaS Pioneer

GandCrab emerged in early 2018 and quickly established itself as one of the first highly successful ransomware-as-a-service operations. Rather than conducting attacks independently, the operation functioned as a platform, offering ransomware code and infrastructure to affiliated attackers in exchange for a percentage of ransom payments, typically 30%.

GandCrab's impact was immediate and widespread:

- Hundreds of organizations across government, healthcare, finance, and critical infrastructure sectors were targeted
- The operation reportedly generated tens of millions of dollars in ransom payments
- The malware was notably aggressive in its extortion tactics and ransom demands
- Victims ranged from small local businesses to large multinational corporations

The operation officially ceased activities in 2019, with operators claiming to have earned sufficient profits and citing law enforcement pressure as a motivating factor.

### REvil: The Successor

REvil (also known as Sodinokibi) emerged in 2019 and essentially inherited GandCrab's infrastructure, code, and affiliate network. REvil became even more aggressive and profitable than its predecessor:

- Scale of operations: REvil was estimated to have extracted over $100 million in ransom payments
- High-profile victims: The operation targeted major corporations including JBS Foods, Kaseya, and numerous critical infrastructure providers
- Double extortion tactics: REvil pioneered the practice of stealing data before encryption, then threatening to publish sensitive information if ransoms weren't paid
- Sophisticated attacks: REvil demonstrated advanced technical capabilities, including supply chain compromises and zero-day exploitation

REvil's notoriety peaked in 2021 with the Kaseya attack, which affected thousands of businesses globally through a compromised software update. The operation subsequently went dark following U.S. law enforcement activity and alleged cryptocurrency seizures, though security researchers have observed potential rebranding efforts.


## Technical and Operational Methods

Shchukin's operations employed sophisticated tactics that evolved over the years. Investigators have identified several hallmarks of his approach:

| Tactic | Description |
|--------|-------------|
| Initial Access | Phishing campaigns, vulnerable RDP servers, managed service provider compromises |
| Lateral Movement | Exploitation of unpatched systems and weak credential hygiene |
| Data Exfiltration | Theft of sensitive documents before encryption to force payment |
| Encryption Deployment | Rapid encryption of critical systems to maximize pressure on victims |
| Extortion | Dual-channel threats combining data publication and system restoration denial |

The technical sophistication of REvil's infrastructure included:

- Custom-developed encryption algorithms
- Bulletproof hosting across multiple jurisdictions
- Cryptocurrency laundering mechanisms
- Backup command-and-control infrastructure
- Evasion techniques against security products

## The International Law Enforcement Effort


Shchukin's identification and capture resulted from coordinated efforts spanning multiple agencies and countries. German law enforcement led the investigation in partnership with:

- International law enforcement bodies (Europol, Interpol)
- U.S. federal agencies (FBI, Cybersecurity and Infrastructure Security Agency)
- Other national cybercrime units
- Private cybersecurity firms that provided intelligence and forensic analysis

The investigation reportedly involved:

- Cryptocurrency analysis to trace ransom payments through blockchain transactions
- Technical forensics linking attacks to specific infrastructure and malware variants
- Intelligence sharing across borders to build a comprehensive picture of operations
- Undercover operations infiltrating criminal forums and affiliate networks
- OSINT collection correlating public threat intelligence with operational indicators

## Implications for Organizations and the Cybersecurity Landscape


Shchukin's apprehension carries important implications:

For Ransomware Operations: The arrest demonstrates that even sophisticated cybercriminals operating across borders face meaningful risk of identification and prosecution. This may deter some threat actors and increase operational security burdens on others.

For Victim Organizations: While capturing one operator does not eliminate ransomware threats, it signals that law enforcement is capable of attributing attacks and pursuing perpetrators aggressively.

For Law Enforcement: The arrest validates international cooperation strategies and demonstrates the feasibility of disrupting large-scale cybercriminal enterprises through sustained investigation.

For Cryptocurrency Monitoring: The case underscores how blockchain analysis can connect attackers to their financial proceeds, complicating money laundering efforts.

## Recommendations for Organizations

Organizations should treat this arrest as a reminder that ransomware threats remain persistent. Recommended defensive measures include:

Immediate Actions:

- Audit privileged account access and enforce strong authentication
- Patch all systems with known security vulnerabilities
- Review and harden remote access endpoints (RDP, VPN)
- Segment networks to limit lateral movement

Ongoing Practices:

- Implement continuous monitoring and threat detection
- Maintain immutable backup copies stored offline
- Conduct regular penetration testing and vulnerability assessments
- Develop and test incident response plans
- Provide cybersecurity awareness training to all employees

Threat Intelligence:

- Subscribe to threat intelligence feeds tracking REvil variants and successors
- Monitor for indicators of compromise associated with known REvil campaigns
- Participate in industry information sharing groups

## Conclusion

The apprehension of Shchukin represents a meaningful victory against ransomware operations that caused documented damage exceeding $2 million and likely hundreds of millions more when accounting for indirect costs. While this arrest will not eliminate ransomware as a threat, it demonstrates that international law enforcement is increasingly capable of identifying, attributing, and prosecuting sophisticated cybercriminals. Organizations must view this development as motivation to strengthen defenses and prepare for a landscape where ransomware threats remain persistent despite increased law enforcement activity.