Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab
An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.
Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly 2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.

Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Kravchuk, alleged leaders of the GandCrab and REvil ransomware groups.
Germany’s BKA said Shchukin acted as the head of GandCrab and REvil, two of the largest ransomware groups operating worldwide, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.
Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.
The GandCrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The GandCrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.
On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”
The REvil ransomware affiliate program materialized around the same time as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.
UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.
“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”
As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:
“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”
“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”
REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.
Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.
Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.
“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”
There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.
A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.
Update, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchukin is mentioned at around 24:25).
Apple Introduces Age Checks for iPhone Users in the UK

Apple Age Verification UK: How Users Confirm Age
As part of the Apple age verification UK rollout, users can confirm their age through multiple methods. Apple may use existing account information, such as whether a credit card is already linked to the account or how long the account has been active, to help determine if a user is an adult. Users also have the option to add a credit card to confirm their age or scan a government-issued ID, such as a driver’s license or national ID. Apple has stated that credit card details or ID documents are not stored unless users choose to save them for other purposes, such as adding a payment method. To complete the process, users must update their device to the latest software version and follow prompts in the Settings app. If they choose not to confirm immediately, they will continue to see a notification in Settings prompting them to complete the process later. If verification cannot be completed on the device, Apple requires users to use approved methods such as a driver’s license, national ID, or a credit card. Debit cards, gift cards, and passports are not supported, although a Digital ID in Apple Wallet created using a U.S. passport may be accepted in some cases.
Impact on Child Online Accounts
The Apple age verification UK changes also affect how minors use Apple services. In the UK, children under 13 cannot create an Apple Account without parental consent and must be part of a Family Sharing group. In such cases, a parent or guardian who has confirmed their age may be required to approve certain actions, including app downloads or changes to safety settings. Depending on the region, some features may not be available to users until they turn 18. Apple has also noted that age requirements for child accounts vary across countries, with thresholds ranging from under 13 in most regions to higher limits in others.
Regulatory Push on Child Online Safety
The rollout of Apple age verification UK comes as UK regulators increase scrutiny on how platforms enforce age restrictions. The Information Commissioner’s Office (ICO) and Ofcom have asked major platforms to outline how they plan to strengthen child safety protections, particularly in preventing children under 13 from accessing services meant for older users. The UK government is also considering additional measures, including potential restrictions on social media use for younger users and pilot programs to test new regulatory approaches. Several European countries have announced or are considering similar steps. Ofcom has stated that many platforms are not effectively enforcing minimum age requirements, with children continuing to access services despite age restrictions. The regulator has called on companies to implement stronger measures, including effective age checks, improved protections against grooming, safer content feeds, and proper assessment of new product features before they are introduced.
Dame Melanie Dawes, Ofcom Chief Executive, said: “These online services are household names, but they’re failing to put children’s safety at the heart of their products. There is a gap between what tech companies promise in private, and what they’re doing publicly to keep children safe on their platforms.
“Without the right protections, like effective age checks, children have been routinely exposed to risks they didn’t choose, on services they can’t realistically avoid. That must now change quickly, or Ofcom will act.”
Growing Focus on Enforcement
The Apple age verification measures align with broader enforcement efforts under the UK’s online safety framework. Ofcom has written to major platforms, including Facebook, Instagram, Roblox, Snapchat, TikTok, and YouTube, requiring them to demonstrate how they will enforce minimum age rules and improve child safety protections. Platforms have been given deadlines to respond, after which Ofcom will assess their actions and determine whether further regulatory steps are necessary. The regulator has also indicated it is prepared to take enforcement action if companies fail to meet expectations. The introduction of age verification at the device and account level reflects increasing emphasis on ensuring that age restrictions are applied more consistently across digital services, particularly where children may be exposed to adult content or features.
Does the UK really want to ban VPNs? And can it be done?
The idea of a “Great British Firewall” makes for a catchy headline, but it would be riddled with holes and cause huge problems.
The Guardian reports that the GCHQ (Government Communications Headquarters), a UK intelligence, security, and cyber agency, is exploring the idea of a British firewall offering protection against malicious hackers. It falls within its remit, but one of the measures reportedly discussed—banning VPN software—raises practical and technical questions.
Here’s what you actually need to know, and why you shouldn’t panic about your VPN just yet.
- There are no current plans on the statute books to ban VPNs for everyone. Ministers and regulators explicitly acknowledge VPNs as lawful services with legitimate uses.
- The current political focus is on “online safety”, especially kids accessing porn and harmful content, and how VPNs can undermine the Online Safety Act’s age‑assurance and filtering regime.
- The latest move is an online‑safety consultation that explicitly mentions “options to age-restrict or limit children’s VPN use where it undermines safety protections”, not an outright nationwide ban.
So what may happen is tighter controls around minors, and perhaps pressure on app stores and platforms, rather than a blanket prohibition for adults.
Options
Technically speaking, these are some of the measures available to address VPNs bypassing geo-blocking and local legislation.
- App‑store and download pressure: Require Apple/Google to hide or age‑gate VPN apps for UK accounts, or block listing of some consumer VPNs. This raises friction for non‑technical users but is trivial to route around (sideloading where possible, non‑UK stores, manual configs).
- Commercial provider lists: Buy accounts at popular VPNs, enumerate exit IP ranges, and require ISPs or certain sites (e.g. porn sites) to block those IPs. This can catch a large chunk of mainstream VPN traffic but is high‑maintenance and easy to evade with IP rotation, residential proxies, self‑hosted VPNs, and lesser‑known services.
- Targeted site‑level blocking of VPNs: Require certain categories of sites (e.g. adult sites) to reject traffic that appears to come from VPN IPs, an idea already floated by some experts as more likely than an outright technology ban. That still leaves VPNs usable for everything else, including general browsing and work.
- Age‑based device/network controls: Mandate school networks, child‑oriented devices, or parental control routers to block known VPN endpoints and app traffic, as media regulator Ofcom and others have suggested may be possible at the home‑router level. Again, this targets minors rather than adults and is only as strong as the weakest network they connect to (a friend’s Wi‑Fi, mobile hotspot, etc.).
All of these are “making it harder” tactics rather than a hard technical kill switch.
Why a watertight VPN ban is essentially impossible
To comprehensively block VPNs, the government would need to require internet providers to inspect traffic, restrict apps from app stores, and attempt to cut off access to thousands of VPN servers worldwide. That would be a massive, expensive, and deeply complicated undertaking—and it still wouldn’t work.
Problem 1: VPNs are basically invisible
Modern VPNs are designed to look very similar to normal web browsing. When you load a website over HTTPS (the padlock in your browser) and when you connect to a VPN, the traffic flowing through your internet connection looks almost identical. Reliably telling them apart is a bit like trying to spot which cars on a motorway are taxis versus private vehicles based solely on their tire tread patterns at motorway speed, for every car, in real time. You’d end up accidentally blocking huge amounts of perfectly ordinary internet traffic in the attempt.
Problem 2: Too many legitimate users depend on VPNs
VPNs aren’t just for privacy-conscious consumers. They’re how millions of people securely connect to their workplace from home. The NHS (the UK’s National Health Service) uses them for remote access. Journalists use them to protect sources. Researchers use them to access academic resources. Any serious enforcement effort would have to grapple with the risk of collateral damage to businesses and public services.
Problem 3: The ban would be trivially easy to bypass
Even if the government successfully blocked every major commercial VPN app and service, technically skilled users could simply rent a cheap server anywhere in the world and set up their own private tunnel in under ten minutes. There are also tools designed to evade exactly this kind of blocking, disguising encrypted traffic as ordinary web activity.
We know this because Russia has been trying to block VPNs for years, using the full weight of state enforcement behind it. But VPN usage in Russia has surged, not declined. Blocked services pop up under new names and addresses and new tools emerge overnight. This track record suggests that long-term, comprehensive suppression is difficult, even with aggressive powers of enforcement.
What does this actually mean for UK citizens?
The government can probably make consumer VPN use slightly more inconvenient, removing apps from UK app stores, for instance, or creating legal grey areas for certain uses. But a genuine, technical ban on VPN software and encrypted connections is not realistically achievable without causing serious collateral damage to the UK’s digital economy and the millions of people who depend on this technology for entirely legitimate reasons.
Don’t ditch your VPN. The Great Firewall of Great Britain isn’t coming. And if it tried, it would have more holes than a fishing net.
Hat tip to Stefan Dasic and the Malwarebytes VPN team for their invaluable input.
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.
Microsoft Patch Tuesday, December 2025 Edition
Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024. According to Satnam Narang at Tenable, this year marks the second consecutive year that Microsoft patched over one thousand vulnerabilities, and the third time it has done so since its inception.
The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions. The weakness resides in a component called the “Windows Cloud Files Mini Filter Driver” — a system driver that enables cloud applications to access file system functionalities.
“This is particularly concerning, as the mini filter is integral to services like OneDrive, Google Drive, and iCloud, and remains a core Windows component, even if none of those apps were installed,” said Adam Barnett, lead software engineer at Rapid7.
Only three of the flaws patched today earned Microsoft’s most-dire “critical” rating: Both CVE-2025-62554 and CVE-2025-62557 involve Microsoft Office, and both can be exploited merely by viewing a booby-trapped email message in the Preview Pane. Another critical bug — CVE-2025-62562 — involves Microsoft Outlook, although Redmond says the Preview Pane is not an attack vector with this one.
But according to Microsoft, the vulnerabilities most likely to be exploited from this month’s patch batch are other (non-critical) privilege escalation bugs, including:
- CVE-2025-62458 — Win32k
- CVE-2025-62470 — Windows Common Log File System Driver
- CVE-2025-62472 — Windows Remote Access Connection Manager
- CVE-2025-59516 — Windows Storage VSP Driver
- CVE-2025-59517 — Windows Storage VSP Driver
Kev Breen, senior director of threat research at Immersive, said privilege escalation flaws are observed in almost every incident involving host compromises.
“We don’t know why Microsoft has marked these specifically as more likely, but the majority of these components have historically been exploited in the wild or have enough technical detail on previous CVEs that it would be easier for threat actors to weaponize these,” Breen said. “Either way, while not actively being exploited, these should be patched sooner rather than later.”
One of the more interesting vulnerabilities patched this month is CVE-2025-64671, a remote code execution flaw in the GitHub Copilot plugin for JetBrains, an AI-based coding assistant that is used by Microsoft and GitHub. Breen said this flaw would allow attackers to execute arbitrary code by tricking the large language model (LLM) into running commands that bypass the user’s “auto-approve” settings.
CVE-2025-64671 is part of a broader, more systemic security crisis that security researcher Ari Marzuk has branded IDEsaster (IDE stands for “integrated development environment”), which encompasses more than 30 separate vulnerabilities reported in nearly a dozen market-leading AI coding platforms, including Cursor, Windsurf, Gemini CLI, and Claude Code.
The other publicly disclosed vulnerability patched today is CVE-2025-54100, a remote code execution bug in Windows PowerShell on Windows Server 2008 and later that allows an unauthenticated attacker to run code in the security context of the user.
For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS Internet Storm Center. As always, please leave a note in the comments if you experience problems applying any of this month’s Windows patches.
Analysis of Counter-Ransomware Activities in 2024
The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.
- RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that helps extract ransom payments from their victims.
- Cryptocurrency enables cybercriminals to receive funds from victims around the world without the option to freeze or refund them due to the immutable nature of the virtual funds.
- Safe havens are countries that permit cybercriminals to launch attacks without immediate fear of arrest, enabling them to earn vast fortunes through ransomware campaigns.
With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.
A podcast version of this blog is also available here.
Ransomware Operator Arrests and Sanctions
During 2024, there were significant disruption operations by law enforcement and financial authorities targeting individuals behind ransomware campaigns (see the Table below). The main focus of 2024 for Western law enforcement was squarely on the LockBit RaaS and its affiliates, as it was the largest and highest-earning ransomware operation to date.
Several key players of the ransomware ecosystem were arrested, including the main developer of LockBit ransomware. Interestingly, Russian law enforcement also decided to arrest ransomware threat actors located in Moscow and Kaliningrad as well.
| Month | Group(s) | Law Enforcement Activity |
|---|---|---|
| February 2024 | SugarLocker, REvil | Russian authorities identified and arrested three alleged members of a ransomware gang called SugarLocker in Moscow. |
| February 2024 | LockBit | The LockBit leak site was seized. Two LockBit affiliates were arrested in Poland and Ukraine. Up to 28 servers belonging to LockBit were taken down. |
| February 2024 | LockBit | Two Russian nationals, Ivan Kondratiev and Artur Sungatov, were sanctioned by the US Treasury for being affiliates of LockBit, among other RaaS. |
| May 2024 | LockBit | Dmitry Khoroshev, the administrator and developer of LockBit was sanctioned by the US Treasury. |
| May 2024 | IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, TrickBot | European police took down malicious spam botnets that support ransomware campaigns. This resulted in 4 arrests (1 in Armenia and 3 in Ukraine), over 100 servers and 2,000 domains being seized. One of the main suspects earned €69 million by renting out infrastructure sites to deploy ransomware. |
| June 2024 | Conti, LockBit | A Ukrainian national was arrested for supporting Conti and LockBit ransomware attacks as a crypter developer. |
| August 2024 | Reveton, RansomCartel | Maksim Silnikau, a Belarusian national, was arrested in Spain for running Reveton and RansomCartel. |
| August 2024 | Karakurt, Conti | Deniss Zolotarjovs, a Latvian national was arrested and extradited to the US from Georgia for running the Karakurt data extortion gang linked to Conti. |
| October 2024 | Evil Corp, LockBit | The UK, alongside the US and Australia, has sanctioned 16 members of Evil Corp, including Aleksandr Ryzhenkov, Viktor Yakubets, and Eduard Benderskiy. |
| November 2024 | Phobos | Evgenii Ptitsyn, a Russian national, was arrested and extradited to the US from South Korea for running the Phobos ransomware gang. |
| December 2024 | LockBit | Rostislav Panev, a dual Russian and Israeli national, was arrested in Israel for developing LockBit ransomware. |
| December 2024 | LockBit, Babuk, Hive | Mikhail “Wazawaka” Matveev was arrested in Russia for violating domestic laws against the creation and use of malware. He was fined and had his cryptocurrency seized and is awaiting trial. |
The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged a law enforcement takedown by putting up a fake seizure notice as part of an exit scam in March 2024, after the attack on UnitedHealth.
Following these disruptions, some affiliates have migrated to less effective strains or launched their own strains. This includes Akira and RansomHub at the top of the list, as well as Hunters International and PLAY.
Cryptocurrency Exchanges Disrupted
During 2024, law enforcement seized funds from and sanctioned a number of cryptocurrency exchanges and individuals running payment processors using cryptocurrency (see the Table below).
One of the most interesting disclosures this year came from the UK National Crime Agency (NCA) around Operation Destabilise. The NCA linked payments to ransomware gangs to money laundering networks used by Russian oligarchs to covertly purchase property, and by Russia Today, the state-run media organization, to covertly fund pro-Russia foreign entities.
Another notable investigation in 2024 was when the US Treasury sanctioned more Russian cryptocurrency exchanges, such as PM2BTC and Cryptex, which led to money launderers who facilitate the cashing out of ransom payments being arrested by Russian law enforcement.
| Month | Exchange(s) | Law Enforcement Activity |
|---|---|---|
| August 2024 | Cryptonator | The US Justice Department indicted Russian national Roman Pikulev and Cryptonator, which processed a total of $1.4 billion in transactions, of which $8 million were ransom payments. Cryptonator also has ties to other sanctioned entities including Blender, Hydra Market, Bitzlato, and Garantex, among others. |
| September 2024 | PM2BTC, Cryptex, UAPS | FinCEN identified PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. This was alongside Cryptex and Sergey Sergeevich Ivanov, a Russian national, who is associated with UAPS and PinPays, as well as Genesis Market. Cryptex also facilitated more than $115 million of proceeds from ransomware payments. |
| September 2024 | 47 exchanges | In Operation Final Exchange, German federal police (BKA) shut down 47 cryptocurrency exchange services that ransomware gangs use that operated without requiring registration or identity verification. |
| October 2024 | Cryptex, UAPS | Russian authorities have arrested nearly 100 suspected cybercriminals linked to the anonymous payment system UAPS and the cryptocurrency exchange Cryptex. |
| November 2024 | Smart, TGR Group | The NCA uncovered a Russian money-laundering network operated by two companies called Smart and TGR Group as part of Operation Destabilise that involved UK-based cash-to-crypto networks that laundered Ryuk ransom payments as well as the money of Russian oligarchs and Russia Today. |
Safe Havens Enabling Ransomware
While ransomware is a global problem, there are only a few countries that are to blame for this rapid expansion of the ransomware ecosystem. The state that is blamed the most for preventing many ransomware operators from facing justice is Russia. There are explicit rules posted to Russian-speaking cybercrime forums that state as long as members avoid targeting Russia and the Commonwealth of Independent States (CIS), they are free to operate.
The Russian ransomware safe haven theory was further proven following sanctions levied against Evil Corp by the UK, US, and Australia. One of the sanctioned men connected to Evil Corp was Eduard Benderskiy, a former Russian federal security service (FSB) official. Benderskiy is reportedly the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime group responsible for multiple ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker. In total, Evil Corp has reportedly extorted at least $300 million from victims globally, according to the UK NCA. It is now clear that Evil Corp has protection from a highly connected Russian FSB official who has also been involved in multiple overseas assassinations on behalf of the Kremlin, according to Bellingcat investigators.
While a number of ransomware operators were arrested in 2024 and some were extradited to the US, the work done by law enforcement specializing in cybercrime was put in the spotlight during the August 2024 prisoner swap. Multiple countries decided to release cybercriminals, spies and an assassin as part of a historic prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated the release of 16 people from Russia, including five Germans as well as seven Russian citizens who were political prisoners in their own country.
Notably, from a cybercrime intelligence perspective, the Russian nationals released from the West included the infamous cybercriminals Roman Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced in 2023 to nine years in US prison after he was caught in a $93 million stock market cheating scheme that involved hacking into US companies for insider knowledge. The other cybercriminal, Seleznev, was sentenced to 27 years in prison in 2017 for stealing and selling millions of credit card numbers from 500 businesses using point-of-sale (POS) malware and causing more than $169 million in damage to small businesses and financial institutions, including those in the US.
In 2024, we saw several more Russian nationals get extradited to the US after being arrested by law enforcement in the country they were residing in. This includes the Phobos operator living in South Korea and the LockBit developer living in Israel. This follows others arrested in previous years, such as a TrickBot developer arrested in South Korea as well as the two LockBit affiliates extradited to the US. There is a potential that these Russian nationals involved in ransomware could be used in prisoner exchanges in the future.
Further, another curious trend in 2024 was that some Russians inside Russia, which is firmly considered a safe haven for ransomware gangs, did get arrested. This includes the SugarLocker operators arrested in Moscow and the LockBit affiliate Wazawaka who was arrested in Kaliningrad. This is alongside the money launderers arrested around Russia linked to the Cryptex exchange.
The arrests of Russian nationals in Russia for ransomware activities appear to be more symbolic than a true crackdown on this type of activity. This is because there are several dozen Russian-speaking ransomware gangs that continue to operate, as well as a plethora of other types of cybercrime in the Russian-speaking underground.
Outlook
In 2024, there was a lot of significant action by law enforcement to shake up the ransomware economy. One of the main successes of the notable Operation Cronos action taken against LockBit was the sowing of distrust and disharmony in the ransomware ecosystem. Despite the admins of LockBit trying to recover, their reputation and army of affiliates have been smashed.
Many of the Russian law enforcement activities could be related to the costs of the Russian invasion of Ukraine. Russian authorities seizing funds from the illicit cryptocurrency exchanges could be a way to pay for the war in Ukraine, and they could be recruiting the arrested cybercriminals for offensive cyber operations related to the war. The true motivations of Russian law enforcement for arresting these specific ransomware operators while allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money, or lack the connections in the FSB that Evil Corp has.
Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024 due to the overall number of ransomware attacks lowering, which we should all be thankful for.

