GandCrab
GandCrab is a ransomware-as-a-service (RaaS) operation first advertised in early 2018. It initially spread through spam emails carrying malicious attachments, and it was one of the first RaaS platforms to operate at large scale, broadening its targeting from individual users toward larger companies and adopting new intrusion vectors such as compromised managed service providers (MSPs), which gave affiliates access to many downstream customers at once.

Reporting cited here states that GandCrab evolved into REvil, also known as Sodinokibi, in 2019, with multiple sources pointing to continuity in code, behaviour, and operations between the two. Both are described as using an affiliate model: the core operators maintained the malware and the extortion infrastructure, while affiliates were responsible for obtaining victims. GandCrab is also described as part of the lineage of double-extortion tradecraft later associated with REvil, in which victims are pressed to pay both for a decryptor and, in the later evolution, for the non-publication of stolen data. Note that the GandCrab-to-REvil link rests on the reporting cited rather than on a public admission by the operators.

German authorities identified alleged Russian nationals Daniil Maksimovich Shchukin, also known as UNKN or UNKNOWN, and Anatoly Sergeevitsch Kravchuk as key figures behind GandCrab and later REvil. BKA reporting cited here says Shchukin acted as head of GandCrab and later REvil from the beginning of 2019 until at least July 2021, while Kravchuk allegedly contributed to the development of the ransomware and of the dark web extortion platform. The operators publicly claimed very large illicit earnings before announcing a shutdown in 2019.
Tradecraft
9 distinct techniques observed across reporting, grouped by tactic.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
A major ransomware-as-a-service operation linked to large-scale extortion against organizations, initially distributed primarily through spam emails, and later evolving into REvil.
Ransomware operation allegedly led by Daniil Maksimovich Shchukin and associated with computer sabotage and extortion.
A ransomware-as-a-service operation first advertised in early 2018 that initially spread via spam emails with malicious attachments and later evolved into REvil.
Ransomware operation active from early 2018, using an affiliate model and conducting extortion attacks. German authorities linked its leadership to Russian nationals and tied them to numerous extortion cases in Germany.