Quick Facts
- Category: Cybersecurity
- Published: 2026-04-30 20:02:03
Introduction
Unmasking the anonymous masterminds behind prolific ransomware gangs is a complex, multi-step process that blends digital forensics, international cooperation, and old-fashioned investigative work. This guide uses the real-world case of "UNKN" — the alias of Daniil Maksimovich Shchukin, who led the GandCrab and REvil ransomware groups — to illustrate how authorities can trace, identify, and prosecute cybercriminals. By following these steps, law enforcement and cybersecurity professionals can apply similar techniques to other ransomware investigations.
What You Need
- Access to underground cybercrime forums (e.g., Russian-language forums where affiliates are recruited)
- Cryptocurrency analysis tools (e.g., blockchain explorers, forensic software)
- International legal channels (e.g., mutual legal assistance treaties, Interpol)
- Digital forensic capabilities (malware analysis, decryption tools)
- Coordination with victims and cybersecurity firms (to gather ransomware samples and ransom notes)
- Legal authorization (search warrants, seizure orders for cryptocurrency wallets)
Step-by-Step Guide
Step 1: Monitor Underground Forums for New Ransomware Gangs
The first sign of a major ransomware operation often appears on cybercrime forums. GandCrab surfaced in January 2018 when its operators posted about an affiliate program. Authorities should monitor such forums for announcements, payment guarantees (like forum escrow), and user handles. In the UNKN case, the leader used the handle UNKN (also UNKNOWN) and later deposited $1 million in escrow to promote the REvil program after GandCrab shut down.
Step 2: Track Affiliate Programs and Double Extortion Tactics
Ransomware groups like GandCrab pioneered double extortion: encrypting files and stealing data, then demanding one ransom for the decryption key and another to prevent data leaks. Investigators should document each attack, noting ransom demands, payment methods (cryptocurrency addresses), and the type of stolen data. The BKA linked Shchukin to at least 130 acts of computer sabotage and extortion in Germany between 2019 and 2021, causing over €35 million in damage.
Step 3: Analyze Cryptocurrency Transactions to Identify Wallets
Cryptocurrency is the lifeblood of ransomware. Investigators must follow the money by tracing payments from victims to public blockchain addresses. In the UNKN case, the U.S. Justice Department filed a seizure action (PDF, Feb. 2023) naming Shchukin’s digital wallet containing over $317,000 in ill-gotten gains. By correlating wallet activity with forum posts or other identifiers, authorities can link a pseudonym to a real person.
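As an added illustration of the "follow the money" step (not code from the original article or from any agency), the Python below walks a constructed, synthetic transaction ledger forward from several victim payment addresses and reports the addresses every victim flow converges on, which is where an investigator would look for the operator's consolidation wallet or exchange cash-out. All addresses and amounts are invented; a real case would load them from a blockchain explorer or forensic tool.

```python
# Added example (not from the original article): "follow the money" over a
# constructed, synthetic ledger. Real cases pull transactions from a blockchain
# explorer or forensic tool; every address and amount here is invented.
from collections import defaultdict, deque

# (from_address, to_address, amount). "victim_*" are victim payment addresses,
# "intake_*"/"hop_*" are operator-side intermediaries, "exchange_deposit" is a
# deposit address already labelled as belonging to an exchange.
SAMPLE_TXS = [
    ("victim_a", "intake_1", 2.0),
    ("victim_b", "intake_1", 1.5),
    ("victim_c", "intake_2", 3.0),
    ("intake_1", "hop_1", 3.5),
    ("intake_2", "hop_1", 2.9),
    ("hop_1", "exchange_deposit", 6.3),
    ("unrelated_user", "exchange_deposit", 0.2),  # noise: not a victim flow
]

def build_graph(txs):
    """Adjacency list: address -> [(next_address, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amt in txs:
        graph[src].append((dst, amt))
    return graph

def trace_forward(graph, start, max_hops=6):
    """Breadth-first walk from `start`; returns {address: hops_to_reach}."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for nxt, _ in graph.get(node, []):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def find_convergence(txs, victims, max_hops=6):
    """Addresses reachable from *every* victim payment, ranked by total
    inflow: candidate consolidation wallets and cash-out points."""
    graph = build_graph(txs)
    reach = [set(trace_forward(graph, v, max_hops)) - {v} for v in victims]
    common = set.intersection(*reach) if reach else set()
    inflow = defaultdict(float)
    for _, dst, amt in txs:
        inflow[dst] += amt
    return sorted(common, key=lambda a: inflow[a], reverse=True)
```

The hop limit matters: without it, a long chain of peel transactions or a busy exchange address can make almost everything appear "connected", so convergence points should always be checked against labelled addresses before being treated as attribution.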
Step 4: Coordinate with International Law Enforcement
Ransomware groups are transnational. Germany’s Federal Criminal Police (BKA) worked with the U.S. Department of Justice to identify Shchukin and his associate Anatoly Sergeevitsch Kravchuk. The BKA published an advisory naming Shchukin as UNKN, providing a real name and age (31 years old, Russian). International warrants and information sharing are critical to building a case.
Step 5: Analyze Malware Code and Operational Patterns
GandCrab shipped five major revisions to its code, each with new features to evade detection. REvil was widely considered a rebranding of GandCrab. Cybersecurity experts and law enforcement can compare code samples, command-and-control infrastructure, and ransom notes to link different ransomware families to the same developers. This pattern matching helped confirm that UNKN led both groups.
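The pattern matching described above, as an added example that is not part of the original article: a small Python scorer that compares ransomware samples on the three artifact types the step names (code features, command-and-control hosts, ransom-note wording) and groups samples whose similarity crosses a threshold. The sample corpus, feature labels and hostnames are all constructed for illustration; the weights and threshold are assumptions an analyst would tune.

```python
# Added example (not from the original article): score how strongly two
# ransomware samples resemble each other across code features, C2 hosts and
# ransom-note wording, then cluster. All data is constructed and invented.
def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def note_shingles(text):
    """Lower-cased word bigrams so lightly reworded notes still overlap."""
    words = [w.strip(".,!:;\"'").lower() for w in text.split()]
    return {(words[i], words[i + 1]) for i in range(len(words) - 1)}

def link_score(s1, s2, weights=(0.4, 0.3, 0.3)):
    """Weighted similarity: code features, C2 hosts, note wording."""
    w_code, w_c2, w_note = weights
    return (w_code * jaccard(s1["code"], s2["code"])
            + w_c2 * jaccard(s1["c2"], s2["c2"])
            + w_note * jaccard(note_shingles(s1["note"]), note_shingles(s2["note"])))

def cluster(samples, threshold=0.35):
    """Single-linkage grouping of samples whose pairwise score >= threshold."""
    parent = {n: n for n in samples}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    names = sorted(samples)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if link_score(samples[a], samples[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), set()).add(n)
    return sorted(groups.values(), key=lambda g: min(g))

# Constructed corpus: "old_v5" and "rebrand_v1" share code traits and note
# phrasing (as a rebrand would); "other_fam" shares nothing with either.
SAMPLES = {
    "old_v5": {"code": {"mutex:gc_lock", "api:CryptGenRandom", "cfg:salsa20"},
               "c2": {"c2-one.example"},
               "note": "All your files are encrypted. Pay the ransom to get the decryptor."},
    "rebrand_v1": {"code": {"mutex:gc_lock", "api:CryptGenRandom", "cfg:salsa20", "cfg:new_ext"},
                   "c2": {"c2-one.example", "c2-two.example"},
                   "note": "All your files are encrypted! Pay the ransom to get the decryptor and the key."},
    "other_fam": {"code": {"cfg:aes256", "api:WriteFile"},
                  "c2": {"c2-three.example"},
                  "note": "Your network has been locked. Contact us via the chat for the price."},
}
```

A high score is a lead, not proof: shared crypto libraries or copied note templates also occur between unrelated groups, so linked clusters still need corroboration from infrastructure registration data or forum activity.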
Step 6: Use Forensic Accounting to Quantify Damage
Victim companies report extortion payments and economic losses. The BKA stated the UNKN gang extorted nearly €2 million in direct payments across two dozen cyberattacks, but the total economic damage exceeded €35 million. Compiling these figures strengthens the prosecution’s case and justifies severe penalties.
Step 7: Exploit Gaps in the Criminals’ Operational Security
Even careful criminals make mistakes. In the GandCrab farewell message (May 31, 2019), the group boasted: “We are a living proof that you can do evil and get off scot-free.” This arrogance, plus the use of escrow funds and interviews (e.g., UNKNOWN spoke to security researcher Dmitry Smilyanets), provided investigators with behavioral clues and possible leads to real-world identities.
Step 8: Issue Public Advisories and Seek Extradition
Once a suspect is identified, law enforcement can publish advisories (like the BKA’s) naming the individual, their aliases, and their role. This public exposure can disrupt their operations and encourage victims to come forward. Authorities then seek extradition or arrest through international channels. In this case, Shchukin was named in a U.S. DOJ filing, signaling that prosecution is likely.
Tips
- Start early: Monitor forums as soon as a new ransomware strain appears. The earlier you track the affiliate program, the more connections you can make.
- Follow the cryptocurrency: Even if criminals change wallets, blockchain analysis can reveal patterns (e.g., same exchange used to cash out).
- Collaborate globally: Ransomware operators often target multiple countries; share intelligence with agencies like Europol, Interpol, and the FBI.
- Don’t overlook psychology: Criminals who brag or give interviews may slip up and reveal personal details.
- Preserve evidence: Ransom notes, decryption tools, and victim reports are all court-admissible evidence.
By applying these steps, law enforcement agencies can systematically dismantle ransomware gangs and bring their leaders to justice, just as Germany and the U.S. did with UNKN.