German Police Name REvil and GandCrab Leaders

German authorities say they identified two Russian nationals tied to GandCrab and REvil. Here is the timeline, technical context, and impact.

German police identify REvil and GandCrab ransomware leaders

If you only read one thing: German police say they have identified the people behind two major ransomware crews, sharpening the attribution picture but not removing the operational risk.

As of April 7, 2026, the identification is a law-enforcement claim tied to past operations, not a public shutdown of the threat.

Executive summary

German federal police say they have identified two Russian nationals linked to the leadership of the REvil and GandCrab ransomware operations. The claim covers activity tied to both crews from 2019 through 2021.

That is the core development. It is an attribution step, not a shutdown notice.

The naming of suspects does not mean the threat is gone. It also does not erase the infrastructure, code reuse, or copycat behavior that ransomware groups leave behind.

REvil, also known as Sodinokibi, and GandCrab were among the most watched ransomware operations of their era. Their campaigns showed how quickly extortion crews can shift tactics, reuse tooling, and resurface under new branding.

The German announcement matters because it ties law enforcement findings to specific people, not just to malware names.

For defenders, attribution helps with pattern matching. It can sharpen threat intelligence, support insurer reviews, and improve incident response timelines.

Why does that matter outside law enforcement? Because named actors help analysts connect old incidents to current ones. They also give insurers and response teams a cleaner record when they assess exposure, verify indicators of compromise, and compare extortion notes against known playbooks.

The practical warning is simple. Even when police identify suspects, ransomware risk remains active. Affiliates change, servers move, and leaked data keeps circulating.

Defenders still need backups, logging, segmentation, and tested recovery plans.

For current guidance, Europol’s ransomware guidance and CISA’s Stop Ransomware resources remain useful reference points. They focus on response discipline, not headlines.

That is the right lens here.

Last reviewed: April 7, 2026

Timeline and verified facts

The record starts with GandCrab. German authorities later tied that ransomware line to two Russian nationals, but the public case file only confirms the attribution claim, not a courtroom finding.

GandCrab appeared years before REvil. Security researchers tracked it as one of the most active ransomware operations in circulation, with extortion campaigns that changed over time and a steady affiliate model.

The public timeline matters because it shows the group did not appear overnight. It evolved.

By 2019, investigators say the same operators had moved into REvil, also known as Sodinokibi. That later brand became linked to high-profile intrusions and double extortion.

Files were stolen first. Encryption came after. The name changed, but the business pattern stayed familiar.

German police say the REvil and GandCrab ransomware leaders were two Russian nationals who ran both operations between 2019 and 2021. The public statement places the alleged leadership period across those years and connects the two brands to the same core actors.

It does not, by itself, prove every incident attributed to those crews.

What is confirmed? The Federal Criminal Police Office, or BKA, has publicly named the suspects and described the attribution basis.

What remains alleged? Criminal responsibility in the legal sense. That distinction matters.

Naming is not conviction.

Chronology at a glance

Period | Group name | Verified public fact | Open question
Pre-2019 | GandCrab | Active ransomware operation tracked by researchers | Exact internal leadership chain
2019-2021 | REvil / Sodinokibi | German authorities link the brand to the same suspects | How many attacks map to each operator
Public disclosure | German police identification | BKA names two Russian nationals | Whether charges, extradition, or trial follow

The source trail should stay clear. The BKA announcement is the primary law-enforcement reference, and attribution details may also be reflected in partner reporting or technical write-ups.

For context, the legal and technical records sit apart. Nothing in this timeline changes the evidentiary standard.

That is the limit here. The chronology is public; the legal outcome is not.

For readers tracking the case, the key point is simple: GandCrab came first, REvil followed, and German authorities later identified two alleged leaders across both periods.


Technical angle: how these crews operated

The REvil and GandCrab ransomware leaders ran a familiar enterprise intrusion chain. It started with access, not encryption.

That matters because the blast radius grows long before the ransom note appears.

Attackers usually entered through exposed remote services, stolen credentials, phishing, or a vulnerable edge device. Email still mattered too.

Malicious messages often rode SMTP, the Simple Mail Transfer Protocol defined in RFC 5321, while some campaigns abused webmail or document macros to drop a loader.

From there, the crew needed privilege escalation. They hunted for admin tokens, weak service accounts, unpatched endpoints, and misconfigured remote management tools.

One compromised laptop was rarely enough. The goal was domain-level control.

Common attack stages in a ransomware intrusion

Stage | What it looks like | Typical enterprise surface
Initial access | Stolen login or exploit | VPN, email, RDP, web app
Privilege escalation | Admin rights gained | Endpoint, AD, helpdesk tools
Lateral movement | Spread inside network | File shares, SMB, remote admin
Exfiltration | Data copied out | Cloud sync, SFTP, HTTPS

Once inside, lateral movement came next. SMB, the Server Message Block protocol, was a common path for shared drives and remote file access.

Attackers also used remote administration tools, PsExec-style execution, and directory services abuse to move from one host to another without triggering obvious alarms.

Then came data theft. That is the double extortion model in plain terms: copy sensitive files out first, then encrypt local systems and demand payment for both decryption and silence.

In our assessment, this was the real pressure point. Even a clean backup did not remove the leak risk.

For transport, they often favored ordinary-looking channels. HTTPS, which is HTTP carried over TLS, blended into normal traffic.

So did SFTP for bulk transfers. A VPN gateway could help attackers hide behind a valid login, especially if the organization used weak MFA or reused credentials.

IPsec VPNs rely on Internet Key Exchange version 2, documented in RFC 7296, but the protocol is only as safe as the account behind it.

Why is attribution still hard when police name suspects or seize infrastructure? Because infrastructure is disposable.

Operators rotate servers, domains, wallets, and affiliates. One crew may rent access from another.

Logs disappear. Encryption hides content. And the criminal brand can outlive the people who built it.

That is why technical attribution and legal attribution rarely move at the same speed. The malware family, the leak site, and the payment path may line up.

The human chain behind them is harder to prove.

Impact on users and organizations

For IT teams and security operations centers, a named suspect list can sharpen triage. It helps analysts map indicators, compare intrusion paths, and decide whether an incident looks like a known affiliate pattern or a new operator.

That saves time. It also reduces guesswork during the first hours of containment.

Does that mean the risk drops? No.

The ransomware still behaves the same on the endpoint and across the network. If a victim has exposed remote access, weak MFA, or stale admin accounts, the danger remains immediate.

In our assessment, attribution mainly improves prioritization and evidence handling.

For remote workers, the practical effect is narrower but still real. Home devices, personal routers, and reused passwords can become the first foothold.

Once attackers land, they often move toward the same shared services that office staff use. That makes identity hygiene and device patching a business issue, not just an IT issue.

The takeaway is simple: attribution helps you judge which controls failed, but it does not change which controls you need to fix.

Small and midsize businesses feel the pressure quickly. They usually have fewer analysts, thinner backups, and less room for long outages.

A police statement may support insurance, legal, or board reporting, but it will not reduce downtime by itself. The same is true for large enterprises, although the stakes are wider: more subsidiaries, more vendors, more logs to preserve.

Managed service providers face a different problem. One compromise can touch many customers at once.

That means faster coordination with law enforcement, tighter scope checks, and cleaner customer notices. It also means separating what is confirmed from what is still under review.

Panic helps no one.

Attribution can also shape communications. Security teams may tell staff that a known criminal group is involved, while avoiding claims they cannot prove.

Customer notices should name the service impact, the data category under review, and the steps taken so far. Keep the message factual.

People notice when wording drifts.

For law-enforcement coordination, the value is evidence sharing. Case naming can link victims, wallet clusters, and infrastructure reuse across borders.

It can also support arrests, sanctions work, and future takedown planning. The limits are just as clear.

A named leader does not end affiliate activity, and it does not rule out copycat crews.

That is why risk decisions should stay operational. Patch exposed systems. Review privileged access. Test restores.

Preserve logs. And if you need a public statement, keep it narrow and accurate.

The label matters. The response matters more.


Mitigation and diligence

Attribution should not slow containment. If systems are encrypted or exposed, isolate them, preserve volatile evidence, and start recovery work at once.

The practical controls are familiar, but they need discipline. Validate backups by restoring them, not by checking a green dashboard.

A backup that has not been tested is a hope, not a control.
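An added example, not code from the article or from any agency it cites: a restore test that treats a backup as verified only when every file comes back out of the archive with the hash recorded at backup time. The tar-plus-manifest layout, the hypothetical function names and the constructed sample files are all assumptions.

```python
import hashlib, json, tarfile, tempfile
from pathlib import Path

def sha256_of(path):
    """Digest of one file; the manifest stores this per file at backup time."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(src, archive):
    """Archive src and write a manifest (relative path -> sha256) beside it."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest))
    return manifest

def restore_and_verify(archive, manifest):
    """Restore into scratch space and check every file against the manifest.
    Returns (ok, problems): the list a green dashboard never shows you."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # use the safe extraction filter where this Python version has it
            kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kw)
        for rel, digest in manifest.items():
            target = Path(scratch, rel)
            if not target.is_file():
                problems.append("missing: " + rel)
            elif sha256_of(target) != digest:
                problems.append("corrupt: " + rel)
    return (not problems, problems)

def demo():
    """Constructed run: the first backup verifies; a later one, taken after one
    file was silently corrupted and another deleted, fails the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data"); (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes" / "a.txt").write_text("restore me")
        manifest = make_backup(src, Path(work, "good.tgz"))
        ok_good, _ = restore_and_verify(Path(work, "good.tgz"), manifest)
        (src / "ledger.csv").write_bytes(b"\x00" * 16)   # silent corruption
        (src / "notes" / "a.txt").unlink()                # accidental deletion
        make_backup(src, Path(work, "bad.tgz"))
        ok_bad, problems = restore_and_verify(Path(work, "bad.tgz"), manifest)
        return ok_good, ok_bad, sorted(problems)
```

Calling demo() returns (True, False, ['corrupt: ledger.csv', 'missing: notes/a.txt']): the second backup looks complete on disk but cannot restore the data the manifest promised.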

Identity hardening deserves equal weight. Use multifactor authentication on remote access, admin accounts, and cloud consoles.

Prefer phishing-resistant methods where possible. For password policy and session handling, align with the spirit of RFC 8252 for native apps and RFC 6819 for OAuth threat awareness when those systems are in scope.

Patch priority should follow exposure, not convenience. Internet-facing services, remote management planes, and systems with known exploit chains go first.

Then move to endpoints that hold credentials or can reach backups. Delay here, and ransomware crews often get a second shot.

If a system can reach backups, it can usually reach more than backups. Segment it harder than you think you need.

Segmentation should limit lateral movement. Separate user workstations, server tiers, backup networks, and administrative paths.

Restrict east-west traffic with allow lists, not broad trust. In our assessment, this is where many recoveries still fail: the initial infection is contained, but the operator keeps moving inside the network.

Logging needs to survive the incident. Forward authentication logs, EDR alerts, VPN events, and domain controller records to a system the attacker cannot easily alter.

Keep clock sync tight. If you cannot reconstruct the timeline, you cannot trust the cleanup.
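As an added example that is not from the article or the agencies it cites, the script below does what the logging paragraph and the stage table in the technical section describe: it pulls constructed log lines from several hosts whose clocks disagree, corrects them against a measured offset, sorts them, and labels each event with a stage. Host names, skew values, the log line format and the stage keywords are all assumptions.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed offsets: seconds each source clock runs ahead of the NTP reference.
# Without correcting them, the SMB events sort before the logon that enabled them.
CLOCK_SKEW = {"vpn-gw": 0, "dc01": 95, "fileserver": -40, "proxy": 0}

# Keyword in the message -> stage, following the stage table in the article.
STAGES = [
    ("vpn login", "Initial access"),
    ("special privileges assigned", "Privilege escalation"),
    ("admin share", "Lateral movement"),
    ("service installed", "Lateral movement"),
    ("https upload", "Exfiltration"),
]
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # "<local-time> <host> <message>"

def parse(line):
    """Return (corrected UTC time, host, message) for one constructed log line."""
    ts, host, msg = LINE_RE.match(line).groups()
    local = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return local - timedelta(seconds=CLOCK_SKEW.get(host, 0)), host, msg

def classify(msg):
    """Map one message to an intrusion stage; unknown events stay visible."""
    low = msg.lower()
    return next((s for key, s in STAGES if key in low), "Unclassified")

def reconstruct(lines):
    """Events sorted by corrected UTC time, each tagged with its stage."""
    events = sorted(parse(l) for l in lines)
    return [(t.isoformat(), host, classify(msg)) for t, host, msg in events]

def stage_sequence(lines):
    """Ordered stages observed, adjacent duplicates collapsed, to show the chain."""
    seq = []
    for _, _, stage in reconstruct(lines):
        if stage != "Unclassified" and (not seq or seq[-1] != stage):
            seq.append(stage)
    return seq

SAMPLE_LOGS = [  # constructed; timestamps are in each host's own (skewed) clock
    "2026-04-01T02:10:30 dc01 Special privileges assigned to new logon svc_backup",
    "2026-04-01T02:08:00 vpn-gw VPN login user=jdoe src=198.51.100.7 mfa=none",
    "2026-04-01T02:09:00 fileserver Admin share ADMIN$ accessed from 10.0.5.12",
    "2026-04-01T02:12:00 fileserver Service installed PSEXESVC by svc_backup",
    "2026-04-01T02:40:00 proxy HTTPS upload 1.8 GB to 203.0.113.9 by 10.0.5.12",
]
```

Sorting the raw timestamps would place the file-server share access ahead of the domain-controller privilege event; after correction, stage_sequence(SAMPLE_LOGS) yields Initial access, Privilege escalation, Lateral movement, Exfiltration, the order the stage table describes.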

Write the incident playbook before the crisis. Include who can disconnect segments, who approves restore decisions, how evidence is preserved, and when legal or law-enforcement contacts are made.

Map those steps to ISO/IEC 27035 and to the logging guidance in RFC 5424 where syslog is used.

The data suggests one simple rule. Do the boring work early, while the network is still intact.

That is how you shorten downtime, protect evidence, and keep a named group from becoming a fresh breach.


Readers often ask

Readers often ask: what does attribution of the REvil and GandCrab ransomware leaders mean?

Attribution means investigators believe they have linked a campaign to named people or a known group. In this case, the German Federal Criminal Police Office, or BKA, is publicly tying the REvil and GandCrab ransomware leaders to specific suspects. That does not stop the malware by itself. It also does not recover stolen files or money.

Readers often ask: how does law-enforcement attribution affect ransomware response?

It can improve intelligence sharing and help build warrants, sanctions cases, and cross-border cooperation. That matters because ransomware crews often move infrastructure and money through several countries. But attribution does not replace the basics. Teams still need containment, credential resets, backup checks, and forensic review.

Readers often ask: why does the BKA identification matter now?

It adds public detail to a long-running extortion case tied to REvil and GandCrab. The data suggests investigators are still connecting older campaigns to current threat intelligence. That can help defenders map infrastructure, tactics, and historical indicators. It also gives incident responders more context when they review past alerts.

Readers often ask: is it safe when the operators are named publicly?

No. Public naming does not mean the ecosystem is gone. Affiliates, copycats, and related infrastructure can still be active. Treat any matching indicators, remote access abuse, or suspicious encryption activity as live risk, even after a public attribution.

Readers often ask: what should IT teams verify first in light of the REvil and GandCrab attribution?

Start with backups, privileged accounts, remote access logs, and any exposed services. Check whether recovery copies are offline and intact. Then review incident response contacts, evidence retention, and restoration steps. In our assessment, those checks matter more than the headline itself.

Readers often ask: how does GandCrab fit into the REvil and GandCrab leaders case?

GandCrab is the earlier ransomware family linked to the same broader criminal ecosystem. REvil later became one of the better-known extortion brands in that line of activity. The naming matters because it helps analysts connect older cases with newer ones. That can improve hunting and case correlation.

Readers often ask: how does REvil fit into the REvil and GandCrab leaders case?

REvil is the ransomware brand that drew major attention for large-scale extortion and data theft. If investigators identify leaders behind it, they are tying the brand to people, not just code. That can help with evidence collection and long-term case building. It does not mean the threat has disappeared.

Readers often ask: does this change everyday risk for home users?

Not much in the short term. Public attribution is useful for investigators, but it does not remove phishing, stolen passwords, or exposed remote access from the threat picture. Home users should still use unique passwords, multi-factor authentication, and offline backups. Public Wi-Fi is not the main issue here. Weak account security is.
