U.S. Sanctions Russian Bulletproof Hosting Service for Supporting LockBit Ransomware Attacks
Last week, the United States, United Kingdom, and Australia announced further action in ongoing efforts to disrupt the LockBit ransomware-as-a-service operation, including jointly designating Zservers for its role in supporting LockBit ransomware attacks and sanctioning two Russian nationals.
LockBit is one of the most widely deployed ransomware variants. The group of the same name was targeted in Operation Cronos, an international law enforcement operation involving agencies in 10 countries. Announced in February 2024, the operation caused significant disruption to the group’s operations at all levels. Infrastructure was seized, including the data leak site and 34 servers in multiple countries, along with cryptocurrency accounts linked to the group. International arrest warrants were issued, and arrests were made. The group recovered but has been operating in a limited capacity ever since.
Efforts to disrupt the group are continuing. Almost a year after Operation Cronos was announced, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the United Kingdom’s Foreign Commonwealth took action against Zservers, a Russia-based bulletproof hosting service (BHS) provider that has been supporting the LockBit operation, including sanctioning two Russian nationals alleged to be administrators for Zservers.
BHS providers market and sell access to specialized servers and other infrastructure that has been developed to evade detection and scrutiny from cybersecurity companies and defy law enforcement attempts at disruption. BHS services are relied upon by ransomware groups and enable attacks on U.S. companies and critical infrastructure. Zservers is headquartered in Barnaul, Russia, and advertises its services on cybercriminal forums. Zservers has provided BHS services to ransomware groups such as LockBit to coordinate and launch ransomware attacks.
In 2022, a warrant was obtained to search the premises of a known LockBit affiliate in Canada. A seized laptop was operating a virtual machine connected to an IP address subleased by Zservers, which was running a programming interface for operating LockBit ransomware. Further law enforcement actions in 2022 and 2023 identified IP addresses and infrastructure purchased from Zservers for use in LockBit ransomware operations. Dutch authorities recently announced that 127 servers run by Zservers were seized in an operation in Amsterdam. Those servers reportedly contained ransomware, botnets, and other malware.
The two individuals sanctioned by the three countries are Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov. The sanctions mean that all property and interests in the property of those two individuals that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Further, any entities owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Any financial institutions or other persons that engage in certain transactions with the sanctioned entities and individuals may expose themselves to sanctions or enforcement actions, the penalties for which can be severe.
“Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” said Bradley Smith, acting undersecretary of the Treasury for terrorism and financial intelligence. “Today’s trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security.”