
The US, the UK, and Australia have imposed sanctions on Russian hosting provider Zservers, citing its role in facilitating ransomware operations. The coordinated action, announced by the US Treasury Department, targets the company, two of its administrators, and a UK-based front company. Authorities claim Zservers provided infrastructure used by LockBit, a ransomware group responsible for multiple cyberattacks.
Headquartered in Barnaul, Russia, Zservers is accused of offering bulletproof hosting (BPH) services, which allow cybercriminals to evade detection by law enforcement. These services include leasing IP addresses, servers, and networking tools that ransomware groups use to conduct attacks. Investigations indicate that Zservers’ infrastructure has been used by affiliates of LockBit and other ransomware operators, including those deploying Dharma, Hive, VoidCrypt, and Venus ransomware.
“Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley Smith. “Today’s trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security.”
In a 2022 law enforcement operation, Canadian authorities identified a LockBit affiliate using a Zservers-leased IP address to control ransomware. The following year, a Russian cybercriminal allegedly purchased IP addresses from Zservers, which were then used as LockBit chat servers to coordinate ransomware operations.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the UK’s Foreign, Commonwealth & Development Office (FCDO), and Australia’s Department of Foreign Affairs and Trade (DFAT) coordinated the sanctions. Authorities have designated two Russian nationals, Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, as key administrators of Zservers. XHOST Internet Solutions, a UK-registered entity, has also been sanctioned for its alleged connection to Zservers’ activities. The sanctions freeze all US-based assets linked to the designated individuals and entities. US regulations now prohibit financial transactions involving them unless explicitly authorised.
LockBit’s cyberattacks and international crackdowns
LockBit has been linked to several high-profile cyber incidents. One of the most significant was the November 2023 ransomware attack on the Industrial and Commercial Bank of China’s US broker-dealer division. Operating under a ransomware-as-a-service (RaaS) model, LockBit provides its malware to affiliates who then execute attacks in exchange for a share of the ransom payments.
The latest sanctions follow a broader effort to dismantle ransomware networks. In February 2024, a joint operation by the US Department of Justice, the FBI, the UK’s National Crime Agency, and Europol targeted LockBit’s infrastructure. This action resulted in the seizure of servers and websites linked to the group, limiting its ability to carry out further attacks. Authorities also identified financial transactions associated with LockBit, tracking more than $200m in Bitcoin transactions linked to the group since 2022. According to investigators, over $110m remains unspent on-chain.
In May 2024, the US and the UK announced additional measures against LockBit’s leadership. Authorities named Dmitry Yuryevich Khoroshev, known as “LockBitSupp,” as the ransomware group’s leader. The US Department of Justice subsequently unsealed an indictment against Khoroshev, charging him with conspiracy to commit fraud, extortion, and money laundering.