The United States, Australia, and the United Kingdom have sanctioned Zservers, a Russia-based bulletproof hosting (BPH) services provider, for supplying essential attack infrastructure for the LockBit ransomware gang.
Two of its key administrators, Russian nationals Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, were also designated for their roles in directing LockBit virtual currency transactions and supporting the gang’s attacks.
The U.S. Office of Foreign Assets Control (OFAC) says Canadian authorities discovered a laptop running a virtual machine linked to a Zservers subleased IP address and operating a LockBit malware control panel during a 2022 raid on a known LockBit affiliate.
In 2022, a Russian hacker acquired IP addresses from Zservers, which were likely used with LockBit chat servers to coordinate ransomware activities, while, in 2023, Zservers provided infrastructure, including a Russian IP address, to a LockBit affiliate.
“Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence.
“BPH providers like ZSERVERS protect and enable cybercriminals, offering a range of purchasable tools which mask their locations, identities, and activities. Targeting these providers can disrupt hundreds or thousands of criminals simultaneously,” the U.K. government added.
Britain’s Foreign, Commonwealth and Development Office has also sanctioned XHOST Internet Solutions LP, Zservers’ U.K. front company, for supporting LockBit ransomware attacks, along with four other employees: Ilya Sidorov, Dmitriy Bolshakov, Igor Odintsov, and Vladimir Ananev.
Following these sanctions, organizations and citizens of the three countries are prohibited from conducting transactions with the designated individuals and companies. All assets linked to them will also be frozen, and financial institutions and foreign entities involved in transactions with them may also face penalties.
LockBit arrests and charges
In December, the U.S. Justice Department also charged a Russian-Israeli dual-national suspected of developing malware and managing the infrastructure for LockBit ransomware.
Previous charges and arrests of cybercriminals linked to LockBit ransomware include Mikhail Pavlovich Matveev (aka Wazawaka) in May 2023, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) in February 2024, and Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) in May 2024.
In July, Russian national Ruslan Magomedovich Astamirov and Canadian/Russian national Mikhail Vasiliev also admitted to participating in at least a dozen ransomware attacks as LockBit affiliates.
The U.S. Department of Justice and the U.K. National Crime Agency estimate that LockBit has extorted up to $1 billion after over 7,000 attacks between June 2022 and February 2024.
LockBit surfaced five years ago, in September 2019, and has since claimed or been linked to attacks targeting many high-profile entities worldwide, including Bank of America, Boeing, automotive giant Continental, the UK Royal Mail, and the Italian Internal Revenue Service.
In February 2024, Operation Cronos shut down LockBit’s infrastructure and seized 34 servers that contained over 2,500 decryption keys later used to create a free LockBit 3.0 Black Ransomware decryptor.