US, UK, and Australia Sanction Zservers for Role in Hosting LockBit Ransomware


In a coordinated effort to disrupt cybercrime, authorities from the United States, United Kingdom, and Australia have imposed sanctions on Zservers, a Russia-based bulletproof hosting provider accused of aiding the notorious LockBit ransomware group. The sanctions, announced on February 11, 2024, target both Zservers and its UK-based front company, XHOST Internet Solutions LP, as well as six individuals involved in the operation.


Zservers, which provides hosting services that shield the identities and activities of cybercriminals, has been linked to the facilitation of attacks on critical infrastructure worldwide. The US Treasury Department’s Office of Foreign Assets Control (OFAC) and the UK’s Foreign Office have frozen the assets of Zservers and its affiliated companies, while also imposing travel bans on six individuals connected to the group.


Bradley Smith, the US Treasury’s acting under-secretary for terrorism and financial intelligence, emphasized the role that bulletproof hosting providers like Zservers play in enabling cybercriminals to carry out their attacks. "Cybercriminals rely on third-party network service providers to enable their attacks on US and international critical infrastructure," Smith stated.


Joint Operation Targets LockBit's Impact

The sanctions come as part of a broader, joint operation launched by authorities from ten countries in February 2024 aimed at disrupting the LockBit ransomware group. Authorities claim LockBit has caused billions of dollars in damage, including major breaches of critical infrastructure. Notable victims include Medibank, an Australian insurance provider, and the Industrial Commercial Bank of China US.


LockBit ransomware operates by encrypting victims' files and demanding payment, usually in cryptocurrency, to unlock them. The group has been responsible for a significant number of high-profile attacks, including over 7,000 cyberattacks between June 2022 and February 2024.


Sanctioned Individuals Linked to Zservers

Among the six individuals sanctioned by the US and UK, two are identified as key administrators of Zservers: Russian nationals Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov. Both men are accused of directing crypto transactions for LockBit and supporting the group's cyberattacks. Blockchain analytics firm Chainalysis revealed that a crypto address associated with Mishin, along with several other wallets linked to Zservers, is now on OFAC’s Specially Designated Nationals (SDN) list, making them subject to specific financial sanctions.


Chainalysis also highlighted that Zservers had been involved in transactions with multiple ransomware groups beyond LockBit. The company’s on-chain activity revealed payments from a range of illicit actors using the hosting provider for their operations. Additionally, Zservers had allegedly cashed out funds through the sanctioned Russia-based exchange Garantex, known for its lack of Know Your Customer (KYC) procedures.


Zservers' Global Reach and Illicit Connections

Zservers operates servers in several countries, including the US, Russia, Bulgaria, the Netherlands, and Finland, and offers a variety of services, such as server support, equipment, and custom configurations. Chainalysis' report also noted Zservers’ extensive connections to high-risk and illicit entities, with at least $5.2 million in on-chain activity linked to its services.


The company’s role as a key infrastructure provider for ransomware groups is part of a wider trend of cybercriminals utilizing bulletproof hosting services to conceal their identities and activities, enabling large-scale ransomware campaigns.


Broader Sanctions Impact

The sanctions against Zservers are part of a growing global effort to target and disrupt the financial infrastructure supporting ransomware and other cybercrime activities. In addition to the recent actions against Zservers, OFAC had previously sanctioned 44 Tornado Cash smart contract addresses in 2022 for their role in laundering over $7 billion in cryptocurrency, further highlighting the US government’s commitment to combating cybercrime through financial sanctions.


As ransomware groups like LockBit continue to evolve, international authorities are stepping up their efforts to target the facilitators of these attacks. With the imposition of sanctions on Zservers and the ongoing investigation into ransomware activities, law enforcement agencies aim to disrupt the financial lifelines of these criminal organizations, preventing further damage to global infrastructure.


sahar alizadehhaji
