- The United States, Australia, and the United Kingdom have jointly sanctioned Zservers, a Russia-based bulletproof hosting provider, for supporting ransomware activities
- Zservers has been identified as a key infrastructure enabling LockBit ransomware attacks, including a significant breach in November 2023
- Two Russian nationals, Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, have been designated for their roles as administrators of Zservers
In a coordinated effort to combat cybercrime, the United States, Australia, and the United Kingdom have imposed sanctions on Zservers, a Russian bulletproof hosting (BPH) services provider, for its involvement in facilitating ransomware attacks. The joint action targets the infrastructure supporting LockBit, a prominent ransomware group responsible for numerous cyberattacks, including a notable incident in November 2023 against the Industrial Commercial Bank of China’s U.S. broker-dealer. Both Zservers and LockBit are connected to cryptocurrencies, which they treat as the primary form of payment for their services.
Zservers’ Role in Ransomware Operations
According to the U.S. Department of the Treasury, Zservers, headquartered in Barnaul, Russia, has been offering BPH services designed to evade detection and resist law enforcement efforts. The Treasury states that Zservers has “provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks.”
Investigations revealed that in 2022, Canadian law enforcement discovered a laptop connected to a Zservers IP address, running a virtual machine associated with LockBit malware operations. According to the Financial Action Task Force, cryptocurrencies are heavily, if not exclusively, used in such operations.
Zservers Admins Also Sanctioned
Alongside Zservers itself, the sanctions target two Russian nationals linked to the provider. Alexander Igorevich Mishin, identified as an administrator of Zservers, has been accused of marketing the company’s services to cybercriminals, including LockBit affiliates, with the understanding that they would be used for illicit activities. Additionally, Mishin has directed virtual currency transactions to support these operations. His associate, Aleksandr Sergeyevich Bolshakov, also an administrator, has been implicated in managing IP addresses associated with ransomware attacks.
In 2023, when a Lebanese company reported a LockBit-related attack originating from a Zservers IP address, Mishin instructed Bolshakov to change the IP address of the malicious user, enabling the continuation of ransomware activities.
This trilateral action underscores the commitment of the United States, Australia, and the United Kingdom to disrupt cybercriminal ecosystems. Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith, stated, “Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure.”
He emphasized that the joint sanctions “underscore our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security.”