
LockBit crackdown continues with Zservers sanctions

Zservers, a bulletproof hosting service used by LockBit affiliates, was sanctioned by United States, Australian and British authorities on Tuesday.

Bulletproof hosting (BPH) services supply technical infrastructure built to preserve customer anonymity and resist legal intervention; unlike typical web hosting providers, they ignore abuse reports, takedown notices and subpoenas, which makes them attractive to cybercriminals, including ransomware threat actors.

Zservers, which is headquartered in Russia, advertises its services on cybercrime forums and has been used by numerous LockBit affiliates to facilitate their attacks, according to a statement by the U.S. Department of the Treasury.

For example, a laptop searched by Canadian law enforcement in 2022 was found to be operating a virtual machine that was connected to an IP address subleased from Zservers and running a programming interface used to operate LockBit ransomware, officials said.

Zservers is also known to have sold or leased IP addresses to a LockBit-associated Russian cybercriminal in 2022 and a known LockBit affiliate in 2023, according to U.S. officials.

“These coordinated sanctions by the U.S., UK, and Australia may deter Zservers from doing any further business with Lockbit, setting precedence for law enforcement-driven deterrence and international efforts to combat cybercrime,” Andrew Costis, engineering manager of the adversary research team at AttackIQ, told SC Media.

LockBit is just one ransomware group associated with Zservers. In October 2022, Zservers provided services to the REvil ransomware operation, which were leveraged in an attack against Medibank Private, according to the Australian Federal Police.

The BPH provider has now been sanctioned in the U.S. under Executive Order (EO) 13694, which was amended by EO 14144, meaning any transactions related to Zservers by U.S. citizens or within the United States are prohibited.

In the UK, Zservers was sanctioned under the Sanctions and Anti-Money Laundering Act 2018, imposing similar financial restrictions. Australia issued its first-ever cyber sanction against Zservers, prohibiting Australians or those in Australia from providing any assets to Zservers, which could include ransomware payments and other cryptocurrency transactions.

U.S. authorities also sanctioned two Zservers admins: Aleksandr Sergeyevich Bolshakov and Alexander Igorevich Mishin. Australia sanctioned and imposed travel bans on Bolshakov, Mishin and three other Zservers employees, while the UK included an additional employee for a total of six sanctioned individuals. Zservers’ UK front company XHOST Internet Solutions LP was also included in the sanctions.

LockBit, previously one of the most prolific ransomware-as-a-service (RaaS) operators, has faced a series of disruptions over the past year, beginning with an international takedown of some of its key infrastructure in February 2024. International authorities have continued to crack down on the group, with the seizure of additional server infrastructure in October and the prosecution of several LockBit affiliates and associates, including the indictment of its alleged ringleader Dmitry Yuryevich Khoroshev, who was identified by the U.S. Department of Justice in May.

“It is important to acknowledge that although sanctions might impede ransomware operations by targeting their infrastructure, ransomware groups such as LockBit are highly adaptive and well-connected, and will likely have other providers they’re able to call on,” said Costis.
