The United States, United Kingdom, and Australia have jointly imposed sanctions on Zservers, a Russia-based bulletproof hosting (BPH) provider, for supporting LockBit ransomware operations.
The action, announced by the U.S. Treasury's Office of Foreign Assets Control (OFAC), targets the company's role in facilitating cyberattacks against critical infrastructure worldwide. Additionally, two Russian nationals linked to Zservers were designated for their involvement in enabling ransomware attacks.
Zservers, headquartered in Barnaul, Russia, has operated as a bulletproof hosting service that caters to cybercriminals by providing infrastructure designed to evade law enforcement detection. According to OFAC, the company leased numerous IP addresses to LockBit affiliates, who used the infrastructure to plan and execute ransomware attacks.
Zservers' role in LockBit operations
In 2022, Canadian authorities discovered a LockBit affiliate using a laptop connected to a Zservers IP address while running LockBit malware. Additionally, investigations revealed that a Russian cybercriminal had purchased IP addresses from Zservers, likely to be used as LockBit chat servers for coordinating ransomware operations. In 2023, the company leased additional infrastructure, including a Russian IP address, to another LockBit affiliate, further strengthening its ties to the ransomware group.
LockBit is one of the most widely deployed ransomware variants, responsible for numerous high-profile cyberattacks. The group operates under a Ransomware-as-a-Service (RaaS) model, in which affiliates conduct attacks using LockBit's malware in exchange for a share of the ransom payments.
Key individuals sanctioned
Two Russian nationals, identified as administrators of Zservers, were also sanctioned:
- Alexander Igorevich Mishin – Marketed Zservers' BPH services to cybercriminals, including LockBit affiliates, and facilitated cryptocurrency transactions supporting ransomware activities.
- Aleksandr Sergeyevich Bolshakov – Involved in managing Zservers' infrastructure, including reassigning an IP address used in a LockBit ransomware attack after it was flagged by a Lebanese company. This action likely allowed the ransomware operations to continue.
Both individuals were sanctioned under Executive Order 13694 (as amended by EO 14144) for acting on behalf of Zservers and enabling cybercriminal activities.
As a result of the sanctions, all assets and interests of Zservers, Mishin, and Bolshakov in the U.S. or controlled by U.S. entities are frozen. Moreover, U.S. persons and businesses are prohibited from engaging in transactions with the sanctioned parties, and entities owned 50% or more by the designated individuals or companies are also blocked. Finally, financial institutions and businesses dealing with the sanctioned entities may face secondary sanctions or enforcement actions.
These sanctions reinforce last year's collaborative efforts by the U.S., U.K., and Australia to disrupt Russian ransomware actors, including sanctions against Alexander Ermakov and members of the Evil Corp ransomware group.