
Russian bulletproof hosting service Zservers sanctioned by US for LockBit coordination

A Russian service used to facilitate ransomware attacks by LockBit hackers has been sanctioned by U.S. authorities. 

The company, Zservers, offers bulletproof hosting — which allows cybercriminals to avoid law enforcement while renting IP addresses, servers and domains used for disseminating malware, forming botnet armies and carrying out other tasks related to fraud and cyberattacks.

On Tuesday, the U.S. Treasury Department partnered with officials in Australia and the U.K. in sanctioning Zservers as well as Russian nationals Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, who served as administrators at the company. 

“Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” said Bradley Smith, acting undersecretary of the Treasury for terrorism and financial intelligence. 

“Today’s trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security.”

U.S. officials said Zservers supported LockBit’s efforts to launch ransomware attacks. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) specifically mentioned the group’s 2023 attack on the Industrial Commercial Bank of China.

According to the U.S., LockBit affiliates frequently leased IP addresses from Zservers. The company is based in Barnaul, Russia, and advertises its services on cybercriminal forums. Blockchain analysis company Elliptic said it confirmed the link between the cybercrime gang and Zservers.

“Ransomware attacks by Russian affiliated cybercrime gangs are some of the most harmful cyber threats we face today and the government is tackling them head on,” said U.K. Minister of State for Security Dan Jarvis. “Denying cybercriminals the tools of their trade weakens their capacity to do serious harm to the UK.”

Officials noted that Canadian law enforcement discovered Zservers services being used by a now-detained LockBit affiliate who had his home raided in 2022.

Zservers is being sanctioned for “having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, LockBit ransomware.”

Mishin was personally involved in advertising Zservers’ services and managing cryptocurrency payments, authorities said. Bolshakov was implicated by U.S. authorities in one situation where a Lebanese organization contacted Zservers to complain that an IP address provided by the company was being used to facilitate a ransomware attack. 

Mishin told the Lebanese company that the IP address was cut off but ordered Bolshakov to simply change the IP address of the hacker. 

‘A corrupt mafia state’

The U.K. published its own statement announcing similar sanctions but targeting six members of Zservers as well as a U.K. front company named XHOST Internet Solutions LP. In addition to Mishin and Bolshakov, Ilya Sidorov, Dmitriy Bolshakov, Igor Odintsov and Vladimir Ananev were sanctioned by the British government. 

U.K. Foreign Secretary David Lammy said Russian President Vladimir Putin has “built a corrupt mafia state driven by greed and ruthlessness.” 

“It is no surprise that the most unscrupulous extortionists and cyber-criminals run rampant from within his borders,” he said.  

U.S. officials tied the sanctions to previous actions taken against Russian ransomware actor Alexander Ermakov and members of the Evil Corp cybercrime group. 

The ransomware gang was taken down by several law enforcement agencies around the world last year but has repeatedly tried to revive itself, reposting data stolen during previous attacks and marketing a small number of new incidents.

State Department spokesperson Tammy Bruce said Russia “continues to offer safe harbor for cybercriminals where groups are free to launch and support ransomware attacks against the United States and its allies and partners.”

“We will continue to stand with our partners to disrupt ransomware actors that threaten our economies and critical infrastructure,” Bruce added. 

In recent years, U.S. authorities have made a point of going after the people behind bulletproof hosting services, extraditing those involved and handing out lengthy sentences. A man suspected of owning a bulletproof hosting company was arrested in Spain last October amid a wider operation targeting one of the main members of the Evil Corp cybercrime group and a LockBit affiliate. 

Lolek Hosted was taken offline by law enforcement in 2023 and the U.S. Justice Department sentenced 39-year-old Mihai Ionut Paunescu to three years in federal prison for his role in helping run bulletproof hosting service PowerHost[.]ro.

Russian national Aleksandr Grichishkin was handed a five-year sentence in 2021 for founding and operating a bulletproof hosting company while Pavel Stassi, 30, of Estonia, and Aleksandr Shorodumov, 33, of Lithuania, were both sentenced to more than two years in prison for running a bulletproof hosting organization that helped launch attacks against U.S. targets between 2009 and 2015.

A 33-year-old Illinois native also was sentenced previously for owning and operating two DDoS facilitation websites — DownThem.org and AmpNode.com — that also provided bulletproof server hosting to customers.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.