Russia’s Zservers Sanctioned by US, UK, and Australia for Aiding LockBit Ransomware

CryptoNews, 2025/02/12 18:33
By: Hassan Shittu

The US, UK, and Australia sanctioned Russia-based Zservers for aiding LockBit ransomware, freezing assets and blacklisting administrators involved in the operation.

Last updated: February 12, 2025 05:43 EST

The United States, United Kingdom, and Australia have jointly imposed sanctions on Zservers, a Russia-based bulletproof hosting (BPH) service provider accused of facilitating ransomware operations, particularly for the notorious LockBit ransomware group.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign, Commonwealth & Development Office announced the sanctions on February 11, targeting Zservers, its administrators, and associated entities.

As part of the crackdown, the sanctions impose asset freezes, travel bans, and restrictions, cutting Zservers off from the global financial system. They also blacklist Zservers’ administrators, Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, along with several individuals linked to LockBit.

Furthermore, blockchain analytics firm Chainalysis has reported that OFAC has added multiple cryptocurrency wallets tied to Zservers and its administrators to its Specially Designated Nationals (SDN) list.

Zservers and LockBit: What Is The Connection?

Zservers, headquartered in Barnaul, Russia, has been operating as a bulletproof hosting service provider, advertising its services on cybercriminal forums.

These services are designed to shield criminal activities from law enforcement through anonymous and resilient hosting solutions.

According to investigators, Zservers’ infrastructure has been directly linked to LockBit ransomware operations.

LockBit, a ransomware-as-a-service (RaaS) operation first identified in 2019, has gained notoriety for its widespread attacks on corporations, government institutions, and financial entities worldwide.

Authorities report that Zservers leased infrastructure to LockBit affiliates and provided IP addresses used to facilitate communication between attackers.

A 2022 investigation by Canadian law enforcement also uncovered a laptop connected to a Zservers subleased IP address, which was actively operating LockBit malware.

Evidence suggests that Zservers continued to enable these operations by frequently reassigning IP addresses to LockBit affiliates when previous addresses were flagged for malicious activity.

Furthermore, Chainalysis traced at least $5.2 million in on-chain transactions linked to Zservers, indicating that multiple ransomware groups beyond LockBit had utilized its services.

[Image. Source: Chainalysis]

Zservers reportedly processed funds through high-risk platforms, including the sanctioned Russian exchange Garantex, which has been accused of lax Know Your Customer (KYC) compliance, allowing illicit funds to flow undetected.

LockBit Crime Empire is Slowly Crashing

The joint sanctions imposed on Zservers by the U.S., UK, and Australia aim to weaken the infrastructure supporting ransomware operations.

OFAC’s action against Mishin and Bolshakov highlights the growing focus on targeting individuals responsible for enabling cybercriminal activities.

Mishin, identified as a key figure in managing Zservers’ operations, has allegedly facilitated cryptocurrency transactions tied to ransomware operations.

In 2023, both Mishin and Bolshakov were reported to have reassigned IP addresses to LockBit affiliates after a Lebanese company flagged a Zservers-linked address in connection with a ransomware attack.

Notably, a report in December last year showed that U.S. authorities had charged Rostislav Panev, a dual Russian-Israeli national, for his alleged role as a key developer for the LockBit ransomware group.

🚨💻 Major crackdown on cybercrime! U.S. charges Rostislav Panev, a dual Russian-Israeli national, for his alleged role in the LockBit ransomware group. #LockBit #CyberSecurity https://t.co/KevP3ja5RS

— Cryptonews.com (@cryptonews) December 20, 2024

Panev was accused of creating malware that disabled security systems and executed ransomware attacks worldwide. Law enforcement linked him to over $230,000 in cryptocurrency payments allegedly tied to LockBit.

His lawyer argues that Panev was unaware of how his software was used and has cooperated with investigators. The DOJ has requested his extradition as officials continue efforts to dismantle LockBit’s operations, which have targeted high-profile organizations like Boeing and the UK Royal Mail.

LockBit, active since 2019, has attacked over 2,500 victims in 120 countries, encrypting data and demanding ransoms.

Authorities have since charged additional Russian nationals, including alleged LockBit leader Dmitry Khoroshev, for whom a $10 million bounty has been placed.
