UK, US, Oz blast holes in LockBit's bulletproof hosting provider Zservers

One of the bulletproof hosting (BPH) providers used by the LockBit ransomware operation has been hit with sanctions in the US, UK, and Australia (AUKUS), along with six of its key allies.

Headquartered in Barnaul, Russia, Zservers provided BPH services to a number of LockBit affiliates, the three nations said today. On numerous occasions, affiliates purchased servers from the company to support ransomware attacks.

The trio said the link between Zservers and LockBit was established as early as 2022, when Canadian law enforcement searched a known LockBit affiliate and found evidence they had purchased infrastructure tooling almost certainly used to host chatrooms with ransomware victims.

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on US and international critical infrastructure," said Bradley T Smith, acting under secretary of the Treasury for terrorism and financial intelligence.

"Today's trilateral action with Australia and the United Kingdom underscores our collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security."

The UK's Foreign, Commonwealth & Development Office (FCDO) said additionally that the UK front company for Zservers, XHOST Internet Solutions, was also included in its sanctions list. According to Companies House, the UK arm was incorporated on January 31, 2022, although the original service was established in 2011 and operated in both Russia and the Netherlands.

Anyone found to have business dealings with either entity can face criminal and civil charges under the Sanctions and Anti-Money Laundering Act 2018.

Foreign Secretary David Lammy said: "Putin has built a corrupt mafia state driven by greed and ruthlessness. It is no surprise that the most unscrupulous extortionists and cybercriminals run rampant from within his borders.

"This government will continue to work with partners to constrain the Kremlin and the impact of Russia's lawless cyber underworld. We must counter their actions at every opportunity to safeguard the UK's national security and deliver on our Plan for Change."

Bulletproof hosting services more generally are used in other types of cybercrime, such as child exploitation, misinformation, and hate speech, as well as ransomware gangs. The sanctions are being spun as a significant disruptor of a major cog in the cybercrime machine.

• If Ransomware Inc was a company, its 2024 results would be a horror show
• Another banner year for ransomware gangs despite takedowns by the cops
• How cops taking down LockBit, ALPHV led to RansomHub's meteoric rise
• Suspected LockBit dev, facing US extradition, 'did it for the money'

BPH providers operate just like normal hosting services but market themselves as ultra-secure alternatives that can't be touched by law enforcement, making them ideal for groups who want to ensure legal warrants won't bring their servers down.

They also claim to offer additional benefits such as the anonymization of locations, identities, and activities. Disrupting them can in turn scupper hundreds or thousands of other criminals in one fell swoop, the FCDO said.

It went on to claim that Zservers marketed itself explicitly to "illicit actors."

Six people on the list

The UK led the way with sanctions, placing six individuals and the two entities on its list, while the US only placed two of the individuals – both alleged Zservers admins – on its equivalent.

Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, both 30 years old, were named by the US as the operation's heads. Mishin was said to have marketed Zservers to LockBit and other ransomware groups, managing the associated cryptocurrency transactions. 

Both he and Bolshakov responded to a complaint from a Lebanese company in 2023 and shut down an IP address used in a LockBit attack. The US said, however, it was possible that the pair set up a replacement IP address that LockBit could carry on using, while telling the Lebanese company that they complied with its request.

The UK further sanctioned Ilya Vladimirovich Sidorov, Dmitry Konstantinovich Bolshakov (no mention of whether he is any relation to Aleksandr), Igor Vladimirovich Odintsov, and Vladimir Vladimirovich Ananev.

Other than that they were Zservers employees and thus were directly or indirectly involved in attempting to inflict economic loss to the country, not much was said about either of their roles. ®