US Imposes Sanctions on LockBit Ransomware’s Bulletproof Hosting Provider

Overview
The United States, Australia, and the United Kingdom have sanctioned Zservers, a Russia-based bulletproof hosting (BPH) services provider, for supplying essential attack infrastructure to the LockBit ransomware gang. The coordinated effort aims to disrupt LockBit's operational capabilities and limit its ability to launch further ransomware attacks against global critical infrastructure.
Key Individuals and Their Roles
As part of the sanctions, two of Zservers’ key administrators, Russian nationals Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, were designated for their roles in facilitating LockBit's criminal activities. These individuals allegedly played crucial roles in directing LockBit virtual currency transactions and supporting ransomware operations.
The U.S. Office of Foreign Assets Control (OFAC) revealed that during a 2022 raid on a known LockBit affiliate, Canadian authorities discovered a laptop operating a virtual machine connected to a Zservers subleased IP address. This machine was running a LockBit malware control panel, directly implicating Zservers in cybercriminal activities.
In another instance, a Russian hacker reportedly acquired IP addresses from Zservers in 2022, which were later linked to LockBit’s chat servers. This infrastructure was likely used to coordinate ransomware activities. In 2023, Zservers continued its support by providing infrastructure, including a Russian IP address, to another LockBit affiliate.
Bulletproof Hosting and Its Role in Cybercrime
Bulletproof hosting providers like Zservers cater to cybercriminals by offering services that mask their locations, identities, and activities. These providers operate with minimal oversight, ensuring that threat actors can evade law enforcement while conducting illicit activities.
"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure," said Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence.
The U.K. government also emphasized the importance of targeting BPH providers, stating:
"BPH providers like Zservers protect and enable cybercriminals, offering a range of purchasable tools that mask their locations, identities, and activities. Targeting these providers can disrupt hundreds or thousands of criminals simultaneously."
Sanctions and Legal Consequences
In addition to Zservers, Britain’s Foreign, Commonwealth, and Development Office has sanctioned XHOST Internet Solutions LP, a U.K.-based front company for Zservers. Four employees (Ilya Sidorov, Dmitriy Bolshakov, Igor Odintsov, and Vladimir Ananev) were also designated for their involvement in supporting LockBit ransomware attacks.
Following these sanctions:
- Organizations and citizens in the U.S., Australia, and the U.K. are prohibited from conducting transactions with the designated individuals and companies.
- Assets linked to these individuals and entities will be frozen.
- Financial institutions and foreign entities involved in transactions with these sanctioned entities may also face penalties.
The latest sanctions follow the U.S. State Department's offer of up to $10 million for information on LockBit ransomware administrator Dmitry Khoroshev. Additional rewards of up to $15 million have been offered for details about LockBit ransomware owners, operators, administrators, and affiliates.
LockBit Arrests and Prosecutions
In recent years, multiple law enforcement agencies worldwide have taken aggressive actions against LockBit ransomware operators. In December 2023, the U.S. Justice Department charged a Russian-Israeli dual national suspected of developing malware and managing LockBit’s infrastructure.
Other notable arrests and charges include:
- Mikhail Pavlovich Matveev (aka Wazawaka): Indicted in May 2023 for his role in LockBit ransomware operations.
- Artur Sungatov & Ivan Gennadievich Kondratiev (aka Bassterlord): Arrested in February 2024.
- Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab): Indicted in May 2024 as one of LockBit’s primary operators.
- Ruslan Magomedovich Astamirov & Mikhail Vasiliev: Russian nationals who admitted to participating in at least a dozen LockBit ransomware attacks.
LockBit’s Impact and Law Enforcement Response
The U.S. Department of Justice and the U.K. National Crime Agency estimate that LockBit has extorted up to $1 billion in ransom payments across more than 7,000 attacks launched between June 2022 and February 2024. LockBit first emerged in September 2019 and has since been responsible for high-profile ransomware attacks on entities such as:
- Bank of America
- Boeing
- Continental automotive group
- UK Royal Mail
- Italian Internal Revenue Service
Operation Cronos and Law Enforcement Crackdown
In February 2024, international law enforcement agencies launched Operation Cronos, a coordinated effort to dismantle LockBit’s infrastructure. This operation resulted in the seizure of 34 servers containing over 2,500 decryption keys, which were used to create a free LockBit 3.0 Black Ransomware decryptor.
Mitigation Strategies and Cybersecurity Recommendations
Given the persistent threat posed by ransomware groups like LockBit, organizations must implement robust cybersecurity measures to mitigate risks. Some best practices include:
1. Strengthening Network Security
- Implement multi-factor authentication (MFA) for all user accounts.
- Restrict administrative privileges to limit access to critical systems.
- Deploy intrusion detection and prevention systems (IDPS) to monitor network activity.
2. Regular Security Updates
- Ensure all operating systems and applications are patched and updated to prevent exploitation of known vulnerabilities.
- Use endpoint detection and response (EDR) solutions to identify potential threats in real time.
3. Data Protection & Backups
- Maintain offline backups of critical data to ensure resilience against ransomware attacks.
- Encrypt sensitive data to protect against unauthorized access and exfiltration.
4. Employee Awareness & Training
- Conduct regular phishing awareness training to help employees recognize social engineering attacks.
- Establish a clear incident response plan to mitigate damage in the event of an attack.
Broader Implications of These Sanctions
The sanctions against Zservers and its associated entities represent a significant step in dismantling cybercriminal networks that facilitate ransomware operations. However, the fight against ransomware remains an ongoing challenge as cybercriminals continuously adapt their tactics.
By targeting bulletproof hosting providers and their operators, law enforcement agencies aim to disrupt the foundational infrastructure that enables cybercrime. These actions send a strong message to ransomware groups worldwide: law enforcement is closing in, and their operations will not go unpunished.
Conclusion
The coordinated sanctions against Zservers, LockBit affiliates, and related entities highlight the increasing global effort to combat ransomware threats. With law enforcement agencies tightening their grip on cybercriminal infrastructure, ransomware groups face growing challenges in maintaining their operations.
For organizations, the best defense against ransomware remains proactive cybersecurity measures, employee education, and collaboration with law enforcement to report and mitigate threats. As governments continue cracking down on cybercriminal networks, organizations and individuals must remain vigilant to prevent falling victim to the next major ransomware attack.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.