Zservers Sanctioned for Helping LockBit Ransomware Attacks

By Daniel Lopez

Recently, the United States, Australia, and the United Kingdom announced further actions in their ongoing initiatives to disrupt the LockBit ransomware group, including jointly sanctioning Zservers and two Russian nationals for their part in supporting LockBit ransomware attacks.

An international law enforcement operation called Operation Cronos targeted the group with the participation of law enforcement agencies from 10 nations. Starting in February 2024, the operation disrupted the group’s activities at several levels. The seized infrastructure included 34 servers in different countries, the data leak website, and cryptocurrency accounts associated with the ransomware group. International arrest warrants were issued and arrests followed. The group remains active, but its operations have been limited since then.

Operations to disrupt the group are ongoing. About one year after the announcement of Operation Cronos, the United Kingdom’s Foreign, Commonwealth and Development Office, Australia’s Department of Foreign Affairs and Trade, and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) targeted Zservers, which is based in Russia. Zservers offers a bulletproof hosting service (BHS) and was found to be supporting the LockBit ransomware group; two Russian nationals identified as Zservers administrators were also sanctioned.

BHS providers offer access to specialized servers and systems designed to evade detection and analysis by cybersecurity firms and to withstand law enforcement disruption efforts. Ransomware groups use BHS to attack U.S. companies and critical infrastructure more easily; where the victims are healthcare organizations, these attacks can also involve HIPAA violations. Zservers is based in Barnaul, Russia, and promotes its offerings on cybercriminal forums. Zservers has worked with ransomware groups such as LockBit to organize and conduct ransomware attacks.

In 2022, law enforcement searched the property of an identified LockBit affiliate in Canada. A laptop was found running a virtual machine linked to an IP address rented from Zservers, which was used to manage an interface for deploying LockBit ransomware. Other law enforcement actions from 2022 to 2023 identified IP addresses and infrastructure purchased from Zservers that were used in LockBit ransomware operations. Dutch authorities recently reported that 127 servers operated by Zservers were seized during an operation in Amsterdam. The servers hosted botnets, ransomware, and other malware.

The three countries sanctioned Aleksandr Sergeyevich Bolshakov and Alexander Igorevich Mishin. Under the sanctions, all property of the two individuals that is in the United States or in the possession or control of U.S. persons is blocked and must be reported to OFAC. Any entity owned 50% or more, individually or in combination, by one or both of the blocked individuals is also blocked. Financial institutions or individuals that transact with the sanctioned entities and persons may expose themselves to sanctions or enforcement actions, with potentially severe penalties.

Cybercriminals and ransomware actors depend on third-party BHS providers such as Zservers to facilitate their attacks on U.S. and global critical infrastructure. The coordinated action by the three nations highlights the importance of collective efforts to disrupt this criminal ecosystem, wherever it is based, in order to safeguard national security.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. He contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA