US, UK and Australia Sanction Bulletproof Hosting Provider Linked to LockBit
The United States, United Kingdom, and Australia jointly sanctioned Zservers, a Russia-based bulletproof hosting (BPH) provider, for supporting the LockBit ransomware group, Bleeping Computer reports.
Zservers offered resilient servers to LockBit affiliates, facilitating ransomware attacks that have extorted over $120 million from thousands of victims worldwide since 2019.
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) also designated two Russian nationals, Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, as key administrators of Zservers.
They were involved in marketing BPH services to cybercriminals and managing virtual currency transactions supporting LockBit's activities.
Investigations revealed that Zservers provided infrastructure enabling LockBit's operations. In a 2022 raid, Canadian authorities discovered a laptop connected to a Zservers subleased IP address, running a LockBit malware control panel. Further, in 2023, Zservers leased infrastructure, including a Russian IP address, to a LockBit affiliate.
These sanctions prohibit organizations and citizens of the sanctioning countries from conducting transactions with the designated individuals and entities. All associated assets will be frozen, and financial institutions or foreign entities involved with them may face penalties.
This action underscores the collaborative resolve of these nations to disrupt cybercriminal ecosystems and protect international critical infrastructure from ransomware threats.
Takeaway: The sanctions imposed on Zservers highlight the critical role that hosting providers play in facilitating cybercriminal activities. This action underscores the importance of scrutinizing such entities, a concern previously addressed in the Halcyon investigation into Cloudzy, another hosting provider implicated in supporting malicious actors.
The Halcyon report revealed that Cloudzy has been providing services to a range of threat actors, including state-sponsored hacking groups from countries such as China, Iran, North Korea, Russia, India, Pakistan, and Vietnam.
The investigation also linked Cloudzy's infrastructure to Candiru, an Israeli spyware vendor sanctioned by the U.S. government. The Halcyon research indicated that Cloudzy operates as a Command-and-Control Provider (C2P), offering services to attackers while maintaining a legitimate business profile.
The company accepts cryptocurrencies in exchange for anonymous use of its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services, which have been utilized by various threat actors for malicious activities.
The parallels between Zservers and Cloudzy are evident. Both companies offer services that are exploited by cybercriminals and state-sponsored groups to conduct malicious operations.
While Zservers has been directly sanctioned for its involvement, Cloudzy's activities, as detailed by Halcyon, suggest a similar pattern of behavior that could warrant regulatory scrutiny.
These developments emphasize the necessity for organizations to thoroughly assess their associations with hosting providers. Engaging with companies that may be complicit in cybercriminal activities not only poses security risks but also legal and reputational consequences.
Halcyon recommends that organizations review their associations with providers like Zservers and Cloudzy and consider the legal implications of continued engagement with those companies. They also advise security teams to monitor for indicators of compromise related to Zservers and Cloudzy infrastructure to prevent potential attacks.
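One way a security team can act on that monitoring advice is to match outbound connection logs against the netblocks it has attributed to a hosting provider under review. The script below is an added example, not code from Halcyon or from the original post; the CIDR ranges and log lines in it are constructed placeholders (RFC 5737 documentation ranges and private addresses), not real Zservers or Cloudzy address space, and the log format is an assumed one that a team would adapt to its own firewall or proxy output.

```python
import ipaddress
import re
from collections import Counter

# CONSTRUCTED placeholder watchlist: documentation ranges standing in for the
# netblocks a team has attributed to a hosting provider it is reviewing.
# These are NOT real Zservers or Cloudzy ranges; replace with vetted intelligence.
WATCHLIST = {
    "hosting-provider-A": ["198.51.100.0/24", "203.0.113.0/24"],
    "hosting-provider-B": ["192.0.2.0/24"],
}

# Assumed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def build_index(watchlist):
    """Parse the watchlist once into (network, provider_label) pairs."""
    return [
        (ipaddress.ip_network(cidr, strict=False), label)
        for label, cidrs in watchlist.items()
        for cidr in cidrs
    ]


def lookup(ip, index):
    """Return the provider label whose netblock contains ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed address in the log line
    for net, label in index:
        if addr in net:
            return label
    return None


def scan_logs(lines, watchlist=WATCHLIST):
    """Return a list of connections whose destination falls in a watched netblock."""
    index = build_index(watchlist)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        label = lookup(m["dst"], index)
        if label is None:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "provider": label,
        })
    return hits


def summarize(hits):
    """Count matched connections per provider for a quick triage view."""
    return dict(Counter(h["provider"] for h in hits))


# CONSTRUCTED sample log lines; the third entry is deliberately malformed.
SAMPLE_LOGS = [
    "2025-02-12T10:00:01Z 10.0.0.5 -> 198.51.100.23:443",
    "2025-02-12T10:00:02Z 10.0.0.7 -> 172.16.5.9:443",
    "garbage line that should be skipped",
    "2025-02-12T10:00:04Z 10.0.0.8 -> 192.0.2.77:8080",
    "2025-02-12T10:00:05Z 10.0.0.9 -> 203.0.113.250:22",
]

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} [{h['provider']}]")
    print("per-provider:", summarize(found))
```

In production the watchlist would be loaded from a curated threat-intelligence feed and the matches forwarded to the SIEM rather than printed; the point of the example is that attributing traffic to a provider requires the team to maintain its own vetted mapping of netblocks to providers, which sanctions announcements alone do not supply.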
In conclusion, the sanctions against Zservers serve as a pertinent reminder of the broader issue of hosting providers facilitating cybercrime. The findings from the Halcyon investigation into Cloudzy further illustrate the need for vigilance and due diligence in selecting service providers, ensuring they uphold ethical standards and comply with international regulations to mitigate the risk of cyber threats.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.