Australia sanctions Zservers in coordinated ransomware action

L Higgins and S Pettigrove

On February 11, 2025, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Kingdom’s Foreign, Commonwealth and Development Office (FCDO), and Australia’s Department of Foreign Affairs and Trade (DFAT) jointly sanctioned Zservers, a Russia-based bulletproof hosting (BPH) provider, for its role in facilitating ransomware attacks by the LockBit gang. LockBit has been one of the most active ransomware groups in recent years, targeting businesses, hospitals, and government entities worldwide. In 2022, LockBit was the most deployed ransomware variant across the globe.


The sanctions and their scope


Zservers and its operators have been added to sanctions lists in the US, UK, and Australia. The US designation includes two Russian nationals, Aleksandr Sergeyevich Bolshakov and Alexander Igorevich Mishin, as well as three cryptocurrency addresses tied to Zservers. The UK also sanctioned four additional employees and a UK-based front company, XHOST Internet Solutions LP.


Australia has listed Zservers as well as the owners and a number of employees of the company, along with XHOST Internet Solutions LP. Certain owners and employees are known only by pseudonyms. Australia does not specifically list wallet addresses in its sanctions list, although dealings in a sanctioned person's crypto-assets will be covered by sanctions and subject to freezing and seizure.


The UK government described Zservers as “a key component of the Russian cybercrime supply chain,” noting its role in providing essential infrastructure for ransomware attacks, including those targeting hospitals.


Australia's DFAT linked the action to its first cybercrime-related sanctions, issued last year against Aleksandr Ermakov over the Medibank Private cyberattack. The Zservers action is Australia's first cyber sanction against a business and its first sanction for the provision of services or infrastructure used to engage in cybercrime.


How does Zservers work?


Zservers provides anonymous hosting services and operates data centers across various countries, such as Russia, Bulgaria, the Netherlands, the US, and Finland. While BPH services can be used for legitimate purposes, they are also attractive to cybercriminals due to their lenient policies on hosted content.


Zservers advertises its services openly, offering server administration, equipment rental, and custom configurations. This accessibility has made it a preferred choice for illicit actors seeking to conduct ransomware operations while evading law enforcement scrutiny.


Blockchain analysis firm Chainalysis has identified at least USD 5.2 million in on-chain transactions linked to Zservers, with direct connections to multiple ransomware affiliates beyond LockBit. These funds have been funneled through the sanctioned exchange Garantex and various decentralised and anonymous crypto services, highlighting the financial networks used to facilitate ransomware operations.


Conclusion


The coordinated sanctions against Zservers reinforce government efforts to step up action on ransomware and the importance of international collaboration in combating cybercrime. Last year’s law enforcement action against LockBit disrupted its operations, and this latest move continues efforts to dismantle the infrastructure supporting ransomware groups.


While cybercriminal networks constantly adapt, targeting service providers like Zservers makes it more difficult for them to operate. By disrupting the financial and technical infrastructure behind ransomware, governments are increasing the cost and risk for those involved in these illicit activities.


Written by Steven Pettigrove and Luke Higgins

© Michael Bacina and Steven Pettigrove. All rights reserved