"It is important to acknowledge that although sanctions might impede ransomware operations by targeting their infrastructure, ransomware groups such as LockBit are highly adaptive and well-connected, and will likely have other providers they're able to call on," says Andrew Costis, engineering manager of the Adversary Research Team at security firm AttackIQ. The Department of the Treasury's Office of Foreign Assets Control (OFAC), Australia's Department of Foreign Affairs and Trade, and the United Kingdom's Foreign, Commonwealth and Development Office jointly sanctioned Zservers, based in Barnaul, Russia, for enabling "ransomware attacks and other criminal activity," the Treasury Department revealed in a press release Feb. "The recently announced sanctions and law enforcement actions against Zservers will aid in disrupting ransomware groups by targeting their infrastructure, seizing servers, and blocking financial transactions," he says. Allegedly, Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks, according to international law enforcement, which collected evidence over several years to come to this conclusion. "Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on US and international critical infrastructure," Bradley T. The latest sanctions against Zservers are a continuation of multinational law-enforcement actions aimed at putting LockBit — which has committed severely disruptive ransomware attacks against numerous global organizations — permanently out of commission. Law enforcement investigating LockBit discovered the criminal activity of Zservers after the company advertised its BPH services on known cybercriminal forums, according to the Treasury Department.
Also that year, a Russian cybercriminal purchased IP addresses from Zservers, which the department said were likely for use in powering LockBit chat servers used to discuss ransomware operations. Still, sanctions alone may not necessarily disrupt LockBit and other ransomware groups entirely, meaning that organizations must remain vigilant, Barr says. The US government has joined Australia and the UK in sanctioning a Russia-based bulletproof hosting (BPH) services provider and two of its administrators for the company's role in supporting LockBit ransomware attacks. US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang. However, sanctions should make it more difficult for cybercriminals to operate by increasing their costs and forcing attackers to find less effective methods to commit ransomware attacks, another security expert says.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 12 Feb 2025 19:39:03 +0000