New sanctions were issued this week, U.S. officials say.
The U.S. Department of State said it is cracking down on Russian ransomware networks and gangs, announcing new sanctions this week against a Russian internet service provider and several Russian citizens.
In a statement, the State Department said that U.S., UK, and Australian officials are sanctioning Zservers, a bulletproof hosting services provider that allegedly backed ransomware attacks by the LockBit group. Bulletproof hosting providers (BPHs) allow for web services that can be considered illegal or controversial, such as distributing malware, illegal gambling, botnets, phishing attacks, or spam.
“As a BPH service provider, Zservers provided cybercriminals access to specialized servers and other computer infrastructure designed to resist law enforcement action,” the State Department’s spokesperson Tammy Bruce said in the statement on Tuesday.
Ransomware is a type of malware that encrypts a victim's data, locking them out of their files, before demanding a payment in exchange for a key to unlock the files, officials say. The malware is often distributed via phishing emails or by exploiting software vulnerabilities.
Russia was also alleged by the State Department to provide “safe harbor for cybercriminals where groups are free to launch and support ransomware attacks against the United States and its allies and partners.”
Two Russian nationals who operated Zservers, Aleksandr Sergeyevich Bolshakov and Alexander Igorevich Mishin, received U.S. sanctions, the U.S. Treasury said in a separate statement.
“Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” Bradley Smith, acting undersecretary of the Treasury for Terrorism and Financial Intelligence, said in a statement.
The action follows joint U.S., UK, and Australia cyber sanctions last year targeting the Evil Corp ransomware group, U.S. officials said on Feb. 11.
According to Treasury officials, LockBit, which is based in Russia, is considered among “the most deployed ransomware variants and was responsible for the November 2023 attack against the Industrial Commercial Bank of China U.S. broker-dealer.”
In 2022, officials in Canada searched an affiliate of LockBit and uncovered a laptop that operated a virtual machine connected to Zservers’ IP address and was running a program used to operate LockBit’s ransomware, the Treasury said.
Last year, the U.S. government said it was offering a reward of up to $15 million for information on the leaders of LockBit that could lead to their arrests and convictions. Weeks after that, U.S. officials announced sanctions on Dmitriy Yuryevich Khoroshev, a Russian national described as a senior leader in the ransomware group.
Meanwhile, UK officials said in 2024 that Khoroshev is the “administrator and developer of the LockBit ransomware group” and was only recently identified because he “thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity.”
Since January 2020, LockBit has been used to attack a variety of organizations, businesses, and government entities as well as critical infrastructure sectors such as agricultural, financial services, energy, emergency services, and more, the U.S. Cybersecurity and Infrastructure Agency (CISA) said in an update in 2023.
In an update last year, the Department of Justice estimated that LockBit had targeted more than 2,000 victims and acquired more than $120 million in ransom payments while making hundreds of millions of dollars in demands.
Reuters contributed to this report.