Full Report
The U.S., the U.K. and Australia sanctioned Russia-based Zservers, connecting the company's internet hosting services to the LockBit ransomware operation.
Analysis Summary
# Threat Actor: LockBit Ransomware Group (Supported by Zservers)
## Attribution & Identity
The primary threat actor discussed is the **LockBit ransomware group**. The article focuses heavily on the sanctioning of **Zservers**, a Russian bulletproof hosting service provider based in Barnaul, Russia, which materially assisted, sponsored, and provided technological support to LockBit affiliates.
**Associated Actors/Affiliates:**
* Russian nationals sanctioned alongside Zservers: **Alexander Igorevich Mishin** (Administrator, involved in advertising and managing crypto payments) and **Aleksandr Sergeyevich Bolshakov** (Administrator).
* The UK sanctioned six individuals in total: Mishin and Bolshakov plus four further Zservers members, **Ilya Sidorov, Dmitriy Bolshakov, Igor Odintsov, and Vladimir Ananev**, along with a UK front company, **XHOST Internet Solutions LP**.
* A known LockBit affiliate whose residence was searched by Canadian law enforcement in 2022, which the sanctions notice cites as one of the links between LockBit affiliates and Zservers infrastructure.
* The action follows earlier coordinated US, UK and Australian sanctions against members of the **Evil Corp** cybercrime group, reflecting the same trilateral approach.
## Activity Summary
The core activity summarized is the disruption of LockBit's operational support by sanctioning Zservers. LockBit affiliates frequently leased infrastructure (IP addresses, servers, domains) from Zservers to facilitate ransomware operations.
* **Recent/Notable Campaign:** Zservers infrastructure was implicated in LockBit's **2023 attack against the Industrial and Commercial Bank of China (ICBC)**.
* **Operational Context:** LockBit has repeatedly attempted to rebuild after the February 2024 international takedown of its infrastructure, continuing to repost data from earlier victims and to advertise new incidents on its leak site.
## Tactics, Techniques & Procedures
The TTPs described relate to the infrastructure LockBit affiliates obtained through Zservers rather than to host-level intrusion technique:
* **Ransomware Deployment:** Running ransomware operations from bulletproof hosting, where the provider ignores abuse complaints and law-enforcement requests.
* **Infrastructure Leasing:** Leasing IP addresses, servers, and domains from providers like Zservers, so that attack infrastructure is not tied to the affiliate's own identity.
* **Malware Dissemination:** Using the leased resources to distribute malware.
* **Botnet Formation:** Using the leased resources to build and operate botnets.
*MITRE ATT&CK IDs are not explicitly mentioned in the source material.*
## Targeting
The source focuses on infrastructure rather than victimology, but some targeting patterns can be inferred:
* **Sectors:** **Critical infrastructure** is named by US officials as the category cybercriminals attack using these hosting services, covering *U.S. and international critical infrastructure*.
* **Geography:** Global, evidenced by the specific mention of an attack on a Lebanese organization and of the **Industrial and Commercial Bank of China**.
* **Victims:** **Industrial and Commercial Bank of China (ICBC)**, named in connection with the 2023 attack.
## Tools & Infrastructure
* **Malware Families Used:** **LockBit Ransomware** (primary malware).
* **Infrastructure (C2, domains, IPs):** **Zservers**, a bulletproof hosting provider that sells IP addresses, servers, and domains for illicit use. The infrastructure it leases supports command and control, malware distribution, and fraud operations. No specific IP addresses, domains, or autonomous systems are listed in the source material.
## Implications
The action against Zservers reflects a strategic shift by the sanctioning governments toward the **enablers** of major ransomware operations (bulletproof hosting providers), rather than only the operators themselves. Russia is identified as a state that "continues to offer safe harbor for cybercriminals." Disrupting this supply of malicious infrastructure is intended to raise LockBit's operating costs and weaken its capacity to cause serious economic or infrastructure harm, even where the operators remain out of reach of arrest.
## Mitigations
* **Supply Chain Disruption:** Targeted sanctions and disruption against third-party network service providers (such as bulletproof hosting) used by cybercriminals.
* **International Cooperation:** Continued trilateral cooperation (US, UK, Australia) to disrupt the criminal ecosystem regardless of where its participants are located.
* **Attribution and Enforcement:** Continued tracking and sanctioning of individuals who facilitate criminal infrastructure (for example by managing payments or advertising illicit services).
* **Sanctions Compliance:** For victim organizations, the designation means that ransom payments which benefit Zservers or the named individuals carry sanctions-compliance exposure, which should be factored into any incident-response decision on payment.