February 13, 2025

United States, United Kingdom and Australia impose joint sanctions on Russia-based ransomware enabler

On February 11, 2025, the United States joined Australia and the United Kingdom to jointly sanction Zservers, a Russia-based bulletproof hosting (“BPH”) services provider that played a role in the global ransomware attacks carried out by LockBit, a Russia-based ransomware group.  According to OFAC, Zservers provided LockBit affiliates with leased IP addresses and other services used to coordinate and launch ransomware attacks around the world.

OFAC reported that, in addition to Zservers, it designated Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov, two Russian nationals who serve as Zservers administrators.  The designations were imposed pursuant to Executive Order 13694, as amended by EO 14144, for engaging in cyber-enabled activities originating outside of the United States that threaten the national security, foreign policy or the economic health and stability of the United States.  As a result of these designations, all property and interests in property of the designated persons within the United States or within the possession or control of a U.S. person are blocked, and U.S. persons are generally prohibited from engaging in transactions involving a designated person.  Entities owned 50 percent or more by one or more blocked persons are also blocked.

On February 11, 2025, the UK Foreign, Commonwealth and Development Office announced that, in addition to the designation of Zservers, UK authorities sanctioned XHost Internet Solutions LP, Zservers’ UK front company, and six employees of Zservers, including Mishin and Bolshakov.  The UK Government described Zservers as a key component of the Russian cybercrime supply chain that provides cybercriminals with the infrastructure needed to plan and execute ransomware attacks – attacks that generated $1 billion from victims around the world in 2023 alone.  These designations were imposed under the Cyber (Sanctions) (EU Exit) Regulations 2020 (SI 2020/597), which subject listed persons to asset freezes in the United Kingdom.

On February 12, 2025, the Government of Australia announced that it had sanctioned Zservers and five Russian cybercriminals, including Mishin and Bolshakov, in connection with the 2022 cyberattack against Medibank Private that resulted in the theft of personal and sensitive medical information from millions of Medibank customers.  According to Australia’s Minister for Foreign Affairs, Zservers and the five newly sanctioned individuals provided the network infrastructure and services used to hold and release the data stolen from Medibank.  The designees also allegedly enabled other cybercrimes, including ransomware activities by affiliates of LockBit and BianLian.  The Australian Government reported that this was the first time that it had imposed cyber sanctions on an entity and the first time that sanctions had been imposed on persons who provided network infrastructure and services that enabled cyberattacks.

U.S. Department of Treasury Press Release | UK Government Press Release | OFSI Financial Sanctions Notice – Cyber | Australian Government Media Release