February 14, 2025 | Policy Brief
Ending the Ransomware Scourge Requires Punishing Its Enablers
Washington and its allies took a bite out of cybercrime on Tuesday in a series of coordinated steps against ransomware actors and their internet infrastructure. The U.S. Department of the Treasury and its British and Australian counterparts sanctioned Russian web hosting company Zservers for providing network infrastructure to cybercriminals. Additionally, the U.S. Department of Justice unsealed indictments against two Russian nationals arrested overseas for operating a ransomware group, while the FBI, Europol, German law enforcement, and other partners disrupted 100 of the group’s servers. The sanctions, arrests, and digital takedowns send a strong message but will likely only have a meaningful impact in the very short term.
Russian Internet Service Providers Support Ransomware
The joint sanctions block Zservers from transacting with the U.S. financial system. As a Russia-based internet hosting company, it likely has limited, if any, connections to U.S. banking. The sanctions may be more impactful in Europe, however, as the UK government also sanctioned Zservers’s British front company XHOST Internet Solutions LP.
The U.S. Treasury, the UK Foreign, Commonwealth and Development Office, and Australia’s Department of Foreign Affairs and Trade accused Zservers of directly marketing its “bulletproof hosting” services to cybercriminals. The company — and others like it — rent IP addresses and servers to cybercriminals and refuse to cooperate with law enforcement, shielding cybercriminals from prosecution.
Washington and its allies highlighted Zservers’s support for ransomware group LockBit, a particularly prolific ransomware actor. Even after a global law enforcement operation seized much of its infrastructure last year, the group has persisted, likely because of its ability to reconstitute its digital infrastructure. A new report from the Information Technology-Information Sharing and Analysis Center (IT-ISAC) — an industry collective for sharing threat information — found LockBit to be the second most active group in 2024.
Artificial Intelligence Is Poised to Make Ransomware Worse
The IT-ISAC further warned that ransomware groups are beginning to use artificial intelligence (AI) to “streamline” operations, “using AI to perform tasks that free up humans to perform other activities — and to create more sophisticated attacks.” While AI has not yet become a game changer for cyberattacks or malicious foreign influence campaigns, hackers are using it to remove errors from their malware and to create ever more convincing deepfake videos. The FBI warned late last year that cybercriminals are using AI to create more effective financial fraud schemes, while British intelligence has cautioned that the “use of available AI models to improve access will contribute to the global ransomware threat in the near term.”
Time to Target Ransomware’s Safe Havens
Thwarting cybercriminals’ ability to leverage AI requires Western technology companies to build models with ever more robust security parameters that will detect and refuse to answer requests for assistance with writing malicious code. Additionally, the United States and its allies should press forward with export controls on key enabling technologies to restrict the computing power and sophistication of AI platforms built by authoritarian countries.
However, the existing U.S. economic coercion and law enforcement tools are unlikely to turn the tide on ransomware as long as criminal groups receive safe haven in Russia. It is well past time to hold the Kremlin accountable by creating a formal designation similar to state sponsors of terrorism but for “state sponsors of cybercrime.” As cyber policy experts argued in a report last fall, such a designation would acknowledge “the symbiotic relationships that often exist between state actors and cybercriminal organizations.” Russia, the authors note, exemplifies this model.
Annie Fixler is a research fellow at the Foundation for Defense of Democracies (FDD) and the director of FDD’s Center on Cyber and Technology Innovation (CCTI), where Rohannah Shrestha is an intern. For more analysis from the authors, CCTI, and FDD’s Russia Program, please subscribe HERE. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.