U.S. Sanctions Russian Hosting Service for Ransomware Role

The United States, United Kingdom, and Australia have jointly imposed sanctions against Russian bulletproof hosting services accused of enabling ransomware operations and other cybercrimes. These providers lease server infrastructure to criminal actors while deliberately ignoring takedown requests from law enforcement and abuse reports from victims. By marketing themselves as “bulletproof,” these hosting firms actively support phishing campaigns, malware distribution, command-and-control servers, and illegal content hosting.

One primary target is Media Land, designated by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) for assisting multiple ransomware syndicates, including LockBit, BlackSuit, and Play. The company’s infrastructure also reportedly facilitated distributed denial-of-service (DDoS) attacks against American telecommunications networks and other critical infrastructure. Three affiliated businesses, Media Land Technology, Data Center Kirishi, and ML Cloud, were similarly sanctioned.

Authorities also identified three Media Land executives involved in the operation. Aleksandr Volosovik, known online as “Yalishanda,” promoted the service on cybercrime forums. Kirill Zatolokin managed customer payments, while Yulia Pankova handled legal and financial matters. According to British officials, Volosovik collaborated with several notorious cybercrime organizations, including Evil Corp, Black Basta, and LockBit.

OFAC further designated Aeza Group LLC, a bulletproof hosting provider previously sanctioned in July, along with UK-based Hypercore Ltd, which served as a front company for Aeza after the initial sanctions. Additional technical support companies in Serbia and Uzbekistan were also named.

Under Secretary for Terrorism and Financial Intelligence John K. Hurley emphasized that these hosting providers supply essential services enabling cybercriminals to target businesses in the U.S. and allied nations. U.K. Foreign Secretary Yvette Cooper added that cybercriminals mistakenly believe they can operate with impunity, noting that international cooperation is exposing their networks and holding them accountable.

In a related development, Five Eyes cybersecurity agencies released joint guidance to help internet service providers and network defenders combat malicious activities linked to bulletproof hosting. Recommendations include developing high-confidence blocklists using threat intelligence, performing regular traffic analysis, and deploying filters at network perimeters, while taking care not to disrupt legitimate communications.

Internet providers can further bolster security by notifying customers about malicious resources and implementing “know your customer” protocols that require verified identification from new clients. This measure addresses the common practice among bulletproof hosts of rapidly switching contact details and using temporary email addresses and phone numbers.

The sanctions freeze all assets belonging to the designated entities and individuals within the U.S., U.K., and Australia. Any organization or person conducting business with them may face secondary sanctions or enforcement actions. This action follows a similar move in February, when the same three nations sanctioned another Russia-based hosting provider, ZServers/XHost, for supporting the LockBit ransomware gang. Dutch authorities subsequently seized 127 servers belonging to that service.

(Source: Bleeping Computer)