Russian bulletproof hosting provider sanctioned over ransomware ties


Today, the United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations.

BPH providers lease servers to cybercriminals to help them hinder disruption efforts targeting their malicious activities, including phishing attacks, malware delivery, command and control operations, and illicit content hosting. They market themselves as “bulletproof” because they ignore victim complaints and law enforcement takedown requests.

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Media Land, which has provided services to various cybercrime marketplaces and multiple ransomware groups, including LockBit, BlackSuit, and Play, as well as three sister companies (Media Land Technology, Data Center Kirishi, and ML Cloud).


Media Land’s infrastructure was also used in distributed denial-of-service (DDoS) attacks against U.S. companies and critical infrastructure, including telecommunications systems, according to U.S. officials.

Today’s sanctions also target three Media Land executives: Aleksandr Volosovik (who has advertised the business on cybercriminal forums under the alias “Yalishanda”), Kirill Zatolokin (who collects customer payments), and Yulia Pankova (who assisted with legal issues and finances).

According to the U.K.’s Foreign, Commonwealth and Development Office, Volosovik has also worked with multiple notorious cybercrime groups, including Evil Corp, Black Basta, and LockBit.

OFAC also designated Aeza Group LLC, another BPH service provider previously sanctioned in July, and UK-based Hypercore Ltd, which Aeza used as a front company after being sanctioned, along with Serbian and Uzbek companies that provided technical support.

“These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley.

“Cyber criminals think that they can act in the shadows, targeting hard working British people and ruining livelihoods with impunity. But they are mistaken – together with our allies, we are exposing their dark networks and going after those responsible,” U.K. Foreign Secretary Yvette Cooper added.

CISA BPH guidance

Today, Five Eyes cybersecurity agencies also released joint guidance to help internet service providers and network defenders mitigate cybercriminal activity using infrastructure provided by bulletproof hosting providers.

They advised creating “high confidence” lists of malicious internet resources using threat intelligence feeds, conducting regular traffic analysis, and implementing filters at network boundaries, while also considering the impact of these measures on legitimate traffic.

ISPs can also strengthen defenses by notifying customers about malicious resource lists and by establishing “know your customer” capabilities that require verified identity information from new clients, as bulletproof providers are known to often switch between temporary email addresses and phone numbers.
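As an added illustration of the list-building and filtering advice above (not code from the guidance or from this article), the following Python example keeps only ranges that several feeds agree on, carves out allowlisted ranges to protect legitimate traffic, and checks observed flows against the result. The feed names, address ranges, allowlist, flow records and the two-feed threshold are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, not real indicators).
FEEDS = {
    "feed_a": ["192.0.2.0/24", "198.51.100.0/25"],
    "feed_b": ["192.0.2.0/25", "203.0.113.0/24"],
    "feed_c": ["192.0.2.64/26", "203.0.113.0/24", "198.51.100.128/25"],
}
ALLOWLIST = ["203.0.113.16/28"]  # hypothetical range customers legitimately use
FLOWS = [  # constructed (source, destination, bytes) records
    ("10.0.0.5", "192.0.2.70", 1200), ("10.0.0.9", "203.0.113.20", 800),
    ("10.0.0.7", "203.0.113.200", 4000), ("10.0.0.5", "198.51.100.10", 300),
]
MIN_FEEDS = 2  # assumption: "high confidence" means two or more feeds agree

def high_confidence(feeds, min_feeds=MIN_FEEDS):
    """Collapsed IPv4 networks covered by at least min_feeds distinct feeds."""
    parsed = [[ipaddress.ip_network(c) for c in cidrs] for cidrs in feeds.values()]
    keep = []
    for cand in (net for nets in parsed for net in nets):
        # CIDRs nest or are disjoint, so any shared range is itself a feed entry.
        votes = sum(any(cand.subnet_of(n) for n in nets) for nets in parsed)
        if votes >= min_feeds:
            keep.append(cand)
    return list(ipaddress.collapse_addresses(keep))

def carve_out(blocklist, allowlist):
    """Remove allowlisted ranges so legitimate destinations stay reachable."""
    result = list(blocklist)
    for allowed in map(ipaddress.ip_network, allowlist):
        nxt = []
        for net in result:
            if net.subnet_of(allowed):
                continue  # entry is entirely allowlisted
            # Split the entry around the allowlisted range, or keep it whole.
            nxt.extend(net.address_exclude(allowed) if allowed.subnet_of(net) else [net])
        result = nxt
    return sorted(result)

def review_flows(flows, blocklist):
    """Traffic analysis: group observed flows by the entry that would drop them."""
    hits = {}
    for src, dst, nbytes in flows:
        match = next((n for n in blocklist if ipaddress.ip_address(dst) in n), None)
        if match is not None:
            hits.setdefault(str(match), []).append((src, dst, nbytes))
    return hits

if __name__ == "__main__":
    print(review_flows(FLOWS, carve_out(high_confidence(FEEDS), ALLOWLIST)))
```

Reviewing the matched flows before a filter goes live shows which internal hosts would be affected, and raising `min_feeds` trades coverage for fewer false positives.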

The sanctions freeze all property of designated individuals and entities in the U.S., the U.K., and Australia, while exposing entities and individuals conducting transactions with them to secondary sanctions or enforcement actions.

In February, the three nations also sanctioned ZServers/XHost, another Russia-based BPH service provider, for supplying the LockBit ransomware gang with attack infrastructure, while Dutch police dismantled its infrastructure by seizing 127 servers.
