Coordinated sanctions hit Russian bulletproof hosting providers enabling top ransomware Ops

US, Australia and UK sanctioned two Russian bulletproof hosting providers accused of aiding groups like LockBit, BlackSuit and Play.
Coordinated sanctions hit Russia-based provider Media Land, its leaders, and sister firms for supplying bulletproof hosting that enables ransomware and cybercrime.
“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the United Kingdom’s Foreign Commonwealth and Development Office are announcing coordinated sanctions targeting Media Land, a Russia-based bulletproof hosting (BPH) service provider, for its role in supporting ransomware operations and other forms of cybercrime,” reads the announcement published by OFAC. “BPH service providers sell access to specialized servers and other computer infrastructure specifically designed to evade detection and defy law enforcement efforts to disrupt malicious cyber activities.”
Media Land is a St. Petersburg–based bulletproof hosting provider used by major ransomware groups. Its infrastructure also supported DDoS attacks on U.S. companies and critical infrastructure. Sister company ML Cloud often worked alongside Media Land in these operations. General director Aleksandr Volosovik (“Yalishanda”) supplied servers and support to cybercriminals, while employee Kirill Zatolokin managed payments and coordinated with other actors. OFAC designated Media Land, ML Cloud, Volosovik, and Zatolokin under E.O. 13694 for contributing to cyber activities threatening U.S. national security. Yulia Pankova was designated for assisting Volosovik financially and legally. Subsidiaries Media Land Technology and Data Center Kirishi were also sanctioned as entities controlled by Media Land.
According to OFAC, after it sanctioned Aeza Group and its leaders in July 2025, the group launched a rebranding effort to hide links to its new infrastructure. OFAC’s new actions show its commitment to countering sanctions evasion by cybercriminals. Hypercore Ltd., a UK company used by Aeza to shift IP infrastructure after the sanctions, is now designated for acting on Aeza’s behalf. Aeza’s new director, Maksim Makarov, is designated for leading the evasion strategy, while Ilya Zakirov is designated for creating front companies and payment channels to obscure Aeza’s operations. Two firms used by Aeza, Smart Digital Ideas (Serbia) and Datavice (Uzbekistan), are also designated for supporting or being controlled by Aeza. CISA and partners have issued guidance to mitigate risks linked to bulletproof hosting providers.
The sanctions block all U.S.-controlled property of designated individuals and entities, including any companies in which they own 50% or more. U.S. persons are generally prohibited from any transactions involving these blocked parties unless authorized by OFAC. Anyone, financial institutions included, who engages with sanctioned entities risks enforcement actions or additional sanctions. Providing funds, goods, or services to designated parties, or receiving them from those parties, is forbidden. Violations may lead to civil or criminal penalties under OFAC’s enforcement guidelines.
Government agencies from the Five Eyes and the Netherlands issued a joint advisory on reducing risks from bulletproof hosting (BPH) providers. They urge ISPs and network defenders to block malicious ASNs, IP ranges, and IPs, supported by curated threat lists, traffic analysis, automated reviews, proper logging, intelligence sharing, and Secure-by-Design services. ISPs should also inform customers, offer ready-to-use filters, collaborate with peers, and adopt strong internet routing security practices.
“Mitigating cybercriminal activity enabled by BPH providers requires a nuanced approach because BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from ISPs or network defenders may impact legitimate activity,” states the advisory. “The authoring agencies encourage ISPs and network defenders to apply the recommendations in this document, including curating a list of “high confidence” malicious internet resources and using the list to implement filters. By doing so, ISPs and network defenders can mitigate cybercriminal activity perpetuated by BPH infrastructure. This will help reduce the effectiveness of this infrastructure and potentially force cybercriminals to use legitimate infrastructure providers who are responsive to cyber threat abuse complaints and law enforcement takedown requests.”
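The advisory's recommendation to filter on a curated "high confidence" list while limiting impact on legitimate activity can be sketched as follows. This is an added example, not code from the advisory or from OFAC; the prefixes are documentation ranges, and the confidence scores, the threshold, the protected range and the log format are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation prefixes with assumed confidence scores (0-100).
THREAT_LIST = [
    ("198.51.100.0/25", 95),
    ("198.51.100.128/25", 90),
    ("203.0.113.0/24", 95),   # high confidence, but overlaps a protected range below
    ("192.0.2.0/24", 60),     # below the threshold
]
PROTECTED = ["203.0.113.64/26"]  # constructed: range known to carry legitimate traffic
HIGH_CONFIDENCE = 85             # assumed threshold, not a value from the advisory
SEVERITY = {"allow": 0, "review": 1, "block": 2}

def build_filters(entries, protected, threshold=HIGH_CONFIDENCE):
    """Return (block, review) prefix lists; block only high-confidence, non-overlapping prefixes."""
    protected_nets = [ipaddress.ip_network(p) for p in protected]
    block, review = [], []
    for prefix, confidence in entries:
        net = ipaddress.ip_network(prefix)
        collateral = any(net.overlaps(p) for p in protected_nets)
        (block if confidence >= threshold and not collateral else review).append(net)
    # Merge adjacent prefixes so the deployed filter stays short (sample data is IPv4 only).
    return list(ipaddress.collapse_addresses(block)), list(ipaddress.collapse_addresses(review))

def verdict(ip, block, review):
    """Classify one address against the two prefix lists."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in block):
        return "block"
    if any(addr in net for net in review):
        return "review"
    return "allow"

def triage(log_lines, block, review):
    """Classify constructed flow records '<timestamp> <src_ip> <dst_ip> <dst_port>' by the worse endpoint."""
    results = []
    for line in log_lines:
        ts, src, dst, _port = line.split()
        worst = max(verdict(src, block, review), verdict(dst, block, review), key=SEVERITY.get)
        results.append((ts, src, dst, worst))
    return results

SAMPLE_LOG = [  # constructed flow records
    "2025-11-20T10:00:01Z 10.0.0.5 198.51.100.200 443",
    "2025-11-20T10:00:02Z 10.0.0.6 203.0.113.70 443",
    "2025-11-20T10:00:03Z 192.0.2.9 10.0.0.7 22",
    "2025-11-20T10:00:04Z 10.0.0.8 10.0.0.9 53",
]
BLOCK, REVIEW = build_filters(THREAT_LIST, PROTECTED)
```

Prefixes that land in the review list are logged for analyst follow-up rather than dropped, which keeps the filter from cutting off legitimate traffic that shares address space with the listed ranges.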
Pierluigi Paganini
(SecurityAffairs – hacking, bulletproof hosting)
