US, allies sanction Russian bulletproof hosting services for ransomware support
A popular Russian bulletproof hosting service provider named Media Land was sanctioned by the U.S. Treasury and international partners on Wednesday for its alleged support of ransomware gangs and other cybercriminal operations.
The St. Petersburg-based company provides hackers with access to IP addresses, servers and domains that are used to spread malware, form botnet armies and carry out ransomware attacks.
The U.S., U.K. and Australia accused Media Land of providing services to online criminal marketplaces as well as ransomware groups like LockBit, BlackSuit and Play. The company’s services were also used in several distributed denial-of-service (DDoS) attacks on U.S. critical infrastructure entities, the Treasury said.
The three countries also sanctioned Data Center Kirishi and ML Cloud — sister companies of Media Land that provide other technical infrastructure to ransomware gangs.
The sanctions include Aleksandr Volosovik, Media Land’s general director, his financial manager Yulia Pankova and Kirill Zatolokin, who is allegedly responsible for collecting payment from customers and coordinating services with cybercriminals.
“These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” said John Hurley, a Treasury Department undersecretary.
The companies market themselves as “bulletproof” because they do not respond to victim complaints or legal filings from those impacted by cyberattacks enabled by their services.
Aeza Group sanctions
The U.S. and U.K. also sanctioned Hypercore, a front company for another bulletproof hosting service called Aeza Group.
The Treasury hit Aeza Group with its own sanctions in July, but officials said Wednesday that the company rebranded and created new infrastructure removing connections to the previous operation.
Hypercore is registered in the U.K. and is being used by Aeza Group to evade the sanctions, they said. Maksim Vladimirovich Makarov, the new director of Aeza Group, was also sanctioned alongside another company employee, Ilya Vladislavovich Zakirov.
Two other front companies based in Serbia and Uzbekistan named Smart Digital Ideas DOO and Datavice MCHJ were included in the tranche of sanctions.
The St. Petersburg-based Aeza Group has allegedly provided hosting services to ransomware gangs like BianLian and the operators behind infostealing malware like RedLine, Lumma and Meduza.
The Treasury Department previously accused Aeza Group of helping hackers target U.S. defense companies and technology firms. Cybersecurity researchers have also linked Aeza Group to the pro-Kremlin disinformation campaign known as Doppelgänger, which has been active in Europe since at least 2022.
Alongside the sanctions, the Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. agencies released a guide on how organizations can deal with the risks presented by bulletproof hosting providers.
Developed by the Joint Ransomware Task Force, the guide is designed to help internet service providers and network defenders “combat the escalating threat of ransomware attacks.”
“Bulletproof hosting is one of the core enablers of modern cybercrime,” said acting CISA Director Madhu Gottumukkala. “By shining a light on these illicit infrastructures and giving defenders concrete actions, we are making it harder for criminals to hide and easier for our partners to protect the systems Americans rely on every day.”
Nick Andersen, executive assistant director for the cybersecurity division at CISA, added that bulletproof hosting platforms are increasingly common accomplices used to help cybercriminals remain undetectable and difficult to trace.
The goal of the guide, CISA explained, is to reduce the effectiveness of bulletproof hosting infrastructure and force cybercriminals to use legitimate infrastructure providers that will respond to victim complaints and law enforcement takedown requests.
Law enforcement agencies have targeted a handful of Russian bulletproof hosting providers in the last year, including Zservers, Lolek Hosted and others. Several people have been sentenced to years in prison for their roles running the services.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



