Sanctions For “Bulletproof” Hosting Firm

The United States, United Kingdom and Australia have jointly sanctioned Russian web hosting company Media Land and several related firms, alleging that the group provided resilient infrastructure used by ransomware gangs and other cybercriminals.

Coordinated Action Against a Cross-Border Threat

The announcements were made on 19 November by the US Treasury, the UK’s Foreign, Commonwealth and Development Office, and Australia’s Department of Foreign Affairs and Trade. All three governments stated that Media Land, headquartered in St Petersburg, played a central role in supporting criminal operations by providing what officials describe as “bulletproof hosting” services that allow malicious activity to continue without interruption.

Sanctions List Published

The sanctions list published by the United States (on the US Treasury website) includes Media Land LLC, its sister company ML Cloud, and the subsidiaries Media Land Technology and Data Center Kirishi. Senior figures linked to the business have also been sanctioned. These include general director Aleksandr Volosovik, who is known online by the alias “Yalishanda”, employee Kirill Zatolokin, who managed customer payments and coordinated with other cyber actors, and associate Yulia Pankova, who is alleged to have assisted with legal issues and financial matters.

UK and Australia Too

The United Kingdom imposed similar measures, adding Media Land, ML.Cloud LLC, Aeza Group LLC and four related individuals to its Russia and cyber sanctions regimes. Australia followed with equivalent steps to align with its partners. Ministers in Canberra emphasised the need to disrupt infrastructure that has been used in attacks on hospitals, schools and businesses.

For Supporting Ransomware Groups

US officials say Media Land’s servers have been used to support well known ransomware groups, including LockBit, BlackSuit and Play. According to the US Treasury, the same infrastructure has also been used in distributed denial of service (DDoS) attacks against US companies and critical infrastructure. In his public statement, US Under Secretary for Terrorism and Financial Intelligence John K Hurley said that bulletproof providers “aid cybercriminals in attacking businesses in the United States and in allied countries”.

How “Bulletproof Hosting” Works

Bulletproof hosting is not a widely known term outside the security industry, yet it seems these services play a significant role in the cybercrime ecosystem. Essentially, they operate in a similar way to conventional hosting or cloud companies but differ in one important respect. They advertise themselves as resistant to takedown efforts, ignore or work around abuse reports, and move customers between servers and companies when law enforcement tries to intervene.

Providers frequently base their operations in jurisdictions where cooperation with Western agencies is limited. They also tend to maintain a network of related firms to shift infrastructure when attention increases. For criminal groups, this reduces the risk of losing control servers or websites that are used to coordinate attacks or publish stolen data.

The governments behind the latest sanctions argue that bulletproof services are not passive infrastructure providers but part of a criminal support structure that allows ransomware groups and other threat actors to maintain reliable online operations despite attempts by victims or investigators to intervene. Without that resilience, it’s likely that attacks would be harder to sustain.

Connections to Ransomware Activity

Ransomware remains one of the most damaging forms of cybercrime affecting organisations across the world. Attacks usually involve encrypting or stealing large volumes of data and demanding payment for decryption or for preventing publication. The UK government estimates that cyber attacks cost British businesses about £14.7 billion in 2024, which equates to around half of one per cent of GDP.

In the UK government’s online statement, the UK’s Foreign Secretary Yvette Cooper described Media Land as one of the most significant operators of bulletproof hosting services and said its infrastructure had enabled ransomware attacks against the UK. She noted that “cyber criminals hiding behind Media Land’s services are responsible for ransomware attacks against the UK which pose a pernicious and indiscriminate threat with economic and societal cost”.

She also linked Media Land and related providers to other forms of malicious Russian activity, including disinformation operations supported by Aeza Group. The UK had previously sanctioned the Social Design Agency for its attempts to destabilise Ukraine and undermine democratic systems. Officials say Aeza has provided technical support to that organisation, illustrating how bulletproof hosting can be used to support a wide range of unlawful activity rather than only ransomware.

Maintaining Pressure on Aeza Group

Aeza Group, a Russian bulletproof hosting provider based in St Petersburg, has been under scrutiny for some time. The United States sanctioned Aeza and its leadership in July 2025. According to OFAC, Aeza responded by attempting to rebrand and move its infrastructure to new companies to evade the restrictions. The latest sanctions are intended to close those loopholes.

A UK-registered company called Hypercore has been designated on the basis that it acted as a front for Aeza after the initial sanctions were imposed. The United States says the company was used to move IP infrastructure away from the Aeza name. Senior figures at Aeza, including its director Maksim Makarov and associate Ilya Zakirov, have also been sanctioned. Officials say they helped establish new companies and payment methods to disguise Aeza’s ongoing operations.

Serbian company Smart Digital Ideas and Uzbek firm Datavice MCHJ have also been added to the sanctions list. Regulators believe both were used to help Aeza continue operating without being publicly linked to the business.

What Measures Are Being Imposed?

Under US rules, all property and interests in property belonging to the designated entities that are within US jurisdiction must now be frozen. US persons are prohibited from engaging in transactions with them unless authorised by a licence, and any company that is owned fifty per cent or more by one or more sanctioned persons is also treated as blocked.

As for the UK, it has imposed asset freezes, travel bans and director disqualification orders against the individuals involved. Aeza Group is also subject to restrictions on internet and trust services, which means UK businesses cannot provide certain technical support or hosting services to it. Australia’s sanctions legislation includes entry bans and significant penalties for those who continue to deal with the designated organisations.

Financial institutions and businesses are also warned that they could face enforcement action if they continue to transact with any of the sanctioned parties. Regulators say this is essential to prevent sanctions evasion and to ensure that criminal infrastructure cannot continue operating through alternative routes.

New Guidance for Organisations and Critical Infrastructure Operators

Alongside the sanctions, cyber agencies in all three countries have now issued new guidance on how to mitigate risks linked to bulletproof hosting providers. The guidance explains how these providers operate, how they market themselves and why they pose a risk to critical infrastructure operators and other high value targets.

For example, organisations are advised to monitor external hosting used by their systems, review traffic for links to known malicious networks, and prepare for scenarios where attackers may rapidly move their infrastructure to avoid detection or blocking. Agencies have emphasised that defenders need to understand not only the threat actors involved in attacks but also the infrastructure that supports those operations.
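One way to carry out the traffic review described above, as an added example that is not part of the original article or the agencies' guidance: it matches outbound flow records against a watchlist of network prefixes rather than single IP addresses, so a destination that moves to a new address inside the same network is still flagged. The watchlist, labels, log format and addresses are constructed, using documentation-only ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed watchlist (prefix -> label). Documentation ranges, not real networks.
WATCHLIST = {
    "198.51.100.0/24": "example-bph-network-a",
    "203.0.113.0/25": "example-bph-network-b",
    "2001:db8:bad::/48": "example-bph-network-a",
}

# Constructed flow records: timestamp, internal source, destination, port.
SAMPLE_FLOWS = """\
2025-11-20T09:00:01Z 10.0.4.17 192.0.2.10 443
2025-11-20T09:00:05Z 10.0.4.17 198.51.100.23 443
2025-11-20T09:02:11Z 10.0.4.17 198.51.100.77 443
2025-11-20T09:03:40Z 10.0.9.2 203.0.113.200 53
2025-11-20T09:04:02Z 10.0.9.2 2001:db8:bad::5 8443
2025-11-20T09:05:00Z 10.0.9.2 not-an-ip 80
"""

def load_watchlist(entries):
    """Parse each prefix once; returns a list of (network, label)."""
    return [(ipaddress.ip_network(p), label) for p, label in entries.items()]

def match(ip_text, networks):
    """Return the label of the first watched network containing ip_text, else None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # malformed destination field: skip it, do not crash the review
    for net, label in networks:
        if addr.version == net.version and addr in net:
            return label
    return None

def review_flows(log_text, networks):
    """Return {internal_host: {label: sorted distinct watched destinations}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, _port = parts
        label = match(dst, networks)
        if label:
            hits[src][label].add(dst)
    return {s: {l: sorted(d) for l, d in labs.items()} for s, labs in hits.items()}

def rotating_hosts(report):
    """Internal hosts that reached more than one address in the same watched network."""
    return sorted(s for s, labs in report.items() if any(len(d) > 1 for d in labs.values()))
```

Hosts returned by `rotating_hosts` are worth triaging first, since repeated contact with changing addresses in one watched network suggests the destination is being moved rather than a one-off connection.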

For businesses across the UK and allied countries, the message is essentially that tackling ransomware requires action on multiple fronts. The sanctions highlight the growing importance of targeting the support systems that allow cybercriminals to operate, in addition to the groups that directly carry out attacks.

What Does This Mean For Your Business?

The wider picture here seems to point to a cross-border strategic effort to undermine the infrastructure that keeps many of these ransomware operations running. Targeting hosting providers rather than only the criminal groups themselves is a recognition that attackers rely on dependable networks to maintain their activity. Removing or restricting those services is likely to make it much more difficult for them to sustain long-running campaigns. It also sends a message that companies which knowingly support malicious activity will face consequences even if they are based outside traditional areas of cooperation.

For UK businesses, the developments highlight how the threat does not start and end with individual ransomware gangs. The services that enable them can be just as important. The new guidance encourages organisations to be more aware of where their systems connect and the types of infrastructure they depend on. This matters for sectors such as finance, health, logistics and manufacturing, where even short disruptions can create operational and financial problems. It also matters for managed service providers and other intermediaries whose networks can be used to reach multiple downstream clients.

There are implications for other stakeholders as well. For example, internet service providers may face increased scrutiny over how they monitor and handle traffic linked to high risk hosting networks. Also, law enforcement agencies will need to continue investing in cross border cooperation as many of these providers operate across multiple jurisdictions. Governments will also need to consider how to balance sanctions with practical disruption of infrastructure, because blocking financial routes is only one part of the challenge.

The situation also highlights that the ransomware landscape is continuing to evolve. Criminal groups have become more adept at shifting infrastructure and creating new companies to avoid disruption. The coordinated action against Media Land and Aeza Group shows that authorities are trying to keep pace with these tactics. How effective this approach becomes will depend on continued cooperation between governments, regulators and industry, along with the willingness to pursue the enablers as actively as the attackers themselves.


Mike Knight