Authorities sanction Russia-based hosting provider for ransomware support
Farah Amod
Dec 9, 2025 4:28:56 PM
The U.S., U.K., and Australia imposed coordinated sanctions on Media Land, a Russia-based hosting company accused of supplying infrastructure to ransomware groups, according to Cyber Security News.
What happened
Media Land, a hosting provider based in St. Petersburg, Russia, was sanctioned on November 21, 2025, by the U.S. Department of the Treasury, the United Kingdom, and Australia. Authorities say the company supplied bulletproof hosting services to ransomware operations, including LockBit, BlackSuit, and Play. The action also targeted company leadership, affiliated entities, and infrastructure tied to criminal activity.
Going deeper
Investigators describe Media Land as a hosting provider that catered to cybercriminal groups by offering servers and networks designed to obscure malicious activity. Bulletproof hosting environments are engineered to resist law enforcement takedowns, making them attractive to ransomware gangs and threat actors who need persistent infrastructure for attacks.
Authorities allege that Media Land supported distributed denial-of-service attacks, ransomware deployment, and other operations that targeted businesses and infrastructure. The company’s leadership allegedly managed payments, advertised on criminal forums, coordinated with threat actors, and handled legal and financial arrangements for the operation.
Sanctions extended to Hypercore Ltd., a U.K. entity linked to the Aeza Group. Aeza reportedly attempted to rebrand following earlier sanctions, and additional individuals and companies in Serbia and Uzbekistan were designated for allegedly helping the network continue operating.
What was said
The Treasury Department stated that U.S. persons and businesses are now prohibited from conducting transactions with Media Land or any designated individuals or entities connected to the operation. All property and assets under U.S. jurisdiction belonging to sanctioned parties have been frozen.
Authorities stated that the coordinated measures reflect a shared effort to disrupt criminal infrastructure and reduce the availability of services that enable ransomware campaigns. Guidance from the Cybersecurity and Infrastructure Security Agency advised organizations to strengthen monitoring and defensive controls to identify infrastructure associated with bulletproof hosting providers.
The big picture
Ransomware groups rely heavily on stable infrastructure to operate, and bulletproof hosting providers have become enablers of that activity. According to the 2025 Europol Internet Organised Crime Threat Assessment, law enforcement agencies across Europe observed continued use of offshore hosting networks that shield criminal activity from disruption. The report notes that these services are often operated in jurisdictions where cooperation with international investigations is limited.
FAQs
What is a bulletproof hosting provider?
It is a hosting service that allows customers to store content or run operations with minimal risk of takedown. These providers intentionally overlook abuse reports or operate in jurisdictions where enforcement is limited.
Why do ransomware groups rely on these services?
Ransomware operators need stable and anonymous servers to manage payment portals, leak sites, and command infrastructure. Bulletproof hosting gives them predictable uptime and reduces the risk of losing access during law enforcement actions.
How do international sanctions affect cybercriminal infrastructure?
Sanctions restrict financial transactions, freeze assets, and block access to legitimate services. They also pressure intermediaries like registrars, hosting providers, and payment processors to deny support to sanctioned parties.
What is the risk for businesses that unknowingly interact with sanctioned entities?
Organizations that route payments or services through sanctioned companies may face regulatory penalties. Financial institutions are specifically required to monitor and block transactions involving designated parties.
How do investigators identify bulletproof hosting networks?
Analysts review traffic patterns, historical abuse reports, domain registrations, and associations with known threat actors. Infrastructure clusters that repeatedly appear in ransomware campaigns or phishing operations are often flagged for investigation.