Full Report
‘Bulletproof’ hosts partly dodged the last attack of this sort

Cybercrime fighters in the US, UK, and Australia have imposed sanctions on several Russia-linked entities they claim provide hosting services to ransomware gangs Lockbit, BlackSuit, and Play.…
Analysis Summary
# Threat Actor: Media Land (Hosting Provider)
## Attribution & Identity
**Actor Identification:** Russia-linked entity providing hosting services to ransomware gangs.
**Associated Groups:** Lockbit, BlackSuit, and Play (ransomware gangs).
**Aliases:** The entity is explicitly named **“Media Land.”** It is mentioned in the context of previously sanctioned providers such as Zservers and Aeza Group. Individuals sanctioned alongside Media Land include Aleksandr Volosovik (alleged general director) and Yulia Pankova (alleged legal/financial assistant).
## Activity Summary
Media Land is sanctioned by the US, UK, and Australia for allegedly providing critical hosting infrastructure to major ransomware operations (Lockbit, BlackSuit, Play). Their services facilitated the operational needs of these criminal enterprises. The action is framed as the third strike this year against "bulletproof" Russian crimeware hosts.
## Tactics, Techniques & Procedures
- Providing specialized hosting services enabling cybercrime.
- Facilitating Distributed Denial-of-Service (DDoS) attacks against U.S. victim companies and critical infrastructure.
- Hosting infrastructure used for malware infections.
- Hosting infrastructure used for scams.
- Enabling phishing attacks.
- **Note:** The article does not mention specific MITRE ATT&CK IDs.
## Targeting
**Sectors:** Critical infrastructure (mentioned regarding DDoS attacks); general victim companies.
**Geography:** Targeting U.S. victim companies (DDoS victims). The host itself is Russia-linked, and the sanctions target its international facilitation of crime.
**Victims:** U.S. victim companies facing DDoS attacks.
## Tools & Infrastructure
- **Malware Families Used (By associated actors, hosted by Media Land):** Ransomware (implied, via Lockbit, BlackSuit, Play), general malware infections.
- **Infrastructure (C2, domains, IPs):** Hosting services provided by Media Land. The article mentions a similar tactic in which the previously sanctioned Aeza Group attempted to evade sanctions by moving IP infrastructure to a UK-based entity called **Hypercore Ltd**, which has also now been sanctioned.
## Implications
The sanctions aim to disrupt the supply chain supporting major ransomware operations by targeting the "bulletproof" hosting providers they rely on. This suggests a strategic shift by international law enforcement to dismantle the logistical support structure of ransomware gangs, rather than just focusing on the gangs themselves. However, the article notes that previous targets (like Aeza) have shown adaptability by rebranding and shifting infrastructure (e.g., to Hypercore Ltd) to evade such actions, suggesting a persistent cat-and-mouse game.
## Mitigations
- Citizens and banks of the sanctioning nations are forbidden from financial and direct engagement with Media Land and associated sanctioned entities.
- Continued international coordination (US, UK, Australia) to track and sanction supply chain enablers (hosting providers).
- Vigilance against service rebranding attempts by previously sanctioned entities (e.g., Aeza moving to Hypercore Ltd).