A major ransomware hosting provider just got hit US with sanctions
Aeza Group's services were being used for ransomware, infostealers, and disinformation
The US Treasury has announced sanctions against Russian bulletproof hosting (BPH) provider Aeza Group for its support for cyber criminals in the US and around the world.
According to US officials, the group has been selling access to specialized servers and other computer infrastructure running ransomware campaigns, infostealer operations, dark web drug markets, and Russian disinformation campaigns.
“Cyber criminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal US technology, and sell black-market drugs,” said Bradley Smith, acting under secretary of the Treasury for terrorism and financial intelligence.
“Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”
Headquartered in St. Petersburg, Aeza Group has provided its BPH services to ransomware and malware groups including Medusa and Lumma, along with infostealer operators that have used the hosting service to target the US defense industrial base and technology companies.
It has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian dark web marketplace for illicit drugs.
The sanctions include two affiliated companies - Aeza Logistic and Cloud Solutions - as well as the UK-based front company for Aeza Group, Aeza International Limited.
Sanctions hit individuals linked to Aeza Group
The sanctions also apply to four key personnel: Arsenii Aleksandrovich Penzev, Yurii Meruzhanovich Bozoyan, Vladimir Vyacheslavovich Gast, and Igor Anatolyevich Knyazev.
All property and interests in property of the four in the US, or in the possession or control of US persons, are blocked and must be reported to the Office of Foreign Assets Control (OFAC).
Meanwhile, any entities that are owned 50% or more by one or more blocked persons are also blocked.
Ronen Ahdut, head of Cyops at Cynet, said the sanctions imposed on the hosting service mark a “strategic shift in cyber crime disruption” and could play a crucial role in disrupting ransomware operations.
"Bulletproof hosts like Aeza offer anonymous, no-logs servers paid via crypto, making them ideal for persistent malicious activity,” Ahdut said.
However, he warned that network-based indicators of compromise (IOCs) such as IPs and domains are highly dynamic and often short-lived, making traditional defenses insufficient in the long term.
"While this takedown is a tactical win, it’s only a temporary disruption in a vast, decentralized ecosystem where threat actors quickly adapt," he said.
Earlier this year, international authorities announced that they'd taken down another BPH service, Zservers, which they said had been playing a critical role in the infrastructure of major cyber criminal groups such as LockBit and BlackCat.
Based in the small Russian town of Barnaul in Western Siberia, the organization was said to have been in operation since 2011, offering a variety of illicit hosting services for brute-forcing and vulnerability scanning on cyber crime forums.
MORE FROM ITPRO
-
Microsoft CEO Satya Nadella wants an end to the term ‘AI slop’ in 2026News Microsoft CEO Satya Nadella might want the term "AI slop" shelved in 2026, but businesses will still be dealing with increasing output problems and poor returns.
-
New security features are coming to Microsoft Teams this monthNews From 12 January, weaponizable file type protection, malicious URL detection, and a system for reporting false positives will all be automatically activated.
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
