US charges three Russians behind 'bulletproof' hosting service used by LockBit and Play ransomware

Federal prosecutors say Media Land and ML.Cloud rented servers to ransomware crews that caused more than $62 million in damage across 21 US states.

ThreatVectr Newsdesk· 4 min read
Full-frame edge-to-edge photoreal news-editorial image of a dimly lit server room with rows of humming rack-mounted servers, cold blue LEDs, tangled ethernet ca
Share

Key points

  • US federal prosecutors on 14 July 2026 unsealed charges against three Russian nationals accused of running Media Land and ML.Cloud, hosting services used by ransomware gangs.
  • Prosecutors link the two services to more than $62 million in damages to victims in 21 US states, including hospitals, schools and banks.
  • The State Department is offering up to $10 million for information on foreign government links to the operators or the companies.
  • The US, UK and Australia sanctioned the three defendants in November 2025; the EU added its own sanctions this week alongside the UK.
  • Named customers of the hosting operation include the LockBit, BlackSuit and Play ransomware gangs.

Three Russian men have been charged in the United States with running a hosting business that rented servers to some of the world's most damaging ransomware gangs.

Ransomware is malicious software that locks a company's files until it pays the criminals to unlock them. The gangs behind it need somewhere to run their attack servers, and that is what the accused men are alleged to have sold.

The indictment, unsealed on 14 July 2026 and first reported by BleepingComputer, names Aleksandr Volosovik, who went by "Yalishanda" on criminal forums, as the owner of Media Land. Yulia Pankova is accused of owning the sister service ML.Cloud and handling legal and financial paperwork. Kirill Zatolokin allegedly collected customer payments.

What is "bulletproof" hosting?

It is hosting sold to criminals on the promise that the provider will ignore complaints and shrug off police takedown requests.

A normal web host will pull a server offline when it gets an abuse report. A bulletproof host does not. That is the whole product. Prosecutors say Media Land and ML.Cloud advertised exactly this service, and rented out infrastructure not only in Russia but in China, Finland, the Netherlands and the United States.

The servers were used for the usual criminal menu: delivering malware, running the control panels that ransomware gangs use to manage infections, hosting phishing pages (fake login screens designed to steal passwords), and running distributed denial-of-service attacks, which flood a target with junk traffic until it falls over.

Who got hurt?

US Attorney David M. Toepfer said victims sat in Ohio and 20 other states, and included banks, schools, government offices, hospitals and media companies.

The Treasury's Office of Foreign Assets Control said in November that Media Land's servers were used to launch denial-of-service attacks against US telecoms and other critical infrastructure. The named ransomware customers are a rogues' gallery of the last three years: LockBit, BlackSuit and Play. Between them they have hit hospitals, city governments and Fortune 500 firms.

Total damage tied to the hosting operation, according to the indictment, tops $62 million.

What are governments doing about it?

The three men and both companies were already under sanctions from the US, UK and Australia as of November 2025. This week the Council of the European Union added its own sanctions against Media Land, ML.Cloud and Volosovik, in what Brussels called the first joint cyber sanctions package issued with the UK against Russia.

The US State Department has gone further. Through its Rewards for Justice programme it is offering up to $10 million for information on any foreign government links to the three men, their activities, or the two companies. That wording matters. It signals that Washington suspects, or wants to test, ties between the hosting business and the Russian state.

None of the three defendants is in US custody. All are believed to be in Russia, which does not extradite its nationals.

What should businesses take from this?

Sanctions and indictments do not, by themselves, unplug a server rack in Saint Petersburg. But they raise the cost of doing business with the accused: any Western firm found paying a ransom that ends up flowing to sanctioned entities risks its own penalties.

Organisations that suspect they were hit by LockBit, BlackSuit or Play in the last two years should preserve their incident logs. The Justice Department is actively building cases, and victim data is how those cases stand up in court.

© 2026 Threat Vectr