On 19 November 2025, the United States, the United Kingdom and Australia announced sanctions on a Russia-based internet hosting firm, Media Land, and several affiliated entities, citing their role in supporting ransomware operations. The move targets so-called “bulletproof hosting” services that allegedly enable cybercriminals to launch attacks against businesses and institutions in allied countries. The coordinated action reflects growing concern among Western nations about the infrastructure that underpins large-scale cybercrime.
According to the US Treasury’s Office of Foreign Assets Control, the sanctions cover Media Land, three of its executives and three sister companies. The UK mirrored the move by adding Aeza Group LLC and ML. Cloud LLC, both tied to the same network, to its sanctions list. As part of the UK measures, asset freezes and travel bans were imposed on four individuals, and British companies were barred from providing internet or trust services to one of the implicated entities. Australia said it would adopt aligned measures and emphasised the need to disrupt ransomware networks affecting public institutions such as hospitals and schools.
The US statement described Media Land and its affiliates as “bulletproof hosting service providers” that supply essential infrastructure for cybercriminal groups. These services cloud the origin of attacks by allowing malicious actors to host or route operations through jurisdictions with limited enforcement. By targeting the infrastructure layer rather than individual hackers, the three governments aim to reduce the ability of organised criminal groups to launch ransomware, distributed denial-of-service or phishing campaigns at scale.
The sanctions are significant because they highlight how cybercrime has evolved from opportunistic attacks to infrastructure-based operations. Hosting firms that specialise in “bulletproof” services provide clients with high tolerance for malicious content, weak controls and high resilience to takedown efforts. Such providers are increasingly viewed as enablers of ransomware-as-a-service ecosystems, with affiliates relying on their networks to distribute malware and extort victims. By cutting off these services, governments hope to disrupt the business model behind many recent high-impact intrusions.
Analysts say the decision also underscores the value of international coordination in cyber enforcement. The combination of US financial sanctions, UK cyber designations, and Australia’s alignment demonstrates how countries are pooling tools to target entities based outside their own jurisdictions. These forms of sanctions include blocking access to international finance, immobilising assets and restricting business relationships, which in some cases may be more disruptive than criminal prosecutions. The cross-border nature of cybercrime makes such cooperation increasingly vital.
The sanctions may also have ripple effects across supply chains and service providers. Entities that unknowingly rely on hosting services linked to the sanctioned firms may face compliance risk or disruption when their providers are cut off from international networks. Businesses should review their vendor relationships and ensure hosting or cloud services do not route through providers with known links to illicit cyber activity. Institutions in critical sectors such as healthcare, education or manufacturing may face heightened exposure if they fail to verify the origin of their network infrastructure.
The listing of Media Land and its sister companies marks a milestone in the fight against infrastructure-driven cybercrime. Until now, enforcement has often focused on attacking individual threat actors or malware campaigns after they happen. The new approach targets the “enabler” layer, the hosting and network services that criminal enterprises exploit to stay operational. By removing the service platform, the theory is that attackers will face higher costs, more exposure and greater risk of detection.
The three governments stated that they will continue monitoring the effectiveness of the action and will take further steps as needed. They cited recent ransomware attacks on schools, hospitals and businesses as evidence that the infrastructure enabling these campaigns must be disrupted. Observers say that future efforts are likely to include similar designations, broadened cooperation among international law enforcement agencies and more granular scrutiny of hosting providers, domain registrars and cloud platforms.
The sanctions represent a significant shift in cyber law enforcement. Rather than just following the money after attacks, governments are now going after the infrastructure that enables attacks before they occur. Businesses and service providers are being reminded that their network dependencies and vendor relationships can carry cybersecurity risk. The move draws attention to the importance of transparency, oversight and resilience in internet infrastructure.