Aeza Group Latest BPH Service Provider Sanctioned by U.S. Treasury
The U.S. Treasury Department has sanctioned the Russian bulletproof hosting provider Aeza Group for supplying infrastructure to ransomware, malware and other cybercriminal operations and for its involvement in cryptocurrency transactions. The group ignored abuse reports and refused law-enforcement requests. 2025-7-7 02:16:0 Author: securityboulevard.com

The U.S. Treasury Department’s sanctioning earlier this month of Aeza Group, a Russia-based bulletproof hosting (BPH) service provider, is the latest step by federal agencies in the United States and other countries to dismantle the vast underworld ecosystem that threat groups leverage to run their ransomware and other cybercriminal campaigns.

BPH service providers play a key role, giving bad actors access to the infrastructure to host their malicious activities – from ransomware and phishing to disseminating malware and running command-and-control (C2) servers – while avoiding law enforcement. The service providers ignore reports of abuse and refuse requests from law enforcement to take down illegal cyber campaigns running on their infrastructure.

“Cybercriminals do not operate as lone wolves,” researchers with Intel471 wrote last year. “One of the most significant developments over the last two decades is how cybercriminals have developed services and products that are sold to other cybercriminals. This development, known as cybercrime-as-a-service, has lowered the entry barrier into cybercrime, enabled threat actors to specialize and allowed internet-based crime to flourish at scale.”

Malware doesn’t need to be coded because hackers can buy it in underground markets; it is then distributed by botnet operators to victims selected from purchased database dumps, with email addresses collected by other bad actors who trade and sell the breached information, the researchers added.

“But spam has to be sent from somewhere, and malware has to be hosted somewhere on the internet,” they wrote. “This is where we arrive at the most fundamental infrastructure requirement for cybercrime: connectivity. Actors can’t commit crimes on the internet if they don’t have access to it. … [BPH] is sought after by malicious hackers, spammers, malware distributors and botnet operators. BPH allows cybercriminals to conduct certain types of activity with a low risk of being shut down, or at least a guarantee of a period of time when harmful activity can be carried out before it’s shut down.”

Infrastructure Services for Ransomware, Phishing

That was Aeza Group’s role, according to the Treasury Department’s Office of Foreign Assets Control (OFAC). The operation, based in St. Petersburg, Russia, provided BPH services to ransomware and malware groups, including the operators behind the Meduza and Lumma infostealer campaigns, who used them to target organizations in the U.S. defense industrial base and technology companies, as well as other businesses around the world. Aeza Group also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russia-based underground marketplace for illicit drugs, where narcotics can be sold and shipped via the internet. That includes chemicals and equipment for synthesizing fentanyl and similar synthetic opioids.

Reports also indicated that Aeza Group’s infrastructure was used by the operators of Doppelganger, a Russian influence operation, and Void Rabisu, a Russia-linked group associated with the RomCom remote access trojan (RAT).

Affiliates and Crypto Wallet Also Sanctioned

Blockchain analysis firm Chainalysis noted that the sanctions also include Aeza Group’s affiliates, including Aeza International Ltd., its UK branch, and Aeza Logistic LL and Cloud Solutions LLC, both of which are Aeza Group subsidiaries. The designation also touches one TRON cryptocurrency address.

Chainalysis researchers said Aeza Group used a payment processor to receive payments from its hosting services, which made tracing customer deposits more difficult. The address “appears to function as an administrative wallet, handling cash-outs from the payment processor, forwarding funds to various exchanges, and occasionally receiving direct payments for Aeza’s services,” they wrote.

The crypto address received more than $350,000 in cryptocurrency and cashed out to different deposit addresses at various exchanges.

“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” Bradley Smith, acting undersecretary of the Treasury for terrorism and financial intelligence, said in a statement. “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”

Four Executives Also Targeted

The Treasury Department in February, along with agencies from Australia and the UK, sanctioned another Russia-based BPH provider, Zservers, for delivering services – including specialized servers resistant to law enforcement actions – to LockBit ransomware affiliates, who used them to launch and run attacks. The countries also sanctioned two Russian operators linked to Zservers.

Similarly, Treasury is also sanctioning four of the company’s leaders, including CEO Arsenii Aleksandrovich Penzev, General Director Yurii Meruzhanovich Bozoyan and Igor Anatolyevich Knyazev. Each of the three owns 33% of Aeza Group. The fourth person is Technical Director Vladimir Vyacheslavovich Gast, who manages its internal network and oversaw the addition of BlackSprut to the infrastructure.

Both Penzev and Bozoyan, along with two other people involved with Aeza Group, were arrested in April by Russian authorities and accused of running a criminal organization and enabling drug trafficking via BlackSprut.

Article source: https://securityboulevard.com/2025/07/aeza-group-latest-bph-service-provider-sanctioned-by-u-s-treasury/?utm_source=rss&utm_medium=rss&utm_campaign=aeza-group-latest-bph-service-provider-sanctioned-by-u-s-treasury