BlackBasta Ransomware Exposed Through Yalishanda Hosting Infrastructure Leak
Internal leaks have revealed that the BlackBasta ransomware group relied on Yalishanda, a Russian bulletproof hosting provider that hosted around 200 servers for the group. The leaks exposed the identities of key operatives, including Kirill Zatolokin and Aleksandr Volosovik, both sanctioned by the US Treasury. The situation underscores the vulnerability of centralized bulletproof hosting and the pressure it puts on ransomware groups to diversify their infrastructure.

Internal leaks since February 2025 have disclosed communications from the BlackBasta ransomware group and details of the infrastructure of Yalishanda, a Russian bulletproof hosting provider. Yalishanda hosted approximately 200 servers for BlackBasta, with bandwidth of 17 to 20 Gbps.
The real identities revealed include Kirill Zatolokin and Aleksandr Volosovik, both sanctioned by the US Treasury on November 19, 2025, along with Data Center Kirishi. BlackBasta outsourced its command and control, data exfiltration, and payment portals to Yalishanda, which ignored abuse complaints and offered VIP 'private data center' services.
Zatolokin managed operations via Telegram, calculating bandwidth needs and recommending when to scale. A member of the REvil group also used Yalishanda, highlighting a layered ecosystem in which ransomware operators focus on encryption while outsourcing the technical infrastructure.
Sanctions from OFAC, Australia, and the UK contributed to Yalishanda's downfall, emphasizing the vulnerability of centralized bulletproof hosting. Ransomware groups must diversify their hosting; organizations should monitor IOCs associated with Media Land and watch for suspicious traffic patterns.