BlackBasta Ransomware Exposed Through Yalishanda Hosting Infrastructure Leak
Internal leaks since February 2025 disclosed communications from the BlackBasta ransomware group and infrastructure details of Yalishanda, a Russian bulletproof hosting provider. Yalishanda hosted approximately 200 servers for BlackBasta, with aggregate bandwidth of 17 to 20 Gbps.
Real identities revealed include Kirill Zatolokin and Aleksandr Volosovik, both sanctioned by the US Treasury on November 19, 2025, along with Data Center Kirishi. BlackBasta outsourced command and control, data exfiltration, and payment portals to Yalishanda, which ignored abuse complaints and offered VIP 'private data center' services.
Zatolokin managed operations via Telegram, calculating bandwidth and recommending scaling. A member of the REvil group also utilized Yalishanda, highlighting a layered ecosystem where ransomware focuses on encryption while outsourcing technical infrastructure.
Sanctions from OFAC, Australia, and the UK contributed to Yalishanda's downfall, underscoring the fragility of centralized bulletproof hosting as a single point of failure. Ransomware groups will need to diversify hosting; organizations should monitor IOCs from Media Land and watch for suspicious traffic patterns.
