SugarLocker is a Russian ransomware gang associated with the Shtazi-IT criminal operation and linked to the development and sale of ransomware tooling. Russian authorities publicly identified and arrested alleged members of the group in 2026, making it one of the relatively uncommon examples of domestic ransomware enforcement action in Russia. The group has been tied to malware development, ransomware deployment, and extortion activity against commercial organizations. Reporting connects SugarLocker to a developer ecosystem in which ransomware code and supporting infrastructure were marketed or sold, including a control panel for managing infections and payments. The operation has also been associated with recruitment and developer advertisements under the Shtazi-IT name. Known individuals linked in reporting to the broader SugarLocker/Shtazi-IT operation include Aleksandr Ermakov and Mikhail Lenin. Ermakov was reportedly convicted in Russia under the country’s malware statute for co-writing SugarLocker and selling it, while Lenin was reportedly subjected to compulsory medical measures. The operation has also been discussed in connection with aliases such as SHTAZI and shtaziIT, and with handles attributed in some reporting to Ermakov, though attribution of individual online personas should be treated cautiously unless independently corroborated. SugarLocker is best understood as a financially motivated Russian cybercriminal enterprise rather than a publicly established state-directed intrusion set. Its activity fits the ransomware model of encrypting victim data and demanding payment for restoration, while also reflecting the broader Russian-language cybercrime ecosystem in which malware authors, operators, and affiliates may overlap with forum-based development and sales communities.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Attributed origin per open-source reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named ransomware crew linked in the article to Shtazi-IT and to Ermakov through forum handles and Russian criminal case material about co-writing and selling SugarLocker.
Local ransomware gang whose alleged members were arrested and prosecuted in Russia.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.