Skip to content
Ransomware group

SugarLocker

SugarLocker is a Russian ransomware gang associated with the Shtazi-IT criminal operation and linked to the development and sale of ransomware tooling.

Profile source: Mallory opens in a new tab

SugarLocker

Family profile

SugarLocker is a Russian ransomware gang associated with the Shtazi-IT criminal operation and linked to the development and sale of ransomware tooling. Russian authorities publicly identified and arrested alleged members of the group in 2026, making it one of the relatively uncommon examples of domestic ransomware enforcement action in Russia.

The group has been tied to malware development, ransomware deployment, and extortion activity against commercial organizations. Reporting connects SugarLocker to a developer ecosystem in which ransomware code and supporting infrastructure were marketed or sold, including a control panel for managing infections and payments. The operation has also been associated with recruitment and developer advertisements under the Shtazi-IT name.

Known individuals linked in reporting to the broader SugarLocker/Shtazi-IT operation include Aleksandr Ermakov and Mikhail Lenin. Ermakov was reportedly convicted in Russia under the country’s malware statute for co-writing SugarLocker and selling it, while Lenin was reportedly subjected to compulsory medical measures. The operation has also been discussed in connection with aliases such as SHTAZI and shtaziIT, and with handles attributed in some reporting to Ermakov, though attribution of individual online personas should be treated cautiously unless independently corroborated.

SugarLocker is best understood as a financially motivated Russian cybercriminal enterprise rather than a publicly established state-directed intrusion set. Its activity fits the ransomware model of encrypting victim data and demanding payment for restoration, while also reflecting the broader Russian-language cybercrime ecosystem in which malware authors, operators, and affiliates may overlap with forum-based development and sales communities.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.