Ransomware operators are increasingly exploiting legitimate virtual infrastructure management platforms to host and deliver malicious payloads at scale, effectively hiding their command-and-control infrastructure among thousands of innocuous systems.
The Discovery
Researchers at cybersecurity firm Sophos uncovered this concerning trend while investigating recent WantToCry ransomware incidents. They discovered that attackers were using Windows virtual machines with identical hostnames—a telltale sign of default templates generated by ISPsystem’s VMmanager platform.
ISPsystem is a legitimate software company that develops control panels for hosting providers, used for managing virtual servers and OS maintenance. VMmanager is their virtualization management platform used to provision Windows or Linux VMs for customers.
Widespread Abuse Across Threat Actors
The investigation revealed that the same suspicious hostnames appeared in infrastructure used by multiple major ransomware operations and malware campaigns, including:
- LockBit
- Qilin
- Conti
- BlackCat/ALPHV
- Ursnif
- RedLine info-stealer
- Lumma info-stealer
How the Abuse Works
Sophos discovered that VMmanager's default Windows templates hand every deployed VM the same hostname and system identifiers. Names of this form (WIN- followed by an apparently random string) are what Windows Setup generates when no computer name is supplied, so a template imaged after that step carries the same name into every VM built from it. Bulletproof hosting providers, those that knowingly serve cybercrime operations and ignore takedown requests, take advantage of this design weakness.
These providers let malicious actors spin up VMs through VMmanager in minutes and use them as command-and-control (C2) servers and payload-delivery infrastructure. The advantage for the attacker is that the VM's hostname and identifiers are shared with thousands of legitimate customer deployments, so on their own they no longer single out a host; this complicates attribution and makes quick takedowns unlikely.
The Enabling Infrastructure
Most of the malicious VMs were hosted by providers that either have poor reputations or are subject to sanctions, including:
- Stark Industries Solutions Ltd.
- Zomro B.V.
- First Server Limited
- Partner Hosting LTD
- JSC IOT
Sophos also identified a provider called MasterRDP that controls its own physical infrastructure and uses VMmanager to blend in while selling VPS and RDP services that deliberately ignore legal requests.
Telltale Indicators
According to Sophos, four ISPsystem hostnames account for over 95% of all internet-facing ISPsystem virtual machines. Three of them are:
- WIN-LIVFRVQFMKO
- WIN-344VU98D3RU
- WIN-J9D866ESIJ2
All of these appeared in customer detection or telemetry data linked to cybercriminal activity.
Vendor Response
Following the disclosure, ISPsystem acknowledged the issue and released an update that randomizes hostname assignment for new virtual machines:
“We thank Sophos CTU for their research. As the developers of VMmanager, we understand that the very qualities that make our platform effective for business—simplicity and speed of deployment—can be misused. We have already released an update for the Windows templates: now, each time a new virtual machine is deployed, its name is generated randomly. This eliminates the possibility of technical identifier overlap and addresses the specific risk highlighted in the report.” — ISPsystem team
Defensive Recommendations
- Security teams should add the identified hostnames to their threat-hunting queries, but treat a match as a lead rather than a verdict: the same names sit on thousands of legitimate VMmanager deployments, so confirm with the remote address, its hosting provider and the observed behaviour before acting
- VMs deployed before the vendor update keep their template names, so the indicators remain useful for infrastructure that already exists
- Look for the names wherever a remote Windows host reveals its own name, such as the certificate presented on an RDP port, NTLM/SMB authentication, or the workstation field of Windows logon events
- Organizations should monitor for connections to the bulletproof hosting providers named above
- Consider blocking the listed providers' address space, weighing the impact on any legitimate services hosted there
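The following hunting script is an added example, not code from the article or from Sophos. It scans a mix of telemetry records for the three hostnames listed above, wherever a remote Windows host discloses its name (a certificate subject on an RDP port, the client name in NTLM authentication, the workstation name in a Windows logon event), and then groups hits by remote address for triage. The log lines are constructed for illustration, and the record types and field names are assumptions modelled on Zeek and Windows Security log conventions; adapt them to your own pipeline.

```python
"""Hunt for VMmanager default-template hostnames in mixed security telemetry.

Added example (not the article's or Sophos' tooling). Hostnames are the three
from the article; log records are constructed, and the "type" values and
field names are assumptions modelled on Zeek and Windows Security logs.
"""
import json
import re
from collections import defaultdict

# Hostnames reported by Sophos for VMmanager's default Windows templates.
VMMANAGER_HOSTNAMES = {
    "WIN-LIVFRVQFMKO",
    "WIN-344VU98D3RU",
    "WIN-J9D866ESIJ2",
}

# Pulls the CN out of a certificate subject such as "CN=WIN-LIVFRVQFMKO,O=X".
CN_RE = re.compile(r"CN=([^,/]+)")

# Constructed sample telemetry as JSON lines (assumed field names).
SAMPLE_LOGS = """
{"type": "zeek_x509", "ts": "2025-01-15T10:02:11Z", "id.orig_h": "10.0.0.25", "id.resp_h": "203.0.113.40", "id.resp_p": 3389, "certificate.subject": "CN=WIN-LIVFRVQFMKO"}
{"type": "win_4624", "ts": "2025-01-15T10:05:43Z", "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.7", "WorkstationName": "WIN-344VU98D3RU"}
{"type": "win_4624", "ts": "2025-01-15T10:06:01Z", "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.31", "WorkstationName": "LAPTOP-JDOE"}
{"type": "zeek_x509", "ts": "2025-01-15T10:09:55Z", "id.orig_h": "10.0.0.25", "id.resp_h": "192.0.2.10", "id.resp_p": 443, "certificate.subject": "CN=www.example.com,O=Example"}
{"type": "zeek_ntlm", "ts": "2025-01-15T10:12:30Z", "id.orig_h": "203.0.113.40", "id.resp_h": "10.0.0.9", "id.resp_p": 445, "hostname": "win-j9d866esij2"}
"""


def extract_hostname(record):
    """Return the Windows host name a record discloses, or None.

    NetBIOS-derived names are case-insensitive, so the caller normalises.
    """
    kind = record.get("type")
    if kind == "zeek_x509":
        match = CN_RE.search(record.get("certificate.subject", ""))
        return match.group(1) if match else None
    if kind == "win_4624":
        return record.get("WorkstationName")
    if kind == "zeek_ntlm":
        return record.get("hostname")
    return None


def remote_address(record):
    """Return the address of the peer that disclosed the name (assumed fields)."""
    kind = record.get("type")
    if kind == "win_4624":
        return record.get("IpAddress")
    if kind == "zeek_x509":
        return record.get("id.resp_h")  # the server presenting the certificate
    if kind == "zeek_ntlm":
        return record.get("id.orig_h")  # the client authenticating with NTLM
    return None


def hunt(log_text, hostnames=VMMANAGER_HOSTNAMES):
    """Scan JSON-lines telemetry and return one hit per matching record."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        name = extract_hostname(record)
        if name and name.upper() in hostnames:
            hits.append({
                "ts": record.get("ts"),
                "source": record["type"],
                "hostname": name.upper(),
                "remote": remote_address(record),
            })
    return hits


def triage(hits):
    """Group hits by remote address: the pivot that separates a lead from noise."""
    by_remote = defaultdict(list)
    for hit in hits:
        by_remote[hit["remote"]].append(hit)
    return dict(by_remote)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for remote, entries in triage(found).items():
        names = sorted({e["hostname"] for e in entries})
        print(f"{remote}: {len(entries)} hit(s) via {names}")
```

A hit tells you only that a host built from a VMmanager template touched your environment; the remote address, its provider and what the connection did are what turn the lead into a finding. Any hostname list used this way should be updated as new template names are published, and the match is on the normalised (upper-cased) name because NTLM and SMB carry it in varying case.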
Source: BleepingComputer | Sophos Research
