Ransomware Gang's Malicious Use Of ISPsystem's VM Infrastructure
In recent months, cybersecurity researchers have uncovered a troubling trend in the ransomware threat landscape: cybercriminals are increasingly abusing legitimate virtual machine infrastructure to conceal their infrastructure, deliver malicious payloads, and keep their operations running while avoiding detection and takedown efforts. This shift in tactics leverages widely used virtualization tools in unexpected ways, blurring the line between legitimate cloud services and criminal infrastructure.

At the center of the issue lies ISPsystem's VMmanager, a commercial virtualization management platform that hosting providers use to provision and manage virtual servers. These virtual machines can run Windows or Linux instances for customers, offering low cost and easy deployment.
The platform's design, particularly its use of static, widely reused Windows templates with identical hostnames and system identifiers, has inadvertently created a strong lure for ransomware gangs and malware operators. Because the default templates do not randomize key identifiers, tens of thousands of machines deployed through this system appear nearly identical on the internet. This uniformity provides a cloak of legitimacy that attackers have begun to exploit at scale.
Researchers from the Sophos Counter Threat Unit (CTU) first observed this phenomenon while investigating several ransomware incidents involving the WantToCry ransomware gang. These analyses revealed that attackers were not just using custom infrastructure or compromised servers; they were also renting or provisioning virtual machines through ISPsystem's platform.
These machines posed a significant detection challenge because their static default naming patterns made it difficult to distinguish them from one another or from benign customer VMs. The implication matters because defenders and automated detection tools have greater difficulty isolating malicious activity when the infrastructure appears legitimate on the surface.
Sophos' research highlighted that multiple ransomware operations, including LockBit, Agenda, ALPHV, and various supplementary tool sets like RedLine and Ursnif, were observed across several of the most prevalent static hostnames. These machines proliferated across different hosting providers, allowing attackers to conceal their command-and-control servers and payload distribution points among thousands of innocuous-looking hosts.
A closer look at the infrastructure showed how these hosts are linked. While each individual VM instance on the internet appears unique from an IP and hosting perspective, the underlying template and naming pattern tie many such instances together.
According to Sophos' analysis, a handful of static hostnames, such as WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, accounted for the majority of these internet-facing ISPsystem virtual machines. In some cases, Shodan, a search engine for internet-connected devices, identified thousands of live hosts sharing these exact hostnames, with the most prevalent names linked to both ransomware operations and other financially motivated attack campaigns.
Attribution Challenges
An ongoing challenge in attribution stems from this shared infrastructure. On the surface, defenders and researchers might conclude that related activity originates from a single threat actor. In reality, many different criminal groups have rented or deployed these identical VM images through bulletproof hosting providers that tolerate or ignore abuse complaints.
These bulletproof hosts, hosting providers known for ignoring abuse reports, rent out virtual machines without rigorous oversight, allowing malicious actors to use them as launchpads for ransomware activity.
The use of such infrastructure offers several tactical advantages to attackers. First, provisioning virtual machines through legitimate platforms like ISPsystem's VMmanager allows them to bypass some of the heuristics security teams rely on to flag malicious infrastructure.
Traditional blocklists and detection systems often focus on known malicious IPs or domains; when ransomware operates on machines that appear to be regular customer VMs, defenders must rely on behavioral analytics and deeper traffic inspection to detect anomalies. Second, by spreading operations across many identical but distinct VMs, attackers avoid single points of failure. If one VM is taken down or blacklisted, others continue to operate, enabling ongoing command-and-control and payload delivery.
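The hostname clustering described above, and the attribution caveat from the previous section, as an added illustration that is not part of the original article or of Sophos' tooling: constructed scan-style records (the two hostnames are the ones quoted in the article, the IPs are documentation ranges, the hosting org names are invented) are grouped by hostname, and a default-style name seen across several providers is labelled a template artifact rather than an actor indicator. The `WIN-` plus eleven characters pattern is assumed from the two quoted hostnames.

```python
import json
import re
from collections import defaultdict

# Constructed scan-style records (not real data); the two hostnames are the
# ones named in the article, IPs are documentation ranges, orgs are invented.
SAMPLE_RECORDS = """\
{"ip": "198.51.100.10", "hostname": "WIN-J9D866ESIJ2", "org": "HosterA"}
{"ip": "198.51.100.11", "hostname": "WIN-J9D866ESIJ2", "org": "HosterB"}
{"ip": "198.51.100.12", "hostname": "WIN-J9D866ESIJ2", "org": "HosterC"}
{"ip": "203.0.113.5", "hostname": "WIN-LIVFRVQFMKO", "org": "HosterA"}
{"ip": "203.0.113.6", "hostname": "WIN-LIVFRVQFMKO", "org": "HosterD"}
{"ip": "192.0.2.77", "hostname": "WIN-Q4ZT8XAB2RC", "org": "HosterE"}
{"ip": "192.0.2.78", "hostname": "fileserver01", "org": "HosterE"}
{"ip": "192.0.2.79", "hostname": "fileserver01", "org": "HosterF"}
"""

# Shape of the two hostnames quoted in the article (assumed general pattern).
TEMPLATE_NAME = re.compile(r"^WIN-[A-Z0-9]{11}$")

def load_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def cluster_by_hostname(records):
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec["hostname"].upper()].append(rec)
    return clusters

def hostname_stats(records):
    """Per hostname: host count, distinct hosting orgs, share of all hosts."""
    total = len(records)
    stats = {}
    for name, recs in cluster_by_hostname(records).items():
        stats[name] = {
            "hosts": len(recs),
            "orgs": len({r["org"] for r in recs}),
            "share": round(len(recs) / total, 2),
        }
    return stats

def pivot_quality(name, stats):
    """How much a hostname tells you about who operates a host. A default-style
    name spread over several providers identifies the VM image, not an actor."""
    s = stats.get(name.upper())
    if s is None:
        return "unseen"
    if TEMPLATE_NAME.match(name.upper()) and s["orgs"] > 1:
        return "shared-template"
    if s["hosts"] > 1:
        return "shared-name"
    return "unique"

def top_hostnames(stats, n=2):
    return sorted(stats, key=lambda h: -stats[h]["hosts"])[:n]
```

A hostname labelled `shared-template` is a reason to pivot to behavioral signals (traffic, served content, timing) rather than to attribute every host carrying it to one group.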
One striking detail in the Sophos findings was the geographic dispersion of these VM hosts. While many were located in Russia and other Commonwealth of Independent States (CIS) countries, instances also appeared in the European, North American, and Middle Eastern IP spaces. This broad footprint makes global takedown efforts more complex and underlines how the internet's decentralized architecture benefits malicious actors when they employ widely distributed infrastructure.
A subsequent BleepingComputer article confirms that the majority of malicious VMs were hosted by a small cluster of providers with poor reputations, some of which have faced sanctions. Names that appeared frequently in monitoring data include Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT, companies previously associated with tolerating criminal activity or ignoring takedown requests.
Another provider, MasterRDP, operates under the brand "rdp.monster" and is notable for claiming direct control over the physical infrastructure behind its hosted virtual machines. These services often offer virtual private servers (VPS) and remote desktop protocol (RDP) access without complying with legal requests or responding to abuse reports, making them appealing to attackers seeking long-running, hard-to-disrupt platforms.
The convergence of legitimate and malicious use of virtual machines illustrates a broader tension within the modern cloud-enabled threat landscape. Virtualization has long been a cornerstone of scalable computing, allowing businesses to quickly deploy and manage resources cost-effectively.
However, that same ease of deployment and low barrier to entry, dubbed "turnkey deployment" by analysts, also makes these platforms ripe for abuse. Attackers do not need to invest in bespoke infrastructure or maintain complex hosting arrangements; they can spin up Windows VMs with minimal cost and rapidly integrate them into their ransomware infrastructure.
In response to these findings, there is evidence that ISPsystem has taken initial steps toward mitigation. A post-publication statement from ISPsystem confirmed that an update had been released to randomize hostname assignment for Windows templates, eliminating one of the key identifiers that attackers could use to cluster unrelated instances. While this does not eliminate the potential for abuse entirely, it reduces one clear mechanism by which malicious virtual machines were previously being identified and linked at scale.
The statement issued by ISPsystem read as follows:
We thank Sophos CTU for their research. As the developers of VMmanager, we understand that the very qualities that make our platform effective for business—simplicity and speed of deployment—can be misused. We have already released an update for the Windows templates: now, each time a new virtual machine is deployed, its name is generated randomly. This eliminates the possibility of technical identifier overlap and addresses the specific risk highlighted in the report. We value the experts' contribution to security and are ready to help build a secure environment together.
Karolis Liucveikis
PCrisk security portal is brought by a company RCS LT.