Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider.

Researchers at cybersecurity company Sophos observed the tactic while investigating recent ‘WantToCry’ ransomware incidents. They found the attackers used Windows VMs with identical hostnames, suggesting default templates generated by ISPsystem’s VMmanager.

Diving deeper, the researchers discovered that the same hostnames were present in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as various malware campaigns involving RedLine and Lummar info-stealers.

ISPsystem is a legitimate software company that develops control panels for hosting providers, used for the management of virtual servers, OS maintenance, etc. VMmanager is the company’s virtualization management platform used to spin up Windows or Linux VMs for customers.

Sophos found that VMmanager’s default Windows templates reuse the same hostname and system identifiers every time they are deployed.

Bulletproof hosting providers that knowingly support cybercrime operations and ignore takedown requests take advantage of this design weakness. They allow malicious actors to spin up VMs via VMmanager, used for command-and-control (C2) and payload-delivery infrastructure.

This essentially hides malicious systems among thousands of innocuous ones, complicates attribution, and makes quick takedowns unlikely.

The majority of the malicious VMs were hosted by a small cluster of providers with a bad reputation or sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.

Sophos has also discovered a provider with direct control of physical infrastructure named MasterRDP, which uses VMmanager for evasion and offers VPS and RDP services that do not comply with legal requests.

According to Sophos, four of the most prevalent ISPsystem hotnames “account for over 95% of the total number of internet-facing ISPsystem virtual machines:”

• WIN-LIVFRVQFMKO
• WIN-LIVFRVQFMKO
• WIN-344VU98D3RU
• WIN-J9D866ESIJ2

All of them were present either in customer detection or telemetry data linked to cybercriminal activity.

The researchers note that while ISPsystem VMmanager is a legitimate platform for virtualization management, it is also attractive to cybercriminals due to “its low cost, low barrier to entry, and turnkey deployment capabilities.”

BleepingComputer has contacted ISPsystem to ask if they are aware of the large-scale abuse of VM templates and their plans to address the issue, but a statement wasn’t available by publishing time.

Update 2/6 – A spokesperson of ISPsystem sent BleepingComputer the following statement, which confirms they have added randomization in hostname assignment:

“We thank Sophos CTU for their research. As the developers of VMmanager, we understand that the very qualities that make our platform effective for business—simplicity and speed of deployment—can be misused. We have already released an update for the Windows templates: now, each time a new virtual machine is deployed, its name is generated randomly. This eliminates the possibility of technical identifier overlap and addresses the specific risk highlighted in the report. We value the experts’ contribution to security and are ready to help build a secure environment together.” – ISPsystem team