Ransomware Gangs use ISPsystem VMs for Stealthy Payload Delivery
Summary:
Ransomware operators and malware developers are increasingly abusing virtual machines (VMs) provisioned through ISPsystem, a legitimate virtualization management platform, to deliver stealthy payloads. Security researchers from Sophos discovered that attackers leverage ISPsystem’s VMmanager to spin up Windows VMs that use identical default hostnames and system identifiers (such as WIN-LIVFRVQFMKO and WIN-344VU98D3RU).
This "turnkey" infrastructure has been linked to high-profile ransomware operations and malware families including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif. Because the same default hostnames appear on thousands of legitimate VMs, malicious traffic blends into the noise of normal internet activity, making it difficult for automated tools to distinguish a benign server from a criminal command-and-control (C2) hub.
Security Officer Comments:
The primary impact of this tactic is the significant reduction in the cost and complexity of launching global cyberattacks. By using "bulletproof" hosting providers, such as Stark Industries Solutions and MasterRDP, that utilize ISPsystem software, ransomware gangs can rapidly deploy and dismantle infrastructure with minimal technical effort. This creates an "infrastructure-as-a-service" model for cybercrime where malicious nodes are geographically distributed and highly resilient. Because the VM templates reuse static identifiers, traditional attribution becomes blurred; a single hostname might represent thousands of different virtual servers, preventing security teams from simply blocking a specific name to stop an attack. Additionally, these hosting providers often ignore legal takedown requests, ensuring long-term operational persistence for the attackers.
Example Generic Virtual Servers:
- WIN-LIVFRVQFMKO - Windows Server 2019
  - LockBit
  - Conti
  - Qilin
  - WantToCry
  - BlackCat (ALPHV)
  - Conti chat logs
  - FortiClient EMS vulnerability exploitation
  - Ursnif
- WIN-BS656MOF35Q - Windows Server 2022
  - ClickFix, PureRAT, and Lumma stealer campaign
  - Cerberus Team malware campaigns
- WIN-344VU98D3RU - Windows Server 2012 R2
  - LockBit
  - Conti
  - Trickbot
  - RagnarLocker
  - RedLine infostealer
  - Lampion infostealer
- WIN-J9D866ESIJ2 - Windows Server 2016
  - WantToCry
  - NetSupport RAT
For Managed Service Providers (MSPs), this trend represents a heightened risk of "hidden" threats within client environments. Because these malicious VMs carry the same default hostnames as legitimate ones, standard DNS or hostname-based filtering cannot separate the two on its own. MSPs should treat an inbound connection whose workstation name is one of these generic ISPsystem hostnames (for example in an RDP or SMB logon) as a strong triage signal that warrants correlation with the source address, logon type and account involved, rather than as a block-list entry by itself.
There is also a reputational and operational risk: if an MSP unknowingly uses a hosting provider that relies on these shared VMmanager templates, its own management traffic could be flagged as malicious by upstream security vendors, leading to service disruptions or "false positive" blacklisting of legitimate client resources.
Suggested Corrections:
Organizations and MSPs should move beyond simple IP-based blocking and implement more granular behavioral analysis and threat intelligence integration. Specifically, security teams should add the default hostnames identified by researchers (e.g., WIN-LIVFRVQFMKO, WIN-344VU98D3RU, WIN-J9D866ESIJ2) to their watchlists and EDR/SIEM rules, scoring a match alongside the source address, logon type and target account so that analysts are not paged for every legitimate VMmanager tenant that happens to share the name.
Network defenders should audit their traffic for any communication with known "bulletproof" hosting providers associated with this activity, such as Zomro B.V. or Stark Industries.
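The two recommendations above (a hostname watchlist that does not alert on the name alone, and an audit of traffic from watched hosting ranges) can be combined into one triage rule. The script below is an added example and is not code from the Sophos post or from ISPsystem. It parses constructed Windows Security event 4624 records in a flat key=value form (the WorkstationName field of 4624 carries the computer name supplied by the connecting client, so it is where these template hostnames surface in a victim's logs), matches them against the hostnames the research lists, and escalates only when the source address and logon type corroborate the match. The internal network list and the watched prefix (an RFC 5737 documentation range) are assumptions standing in for a team's own ranges, not real provider address space.

```python
"""Triage of Windows logon events for reused VMmanager template hostnames.

Added example, not from the Sophos research or ISPsystem. A hostname hit
alone only earns 'review', because the same names sit on thousands of
legitimate VMs; source address and logon type decide whether to escalate.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hostnames named in the Sophos research as reused VMmanager template names.
GENERIC_VMMANAGER_HOSTNAMES = frozenset({
    "WIN-LIVFRVQFMKO",
    "WIN-BS656MOF35Q",
    "WIN-344VU98D3RU",
    "WIN-J9D866ESIJ2",
})

# A Windows default computer name is WIN- plus 11 upper-case alphanumerics;
# matching the shape surfaces templates that are not on the list yet.
DEFAULT_NAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Assumed internal ranges for this environment (replace with your own).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Placeholder for hosting ranges a team decides to watch: an RFC 5737
# documentation prefix, NOT a real provider's address space.
WATCHED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/NTLM), 10 = RemoteInteractive (RDP)


@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    workstation_name: str
    ip_address: str
    target_user: str


def parse_event(line: str) -> LogonEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed flat format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return LogonEvent(
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        workstation_name=fields["WorkstationName"].upper(),
        ip_address=fields["IpAddress"],
        target_user=fields["TargetUserName"],
    )


def _address(ip: str):
    """Return an ip_address, or None for the '-' placeholder 4624 uses locally."""
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None


def is_external(ip: str) -> bool:
    addr = _address(ip)
    if addr is None or addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def in_watched_range(ip: str) -> bool:
    addr = _address(ip)
    return addr is not None and any(addr in net for net in WATCHED_PREFIXES)


def triage(event: LogonEvent) -> tuple[str, int, list[str]]:
    """Score an event and return (verdict, score, reasons)."""
    if event.event_id != 4624:
        return "ignore", 0, ["not a successful logon"]
    score, reasons = 0, []
    if event.workstation_name in GENERIC_VMMANAGER_HOSTNAMES:
        score += 3
        reasons.append("known VMmanager template hostname")
    elif DEFAULT_NAME_RE.match(event.workstation_name):
        score += 1
        reasons.append("default-style Windows hostname")
    if event.logon_type in REMOTE_LOGON_TYPES:
        score += 1
        reasons.append(f"remote logon type {event.logon_type}")
    if is_external(event.ip_address):
        score += 2
        reasons.append("external source address")
    if in_watched_range(event.ip_address):
        score += 2
        reasons.append("source in watched hosting range")
    verdict = "escalate" if score >= 5 else "review" if score >= 3 else "ignore"
    return verdict, score, reasons


# Constructed sample records; none of these are real log entries.
SAMPLE_EVENTS = [
    "EventID=4624|LogonType=10|WorkstationName=WIN-344VU98D3RU|IpAddress=203.0.113.45|TargetUserName=svc_backup",
    "EventID=4624|LogonType=3|WorkstationName=WIN-LIVFRVQFMKO|IpAddress=10.20.30.40|TargetUserName=jdoe",
    "EventID=4624|LogonType=2|WorkstationName=FS01|IpAddress=-|TargetUserName=Administrator",
    "EventID=4624|LogonType=3|WorkstationName=WIN-A1B2C3D4E5F|IpAddress=198.51.100.7|TargetUserName=guest",
]


def run_triage(lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (workstation_name, verdict, score) for every record."""
    results = []
    for line in lines:
        ev = parse_event(line)
        verdict, score, _ = triage(ev)
        results.append((ev.workstation_name, verdict, score))
    return results


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        verdict, score, reasons = triage(ev)
        print(f"{verdict:8} {score} {ev.workstation_name:16} {ev.ip_address:14} {', '.join(reasons)}")
```

Two caveats apply when porting this to a SIEM. The WorkstationName value is supplied by the client, so an attacker can blank or change it; its absence is itself worth a point in a real rule. And the weights here are illustrative: the design point is that the hostname match raises priority but never produces a verdict without a second, independent signal, which is what keeps the thousands of legitimate VMmanager tenants out of the escalation queue.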
Finally, it is critical to enforce strict ingress/egress filtering that treats all external virtual infrastructure as untrusted, regardless of whether the hosting platform itself is legitimate.
Link(s):
https://www.sophos.com/en-gb/blog/malicious-use-of-virtual-machine-infrastructure