Ransomware gang uses ISPsystem VMs for stealthy payload delivery

Ransomware Gangs Hijack Legitimate Virtual Infrastructure to Deliver Stealthy Payloads at Scale

In a sophisticated twist on cybercrime infrastructure, ransomware operators are exploiting legitimate virtual machine management platforms to host and distribute malicious payloads, creating a digital camouflage that blends criminal activity with thousands of legitimate systems.

Sophos researchers, while investigating recent ‘WantToCry’ ransomware incidents, uncovered a disturbing trend: attackers are leveraging Windows virtual machines provisioned through ISPsystem’s VMmanager platform, a legitimate virtualization management solution used by hosting providers worldwide.

The investigation revealed a pattern of identical hostnames across multiple ransomware operations. These weren’t random choices—they were the default identifiers generated by ISPsystem’s VMmanager templates, suggesting a systematic exploitation of the platform’s design.

What makes this particularly alarming is the scale and diversity of operations using this technique. Beyond WantToCry, the same infrastructure patterns appeared in campaigns from major ransomware groups including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as malware operations distributing RedLine and Lummar info-stealers.

The geographic distribution of these compromised systems spans multiple countries, creating a truly global threat landscape. Researchers mapped the locations and found infected devices scattered across different regions, making traditional takedown efforts exponentially more complex.

ISPsystem, the Ukrainian company behind VMmanager, provides legitimate control panels for hosting providers, enabling management of virtual servers and operating system maintenance. Their VMmanager platform allows customers to quickly spin up Windows or Linux virtual machines.

However, Sophos discovered that VMmanager’s default Windows templates reuse identical hostnames and system identifiers with each deployment. This design choice, intended for convenience, has become a vulnerability that bulletproof hosting providers are exploiting.

These rogue hosting providers, known for supporting cybercrime operations and ignoring takedown requests, use VMmanager to spin up virtual machines specifically for command-and-control infrastructure and payload delivery. By hosting malicious systems alongside thousands of legitimate ones, they create a smokescreen that complicates attribution and makes rapid response nearly impossible.

The research identified a concerning concentration of malicious VMs hosted by providers with notorious reputations or international sanctions. Companies like Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT appeared repeatedly in the analysis.

Even more troubling was the discovery of MasterRDP, a provider with direct control over physical infrastructure that uses VMmanager specifically for evasion purposes. This company offers VPS and RDP services that explicitly do not comply with legal requests, creating a safe haven for cybercriminals.

Sophos’ analysis revealed that just four ISPsystem hostnames account for over 95% of internet-facing ISPsystem virtual machines:

– WIN-LIVFRVQFMKO
– WIN-344VU98D3RU
– WIN-J9D866ESIJ2

Each of these identifiers appeared consistently in customer detection data or telemetry linked to criminal activity, confirming their widespread abuse.
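Because the template hostnames above are shared by every VM built from the same VMmanager image, they are a usable hunting pivot in telemetry. The following script is an added example (not Sophos' or ISPsystem's code): it parses constructed key=value session logs, flags events whose remote hostname is one of the defaults quoted in the article, and aggregates hits per source address. The log format and sample lines are constructed for this example, and a match is a lead for triage, not a verdict, since legitimate customers inherit the same defaults.

```python
"""Hunt constructed telemetry for default ISPsystem VMmanager Windows hostnames."""
import re
from collections import Counter

# Default hostnames produced by VMmanager's Windows templates, as listed in the article.
VMMANAGER_DEFAULT_HOSTNAMES = frozenset({
    "WIN-LIVFRVQFMKO",
    "WIN-344VU98D3RU",
    "WIN-J9D866ESIJ2",
})

# Constructed log format: key=value pairs, as a SIEM might export session or
# authentication events that carry the remote machine's NetBIOS/host name.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return a dict of key/value fields for one constructed log line."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_vmmanager_default(hostname):
    """True if the hostname (case-insensitive) is a known VMmanager template default."""
    return hostname.upper() in VMMANAGER_DEFAULT_HOSTNAMES


def hunt(lines):
    """Flag events whose remote hostname is a VMmanager default; count hits per src_ip."""
    hits = []
    per_source = Counter()
    for line in lines:
        ev = parse_event(line)
        host = ev.get("remote_host")
        if host and is_vmmanager_default(host):
            hits.append(ev)
            per_source[ev.get("src_ip", "?")] += 1
    return hits, per_source


# Constructed sample telemetry: two sessions from VMmanager-default hosts, one benign.
SAMPLE_LOG = [
    'ts=2024-05-01T10:00:01Z src_ip=203.0.113.10 remote_host=WIN-LIVFRVQFMKO action=rdp_login',
    'ts=2024-05-01T10:02:13Z src_ip=198.51.100.7 remote_host=fileserver01 action=smb_session',
    'ts=2024-05-01T10:05:44Z src_ip=203.0.113.10 remote_host=win-344vu98d3ru action=http_get',
]

if __name__ == "__main__":
    flagged, counts = hunt(SAMPLE_LOG)
    for ev in flagged:
        print(f"ALERT {ev['ts']} {ev['src_ip']} {ev['remote_host']} {ev['action']}")
    print(dict(counts))  # {'203.0.113.10': 2}
```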

The attractiveness of ISPsystem VMmanager to cybercriminals is multifaceted. Beyond the technical weaknesses, the platform offers low cost, minimal barriers to entry, and turnkey deployment that allow even unsophisticated actors to stand up capable infrastructure quickly.

This discovery highlights a growing trend in cybercrime: the weaponization of legitimate infrastructure. Rather than building custom command-and-control servers that are easily identifiable and blockable, attackers are hiding in plain sight among legitimate systems, using trusted platforms as their operational base.

The implications extend far beyond individual ransomware incidents. This technique enables persistent, resilient criminal infrastructure that can withstand traditional takedown efforts and law enforcement actions. Each compromised VM represents not just a single attack vector, but potentially an entire network of interconnected malicious systems.

BleepingComputer reached out to ISPsystem for comment on its awareness of this large-scale abuse and any planned remediation efforts, but the company had not provided a statement at the time of publication.

This revelation serves as a stark reminder that in the evolving landscape of cybersecurity, the line between legitimate and malicious infrastructure is becoming increasingly blurred. Defenders must now consider not just known bad actors, but also the potential abuse of trusted platforms and services that form the backbone of the internet.

The sophistication of this approach demonstrates that ransomware groups and other cybercriminals are continuously evolving their tactics, finding new ways to exploit legitimate systems for malicious purposes. As virtual infrastructure becomes more prevalent and accessible, this type of abuse is likely to increase, requiring new approaches to threat detection and response.
