Legitimate VM platform used in global ransomware operations, study finds
The findings, published Feb. 4 by the Sophos Counter Threat Unit (CTU), detail how attackers used virtual machines provisioned through ISPsystem’s VMmanager platform in multiple ransomware incidents.
A new cybersecurity investigation has found that criminal groups are abusing legitimate virtualization management software to deploy ransomware and other malware at scale, exposing thousands of internet-facing systems worldwide.
The findings, published Feb. 4 by the Sophos Counter Threat Unit (CTU), detail how attackers used virtual machines provisioned through ISPsystem’s VMmanager platform in multiple ransomware incidents, including attacks linked to LockBit, Qilin, BlackCat and WantToCry.
Reused hostnames across global attacks
Investigators traced several 2025 ransomware incidents to virtual machines bearing autogenerated Windows hostnames derived from ISPsystem templates, including WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO. These same hostnames were associated with thousands of publicly exposed systems running Remote Desktop Protocol (RDP) services.
As of Dec. 19, 2025, researchers identified 3,645 live hosts using WIN-J9D866ESIJ2 and 7,937 using WIN-LIVFRVQFMKO. Most were located in Russia, with others in Europe, the United States and parts of the Commonwealth of Independent States. A smaller number were observed in Iran.
CTU analysis found these hostnames linked not only to ransomware activity but also to NetSupport RAT deployments, Ursnif campaigns and exploitation of a FortiClient EMS vulnerability.
However, the report cautioned against assuming that identical hostnames indicate a single threat actor. Instead, the scale suggests widespread deployment of preconfigured Windows Server images that embed static hostnames and self-signed certificate identifiers.
Hosting providers under scrutiny
Several hosting providers were associated with the exposed systems. The most prevalent were Stark Industries Solutions Ltd, Zomro B.V., First Server Limited, Partner Hosting LTD and JSC IOT.
According to the report, Stark Industries Solutions Ltd has previously been observed hosting infrastructure used by both cybercriminal and Russian state-sponsored groups. The European Council imposed restrictive measures against the company in May 2025 for allegedly enabling destabilizing activities linked to Russian actors.
Separate third-party research cited by Sophos suggests First Server Limited has connections to Doppelganger, a Russian disinformation campaign sanctioned by the UK government in October 2024.
The concentration of reused hostnames across a limited number of providers and geographic regions points to mass deployment of identical virtual machine templates rather than bespoke infrastructure built by individual actors.
Template images enable large-scale abuse
Further testing by CTU researchers confirmed that default Windows Server images distributed through ISPsystem’s VMmanager control panel embed static hostnames that are not randomized during deployment.
To validate the hypothesis, researchers acquired a virtual server from a provider using VMmanager and deployed a Windows instance under standard conditions. The resulting system automatically generated one of the commonly observed hostnames.
Additional testing using a trial installation of VMmanager produced the same outcome. A review of publicly accessible template repositories confirmed that multiple Windows Server images — spanning Windows Server 2012 R2 through Windows Server 2025, as well as Windows 10 and 11 variants — contain hardcoded identifiers.
The four most prevalent hostnames account for more than 95% of observed internet-facing ISPsystem virtual machines, according to the report. Two of the most widely used images were Key Management Service (KMS)-enabled versions, allowing Windows to operate during a 180-day grace period without individual licensing.
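The two findings above (hostnames reused across thousands of exposed hosts, and the caution that a shared hostname identifies a template, not an actor) translate directly into a defender's inventory check. The following is an added example and not code from the Sophos CTU report or from ISPsystem: it parses a constructed asset-inventory CSV, flags hosts whose Windows hostname is one of the two template defaults named in the report (WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO), separately flags names matching Windows' own autogenerated `WIN-` plus 11 alphanumerics form (an assumption about the naming scheme, not something the report states), and raises severity when RDP is also exposed. The function names, severity scale and sample records are all the author's own constructions.

```python
"""Flag hosts carrying template-default Windows hostnames.

Added example, not from the Sophos CTU report. The two hostnames in
KNOWN_TEMPLATE_HOSTNAMES are the ones the report names; everything else
(sample inventory, severity scale, regex for autogenerated names) is
constructed for illustration.
"""
import csv
import io
import re
from dataclasses import dataclass

# Hostnames the report ties to ISPsystem VMmanager Windows Server templates.
KNOWN_TEMPLATE_HOSTNAMES = frozenset({"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"})

# Assumption: Windows assigns WIN-<11 alphanumerics> when no name is set at
# install time, so any such name hints at an unrenamed default image.
AUTOGEN_HOSTNAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

RDP_PORT = 3389

# Constructed inventory (TEST-NET-3 addresses, hypothetical hosts).
SAMPLE_INVENTORY = """\
ip,hostname,open_ports
203.0.113.10,WIN-J9D866ESIJ2,3389;445
203.0.113.11,WIN-LIVFRVQFMKO,445
203.0.113.12,WIN-A1B2C3D4E5F,3389
203.0.113.13,FILESRV01,445;3389
"""


@dataclass(frozen=True)
class Host:
    ip: str
    hostname: str
    open_ports: frozenset


def parse_inventory(text):
    """Parse CSV rows of ip,hostname,open_ports (ports separated by ';')."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        ports = frozenset(int(p) for p in row["open_ports"].split(";") if p)
        hosts.append(Host(row["ip"], row["hostname"], ports))
    return hosts


def classify_hostname(hostname):
    """Return 'known-template-default', 'autogenerated' or 'custom'."""
    name = hostname.strip().upper()
    if name in KNOWN_TEMPLATE_HOSTNAMES:
        return "known-template-default"
    if AUTOGEN_HOSTNAME_RE.fullmatch(name):
        return "autogenerated"
    return "custom"


def severity(kind, rdp_exposed):
    """Constructed severity scale; None means nothing to report."""
    if kind == "known-template-default":
        return "high" if rdp_exposed else "medium"
    if kind == "autogenerated":
        return "low"
    return None


def triage(hosts):
    """Produce findings sorted high -> low, then by IP.

    A match says the host was built from a shared default image; as the
    report notes, it does not by itself identify who operates the host.
    """
    findings = []
    for h in hosts:
        kind = classify_hostname(h.hostname)
        rdp_exposed = RDP_PORT in h.open_ports
        sev = severity(kind, rdp_exposed)
        if sev is None:
            continue
        findings.append({
            "ip": h.ip,
            "hostname": h.hostname.strip().upper(),
            "kind": kind,
            "rdp_exposed": rdp_exposed,
            "severity": sev,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["ip"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f['severity']:6} {f['ip']:15} {f['hostname']:16} "
              f"{f['kind']} rdp={f['rdp_exposed']}")
```

Run against a real export, the same check doubles as a post-deployment control: a freshly provisioned Windows VM that still classifies as anything other than `custom` has not had its template hostname replaced, which is the condition the report's own test deployment reproduced.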
Bulletproof hosting ecosystem
CTU researchers also identified underground advertisements for bulletproof hosting (BPH) services tied to these VM deployments. BPH operators knowingly allow illicit activity and maintain infrastructure resistant to abuse complaints and law enforcement takedowns.
The infrastructure supports ransomware command-and-control servers, malware distribution, phishing operations, botnet management and data exfiltration staging.
One provider brand, MasterRDP, appeared frequently in datasets associated with ISPsystem-derived hostnames. Telegram posts and underground forums advertised virtual private servers and RDP access under that name.
The report stressed that ISPsystem VMmanager is a legitimate commercial virtualization management platform widely used across the hosting industry and is not inherently malicious. However, its low cost and turnkey deployment capabilities make it attractive to cybercriminal operators seeking scalable, abuse-tolerant infrastructure.
A Feb. 9 update removed earlier references suggesting a business relationship between MasterRDP and another provider, citing clarification from the latter.
