PROBABLYPWNED
Malware | February 6, 2026 | 5 min read

Ransomware Gangs Share ISPsystem VMs to Hide Attacks

Sophos finds 7,000+ servers with identical hostnames from ISPsystem VMmanager templates. LockBit, Qilin, and Conti all used the same bulletproof hosting VMs.

James Rivera

Ransomware operators aren't building bespoke attack infrastructure anymore. They're renting it off the shelf—from the same supplier, using the same templates, with the same default Windows hostnames. Sophos researchers published findings this week showing that bulletproof hosting providers have been mass-provisioning ISPsystem VMmanager virtual machines to cybercriminal clients, creating a shared infrastructure layer that spans some of the biggest names in ransomware.

What Sophos Found

The investigation started with a routine WantToCry ransomware incident. Sophos analysts noticed the attacker's command-and-control server ran on a Windows VM with an unusual NetBIOS hostname: WIN-LIVFRVQFMKO. That hostname turned up again. And again. Across unrelated cases, across different threat actors, the same four hostnames kept appearing.

As of December 2025, those four hostnames accounted for over 95% of all internet-facing ISPsystem VMs:

  • WIN-LIVFRVQFMKO (Windows Server 2019) — 7,937 exposed hosts
  • WIN-BS656MOF35Q (Windows Server 2022) — 7,825 exposed hosts
  • WIN-344VU98D3RU (Windows Server 2012 R2) — 7,437 exposed hosts
  • WIN-J9D866ESIJ2 (Windows Server 2016) — 3,645 exposed hosts

The root cause is mundane. ISPsystem's VMmanager platform ships Windows templates with hardcoded, non-randomized hostnames and self-signed certificates. Every VM provisioned through the default workflow gets an identical identifier. Sophos confirmed this by deploying their own test VM and receiving WIN-J9D866ESIJ2 automatically.

A Shared Criminal Supply Chain

What makes these findings alarming isn't the hostname duplication itself—it's who's using these VMs. Sophos traced the same hostnames back to operations by LockBit, Qilin, Conti, BlackCat/ALPHV, RagnarLocker, and WantToCry ransomware groups. The same infrastructure also hosted NetSupport RAT, Ursnif banking malware, RedLine and Lumma infostealers, and ClickFix social engineering campaigns.

One historical link stands out. A system using WIN-LIVFRVQFMKO was traced to "Bentley"—later identified as Maksim Galochkin, a Conti operator sanctioned by both the U.S. and UK governments. He used it in late 2021 to access private Jabber chats shared by operators behind Conti and TrickBot.

The pattern isn't individual actors independently choosing ISPsystem. It's a supply chain. Bulletproof hosting providers like MasterRDP (operating under the rdp.monster brand) lease pre-configured ISPsystem VMs through underground forums and Telegram channels at tiered pricing based on compute resources.

The Hosting Providers Behind the Infrastructure

Sophos identified several hosting providers disproportionately associated with these VMs. Stark Industries Solutions Ltd., founded in February 2022—timing that coincides with Russia's invasion of Ukraine—hosts hundreds of systems across the identified hostnames. The European Council issued restrictive measures against the company in May 2025 for enabling "various Russian state-sponsored and affiliated actors to conduct destabilizing activities."

First Server Limited, another top provider, has connections to Doppelganger, a Russian disinformation operation. UK authorities sanctioned its associated operators in October 2024.

Other providers appearing in the data include Zomro B.V., Partner Hosting LTD, and JSC IOT. The geographic concentration falls heavily on Russia and CIS countries, with presence in Europe and the United States as well.

Why This Setup Works for Attackers

The appeal is straightforward. ISPsystem VMmanager is legitimate commercial software used across the hosting industry. Its low cost and turnkey deployment make it easy to spin up infrastructure fast. And because thousands of compliant businesses also run on the same platform with the same default hostnames, malicious servers blend into a haystack of over 27,000 identically fingerprinted systems.

Even if one server gets flagged and taken down, hundreds of functionally identical machines remain operational. This is a problem that CISA and ransomware task forces have been grappling with for years—takedowns work against specific nodes, but not when the attacker can replace infrastructure in minutes.

The trend also fits a broader pattern. Attackers have been increasingly abusing virtual machines to evade detection, from the early "bring your own VM" technique pioneered by RagnarLocker in 2020 to the recent VMware ESXi sandbox escapes that CISA confirmed are being used in ransomware campaigns. ISPsystem abuse represents the infrastructure side of that same coin—VMs as disposable attack platforms rather than evasion tools on a victim's own network.

What's Being Done

ISPsystem has released an update to VMmanager that implements random hostname generation for new deployments, which eliminates the identifier overlap for freshly provisioned VMs. That doesn't do anything for the 27,000+ existing systems already running with default hostnames, though.

For defenders, the Sophos report offers a concrete detection opportunity. Security teams monitoring network traffic or DNS logs can flag connections to systems matching these four hostnames. While a match alone doesn't confirm malicious activity—plenty of legitimate ISPsystem VMs exist—it does warrant closer inspection, especially when combined with other indicators.

Organizations running ransomware detection and response programs should add these hostnames to their threat intelligence feeds. The concentration among a handful of hosting providers also gives law enforcement a relatively narrow set of targets for disruption efforts, though the involvement of abuse-tolerant providers in Russia complicates that calculus.
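One way to act on the detection opportunity described above, as an added example that is not from the Sophos report or this article: a small scan over network or DNS log lines that tags any line carrying one of the four template hostnames with the Windows template it maps to, and records the match as a lead for triage rather than a verdict. The CSV log layout, the IP addresses and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# The four template hostnames and Windows versions reported by Sophos.
ISPSYSTEM_TEMPLATE_HOSTS = {
    "WIN-LIVFRVQFMKO": "Windows Server 2019",
    "WIN-BS656MOF35Q": "Windows Server 2022",
    "WIN-344VU98D3RU": "Windows Server 2012 R2",
    "WIN-J9D866ESIJ2": "Windows Server 2016",
}

# Any WIN-<11 chars> token, case-insensitive; the dict lookup below decides
# whether it is one of the known template names.
_HOST_RE = re.compile(r"\bWIN-[A-Z0-9]{11}\b", re.IGNORECASE)

# Constructed sample log: "timestamp,src,dst,field=value,..." (hypothetical format,
# documentation-range IPs). Line 2 is a WIN- host that is NOT a template name.
SAMPLE_LOG = """\
2026-02-06T10:01:12Z,10.0.0.15,198.51.100.23,proto=tls,cert_cn=WIN-LIVFRVQFMKO
2026-02-06T10:02:40Z,10.0.0.22,198.51.100.77,proto=smb,server_name=WIN-8ZQ3AB12CD4
2026-02-06T10:03:05Z,10.0.0.15,203.0.113.9,proto=dns,query=win-j9d866esij2.example.invalid
2026-02-06T10:04:51Z,10.0.0.31,203.0.113.40,proto=rdp,server_name=WIN-344VU98D3RU
""".splitlines()


@dataclass
class Hit:
    line_no: int
    hostname: str
    template_os: str
    src: str
    dst: str
    note: str = "ISPsystem template hostname: lead for triage, not proof of malice"


def scan_log(lines):
    """Return one Hit per log line referencing an ISPsystem template hostname."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.strip().split(",")
        if len(fields) < 3:
            continue  # malformed line; skip rather than guess src/dst
        for m in _HOST_RE.finditer(line):
            name = m.group(0).upper()  # DNS queries may be lowercase
            if name in ISPSYSTEM_TEMPLATE_HOSTS:
                hits.append(Hit(n, name, ISPSYSTEM_TEMPLATE_HOSTS[name], fields[1], fields[2]))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.src} -> {h.dst} {h.hostname} ({h.template_os})")
```

A hit from this scan is the starting point for the closer inspection the report recommends; the destination IP and hosting provider are what you would pivot on next.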

The bigger takeaway: ransomware infrastructure has become commoditized to the point where competing groups share not just tactics and tooling, but the actual servers they operate from. Attribution based on infrastructure alone is becoming less reliable when everyone's renting from the same landlord.
