Ethical Hacking News
Ransomware gangs have been using a legitimate virtual infrastructure management platform, ISPsystem's VMmanager, to deliver malicious payloads. The attackers are exploiting default templates with identical hostnames, making it easy to spin up new systems without being easily detectable. Sophos has called on ISPsystem to address the issue and take steps to prevent future abuse of their platform.
Ransomware gangs are exploiting ISPsystem's VMmanager platform to deliver malicious payloads. The attackers used default templates generated by ISPsystem's VMmanager, making it easy for them to spin up new systems without being easily detectable. Multiple ransomware operators and malware campaigns were using the same virtual machines, indicating a coordinated effort among cybercriminals. A small cluster of providers with poor reputations, or under sanctions, was hosting malicious virtual machines via VMmanager. ISPsystem's VMmanager is a legitimate platform that has been exploited because of its low cost and turnkey deployment capabilities.
Sophos, a leading cybersecurity company, has discovered that ransomware gangs are exploiting a legitimate virtual infrastructure management platform called ISPsystem's VMmanager to deliver malicious payloads. The researchers found that the attackers used Windows VMs with identical hostnames, suggesting default templates generated by ISPsystem's VMmanager.
The investigation was launched after Sophos observed recent "WantToCry" ransomware incidents and discovered that the attackers were using the same virtual machines to host their command-and-control (C2) infrastructure. Further analysis revealed that multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as various malware campaigns involving the RedLine and Lumma info-stealers, were using the same VMs.
The researchers also found that a small cluster of providers with poor reputations, or under sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT, was hosting malicious virtual machines via VMmanager. One provider, MasterRDP, even offered VPS and RDP services that did not comply with legal requests.
Sophos discovered that four of the most prevalent ISPsystem hostnames accounted for over 95% of the total number of internet-facing ISPsystem virtual machines. These hostnames were WIN-LIVFRVQFMKO, WIN-LIVFRVQFMKO, WIN-344VU98D3RU, and WIN-J9D866ESIJ2.
ISPsystem's VMmanager is a legitimate platform for virtualization management, but it has become attractive to cybercriminals due to its low cost, low barrier to entry, and turnkey deployment capabilities. The researchers note that the use of default templates with identical hostnames makes it easy for attackers to spin up new malicious systems without being easily detectable.
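The hostname clustering described above is a usable triage signal for defenders. As an added example (not Sophos or ISPsystem code), the Python below scans constructed authentication log lines, assumes a key=value format with a `workstation` field, flags source hostnames that match the template hostnames quoted in the article or the generic Windows auto-generated WIN-XXXXXXXXXXX pattern, and counts how many distinct source IPs share each flagged name.

```python
"""Triage helper for the VMmanager default-hostname cluster.
Added example; the log format and field names are this example's own assumptions."""
import re

# Template hostnames quoted in the article (WIN-LIVFRVQFMKO is listed once here).
KNOWN_DEFAULT_HOSTNAMES = frozenset({
    "WIN-LIVFRVQFMKO", "WIN-344VU98D3RU", "WIN-J9D866ESIJ2",
})
# Windows setup names an unconfigured machine "WIN-" plus 11 uppercase alphanumerics.
GENERIC_DEFAULT_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")
# Assumed key=value log layout (constructed for this example).
KV_RE = re.compile(r"(\w+)=(\S+)")


def classify_hostname(name):
    """Return 'known_template', 'generic_default', or None (case-insensitive)."""
    n = name.strip().upper()
    if n in KNOWN_DEFAULT_HOSTNAMES:
        return "known_template"
    if GENERIC_DEFAULT_RE.match(n):
        return "generic_default"
    return None


def triage(lines):
    """Return (src_ip, hostname, verdict) for every line whose workstation name is suspect."""
    hits = []
    for line in lines:
        rec = dict(KV_RE.findall(line))
        host = rec.get("workstation")
        verdict = classify_hostname(host) if host else None
        if verdict:
            hits.append((rec.get("src_ip", "?"), host.upper(), verdict))
    return hits


def summarize(hits):
    """Distinct source IPs per flagged hostname; one name seen from many IPs is the
    clustering the article describes (many VMs built from the same template)."""
    per_host = {}
    for ip, host, _ in hits:
        per_host.setdefault(host, set()).add(ip)
    return {h: len(ips) for h, ips in per_host.items()}


SAMPLE_LOGS = [  # constructed telemetry; RFC 5737 documentation addresses
    "ts=2026-02-05T10:00:01Z event=logon src_ip=203.0.113.10 workstation=WIN-LIVFRVQFMKO",
    "ts=2026-02-05T10:00:02Z event=logon src_ip=203.0.113.20 workstation=DESKTOP-ALICE",
    "ts=2026-02-05T10:00:03Z event=logon src_ip=203.0.113.11 workstation=win-livfrvqfmko",
    "ts=2026-02-05T10:00:04Z event=logon src_ip=198.51.100.7 workstation=WIN-344VU98D3RU",
    "ts=2026-02-05T10:00:05Z event=logon src_ip=198.51.100.8 workstation=WIN-ABCDEFGHIJK",
    "ts=2026-02-05T10:00:06Z event=logon src_ip=198.51.100.9 workstation=WIN-SHORT",
]
```

A match marks a source for review rather than a verdict: the article itself notes that VMmanager is a legitimate platform, so template hostnames will also appear on benign customers' machines.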
The exploitation of ISPsystem's VMmanager by ransomware gangs is a concerning discovery, as it highlights how readily legitimate platforms can be turned to malicious purposes. It also emphasizes the importance of monitoring and reporting suspicious activity on virtual infrastructure management platforms.
In light of this discovery, Sophos has called on ISPsystem to address the issue and take steps to prevent future abuse of their platform. The company has also urged law enforcement agencies and cybersecurity organizations to be vigilant in detecting and mitigating such threats.
The discovery of ransomware gangs exploiting legitimate virtual infrastructure management platforms is a reminder of the ever-evolving nature of cyber threats and the need for constant vigilance and cooperation among stakeholders to combat them effectively.
Related Information:
https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Exploit-Legitimate-Virtual-Infrastructure-Management-Platform-to-Deliver-Malicious-Payloads-ehn.shtml
Published: Thu Feb 5 16:41:51 2026 by llama3.2 3B Q4_K_M