Saturday February 21, 2026

Advisory ID: NCC-CSIRT-2026-005

Summary: 

Cybersecurity researchers have uncovered a stealthy tactic in which ransomware operators abuse ISPsystem VMmanager virtual machines. Threat actors, including operators of major ransomware families such as LockBit, Qilin, BlackCat/ALPHV and WantToCry, as well as Ursnif-linked campaigns, are renting Windows VMs from hosting providers that run VMmanager. Because early versions of the default VM templates gave every new VM the same hostname and system identifiers, attackers can camouflage malicious servers among the legitimate ones that share those identifiers, and so evade detection and takedown efforts. This infrastructure is then used to host and deliver ransomware payloads at scale.

Damage/Probability: Critical/High

Product(s): 

  • ISPsystem VMmanager platform, virtualization management software used by hosting providers to deploy Windows/Linux virtual machines (VMs).
  • Bulletproof hosting providers that deploy VMmanager-provisioned VMs.
  • Ransomware payload delivery infrastructure using ISPsystem VMs for hosting and C2.

Version(s): 

Affects the default ISPsystem VMmanager Windows VM templates that assigned a static hostname and static system identifiers to every new VM; the templates were later updated to randomize hostnames. VMs provisioned from the older templates keep the shared identifiers until they are rebuilt or renamed.

Platform(s): 

Internet-facing virtual machines provided by hosting services leveraging ISPsystem VMmanager, used as infrastructure for ransomware and malware distribution.

Description: 

Sophos researchers observed that threat actors are using VMs provisioned via ISPsystem's VMmanager, a legitimate virtualization management platform, to host ransomware payloads and command-and-control (C2) services. The underlying issue exploited is a design weakness in the default VM templates: every new Windows VM received the same hostname and system identifiers. This uniformity lets ransomware operators scale infrastructure quickly while making malicious VMs look, to automated monitoring, indistinguishable from the benign VMs that carry the same identifiers.

Attackers rent these VMs through bulletproof hosting providers that are known to tolerate or actively support cybercriminal operations. These providers often ignore law enforcement requests and abuse reports, which further complicates disruption efforts. Once provisioned, the VMs serve as a stable platform hosting ransomware payloads, staging scripts or C2 endpoints for major ransomware families such as LockBit, Qilin, BlackCat/ALPHV and WantToCry, and for Ursnif-related campaigns.

The misuse of commodity infrastructure highlights a shift in how ransomware gangs manage their infrastructure: rather than building bespoke botnets, they leverage accessible, high-bandwidth cloud resources, effectively “blending in” with legitimate network traffic.

Threat Types: 

  • Infrastructure abuse: Leveraging legitimately provisioned virtual machines for malicious payload hosting.
  • Evasion: Blending criminal infrastructure with legitimate cloud services to complicate detection and forensic attribution.
  • Ransomware delivery: Hosting and distribution of ransomware installers and C2 infrastructure.
  • Takedown resistance: Use of bulletproof hosting providers that ignore abuse and takedown requests.

Impacts: 

  • Ransomware campaigns gain persistent delivery infrastructure that may pass reputation-based security filters because it sits on legitimate hosting platforms.
  • Shared static identifiers, used by many threat actors and by legitimate customers alike, make it harder for defenders to rapidly identify and remove malicious VMs: a hostname match on its own does not distinguish a malicious VM from a benign one.
  • Ransomware operators gain a more resilient, distributed infrastructure, increasing the volume and scale of ransomware attacks globally.
  • The method supports not just ransomware but adjacent campaigns involving info-stealers and other malware families.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

  • Block traffic to IPs and domains linked to this infrastructure, using current threat-intelligence feeds, and keep the block list refreshed as VMs are rotated.
  • Hosting providers running VMmanager: identify customer VMs still carrying the static template hostname, rebuild or rename them, and quarantine those tied to abuse reports.
  • Alert on known ransomware IOCs. Treat outbound connections to Internet hosts that present the static template hostname (Windows exposes its hostname, for example, in the subject of its self-signed RDP certificate) as a pivot for investigation rather than as proof of malice, since legitimate customers of the same providers share that hostname; escalate when it coincides with a threat-intel hit, an unusual protocol such as RDP or SMB to the Internet, or several internal hosts contacting the same destination.
  • Restrict outbound traffic to known bulletproof hosting networks and to unvetted VPN and proxy services.
  • Hunt retrospectively across proxy, firewall and DNS logs for contact with this infrastructure.
  • Report abuse to hosting providers to limit the lifetime of malicious VMs.
  • Add SIEM rules for payload delivery from cloud and hosting-provider ranges, such as executable downloads from hosts with which the organisation has no business relationship.
  • Coordinate with cloud and hosting providers on hostname/identifier randomization and fast takedowns.
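The following Python script is an added example, not part of this advisory and not code from ISPsystem or Sophos. It shows the hunting logic behind the recommendations above: group outbound connection records by destination, flag destinations on a threat-intel list or presenting the static template hostname, and grade each finding so that a hostname match alone stays low-confidence. The hostname value WIN-TEMPLATE is a hypothetical placeholder (this advisory does not quote the real static hostname), the log format and threat-intel list are constructed samples using documentation IP ranges, and the remote_cert_cn field assumes that the hostname was captured from the remote host's RDP or TLS certificate subject.

```python
"""Hunt for contact with VMs that present a shared, static template hostname.

Added example for the NCC-CSIRT-2026-005 advisory; not ISPsystem or Sophos code.
Assumptions (hypothetical): the static template hostname is "WIN-TEMPLATE", the
log format is a simplified firewall/TLS-inspection export, and the threat-intel
list and log lines are constructed samples.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Fields: timestamp, internal source host, destination
# IP, destination port, certificate CN observed on the remote end ("" if none).
SAMPLE_LOG = """ts,src_host,dst_ip,dst_port,remote_cert_cn
2026-02-20T09:12:01Z,ws-017,203.0.113.10,3389,WIN-TEMPLATE
2026-02-20T09:12:05Z,ws-017,203.0.113.10,443,
2026-02-20T09:15:44Z,ws-042,198.51.100.7,443,WIN-TEMPLATE
2026-02-20T09:20:10Z,ws-042,198.51.100.8,3389,WIN-TEMPLATE
2026-02-20T09:31:00Z,srv-db1,192.0.2.55,445,
2026-02-20T10:02:30Z,ws-099,203.0.113.10,3389,WIN-TEMPLATE
"""

# Constructed threat-intel feed (documentation range, not a real indicator).
THREAT_INTEL_IPS = {"203.0.113.10"}
# Hypothetical placeholder for the static hostname; compared case-insensitively.
STATIC_TEMPLATE_HOSTNAMES = {"win-template"}
# Internal ranges to ignore (RFC 1918); documentation ranges stay "external"
# here on purpose so the sample rows are evaluated.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Protocols that rarely have a legitimate reason to leave the network.
SUSPICIOUS_PORTS = {3389, 445}


@dataclass(frozen=True)
class Finding:
    dst_ip: str
    severity: str          # "high", "medium" or "low"
    reasons: tuple         # why the destination was flagged
    sources: tuple         # internal hosts that contacted it


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def hunt(rows, intel_ips=THREAT_INTEL_IPS,
         template_names=STATIC_TEMPLATE_HOSTNAMES) -> list:
    """Return findings sorted by destination IP.

    Severity: a threat-intel hit is high; a template-hostname match is low
    unless corroborated by fan-in (two or more internal sources) or by an
    outbound RDP/SMB connection, which raises it to medium.
    """
    by_dst = defaultdict(list)
    for row in rows:
        if not is_internal(row["dst_ip"]):
            by_dst[row["dst_ip"]].append(row)

    findings = []
    for dst_ip, conns in sorted(by_dst.items()):
        reasons = []
        if dst_ip in intel_ips:
            reasons.append("destination on threat-intel list")
        seen_cns = {c["remote_cert_cn"].lower() for c in conns if c["remote_cert_cn"]}
        if seen_cns & template_names:
            reasons.append("remote certificate CN matches static VM template hostname")
        if not reasons:
            continue                      # nothing to report for this destination
        sources = tuple(sorted({c["src_host"] for c in conns}))
        ports = {int(c["dst_port"]) for c in conns}
        if dst_ip in intel_ips:
            severity = "high"
        elif len(sources) >= 2 or ports & SUSPICIOUS_PORTS:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(dst_ip, severity, tuple(reasons), sources))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_log(SAMPLE_LOG)):
        print(f"{f.severity:6} {f.dst_ip:15} sources={','.join(f.sources)} "
              f"reasons={'; '.join(f.reasons)}")
```

Run against the constructed sample, the script reports 203.0.113.10 as high (threat-intel hit plus template hostname, contacted by two workstations), 198.51.100.8 as medium (template hostname over outbound RDP) and 198.51.100.7 as low (template hostname only, one source over HTTPS); 192.0.2.55 carries no indicator and is not reported. In production the feed and hostname set would come from threat intelligence rather than literals, and the low-severity bucket is where the caveat above applies: it is a queue for analyst review, not an automatic block list.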

References: