Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider.
Researchers at cybersecurity company Sophos observed the tactic while investigating recent ‘WantToCry’ ransomware incidents. They found the attackers used Windows VMs with identical hostnames, suggesting default templates generated by ISPsystem’s VMmanager.
Diving deeper, the researchers discovered that the same hostnames were present in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as various malware campaigns involving RedLine and Lummar info-stealers.
Source: Sophos
ISPsystem is a legitimate software company that develops control panels for hosting providers, used for the management of virtual servers, OS maintenance, etc. VMmanager is the company’s virtualization management platform used to spin up Windows or Linux VMs for customers.
Sophos found that VMmanager’s default Windows templates reuse the same hostname and system identifiers every time they are deployed.
Bulletproof hosting providers that knowingly support cybercrime operations and ignore takedown requests take advantage of this design weakness. They allow malicious actors to spin up VMs via VMmanager, used for command-and-control (C2) and payload-delivery infrastructure.
This essentially hides malicious systems among thousands of innocuous ones, complicates attribution, and makes quick takedowns unlikely.
The majority of the malicious VMs were hosted by a small cluster of providers with a bad reputation or sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.
Sophos has also discovered a provider with direct control of physical infrastructure named MasterRDP, which uses VMmanager for evasion and offers VPS and RDP services that do not comply with legal requests.
According to Sophos, four of the most prevalent ISPsystem hotnames “account for over 95% of the total number of internet-facing ISPsystem virtual machines:”
- WIN-LIVFRVQFMKO
- WIN-LIVFRVQFMKO
- WIN-344VU98D3RU
- WIN-J9D866ESIJ2
All of them were present either in customer detection or telemetry data linked to cybercriminal activity.
The researchers note that while ISPsystem VMmanager is a legitimate platform for virtualization management, it is also attractive to cybercriminals due to “its low cost, low barrier to entry, and turnkey deployment capabilities.”
BleepingComputer has contacted ISPsystem to ask if they are aware of the large-scale abuse of VM templates and their plans to address the issue, but a statement wasn’t available by publishing time.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.