
ISPsystem
Sophos
MasterRDP
JSC IOT
Zomro B.V.
First Server
Stark Industries Solutions Ltd.
Partner Hosting LTD
The tactic gives cyber‑criminals cheap, scalable delivery platforms while obscuring attribution, amplifying ransomware impact and challenging defenders and regulators.
ISPsystem’s VMmanager is a widely‑used virtualization control panel that lets hosting providers spin up Windows or Linux virtual machines with a few clicks. The platform ships with default Windows templates that automatically assign the same hostname and system identifiers each time they are deployed. While this convenience speeds up legitimate provisioning, it also creates a fingerprint that cyber‑criminals can exploit to blend malicious instances with thousands of benign servers. Because the templates are inexpensive to launch and require minimal technical expertise, they have become a low‑cost, turnkey solution for threat actors seeking scalable payload‑delivery infrastructure.
The abuse was uncovered by Sophos while tracking the “WantToCry” ransomware campaign, which revealed identical hostnames across VMs used by groups such as LockBit, Conti, BlackCat/ALPHV and Ursnif. By deploying these uniform VMs on bullet‑proof hosting services, attackers can host command‑and‑control servers and stage ransomware payloads without standing out in network scans or abuse‑ticket systems. The shared identifiers make attribution difficult, allowing multiple criminal outfits to recycle the same infrastructure and evade rapid takedowns. Consequently, the tactic amplifies the reach of ransomware operations and lowers the operational cost of large‑scale attacks.
From a defensive standpoint, the discovery highlights a blind spot in the supply chain of cloud‑based services. Hosting providers that ignore abuse complaints or operate in jurisdictions with weak enforcement become unwitting enablers of cybercrime, as seen with the small cluster of providers named by Sophos. ISPsystem now faces pressure to modify its VM templates to generate unique identifiers per deployment and to implement stricter vetting of customers. Security teams should monitor for the known hostnames and consider blocking traffic from suspicious ISPsystem VMs, while regulators may need to enforce clearer accountability standards for virtualization platforms.
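One way to operationalise the hostname-monitoring advice above, as an added example that is not from Sophos or the original article: the script clusters constructed log records by reported hostname and flags names that recur across many source IPs and hosting ASNs (the fingerprint of a cloned template rather than a single renamed machine), plus any names on an explicit watchlist. The hostnames, IPs and ASNs are placeholders; the real ISPsystem template hostnames are not given on this page.

```python
import re
from collections import defaultdict

# Constructed sample records (placeholder hostnames, RFC 5737 test IPs, private-use ASNs):
# "<timestamp> <src_ip> <reported_hostname> <asn>", as a SIEM might export from TLS/HTTP or NetBIOS metadata.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 203.0.113.10 WIN-TEMPLATE-HOST AS64500
2024-05-01T10:02:13Z 198.51.100.7 win-template-host AS64501
2024-05-01T10:05:40Z 192.0.2.44 WIN-TEMPLATE-HOST AS64502
2024-05-01T10:07:09Z 203.0.113.77 mail01.corp.example AS64500
2024-05-01T10:08:21Z 198.51.100.9 WIN-TEMPLATE-HOST AS64500
2024-05-01T10:09:00Z 192.0.2.45 build-agent-3 AS64502
2024-05-01T10:11:30Z 203.0.113.78 mail01.corp.example AS64500
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(AS\d+)$")

def parse_lines(text):
    """Yield (hostname, ip, asn); hostnames are upper-cased because Windows
    computer names are case-insensitive. Malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, host, asn = m.groups()
            yield host.upper(), ip, asn

def cluster_by_hostname(records):
    """Group observations as hostname -> {'ips': set, 'asns': set}."""
    clusters = defaultdict(lambda: {"ips": set(), "asns": set()})
    for host, ip, asn in records:
        clusters[host]["ips"].add(ip)
        clusters[host]["asns"].add(asn)
    return clusters

def flag_template_clones(text, min_ips=3, min_asns=2, watchlist=()):
    """Return sorted [(hostname, n_ips, n_asns, reason)]: hostnames on a watchlist,
    or recurring across many IPs and providers (a cloned template, not one renamed box)."""
    watch = {h.upper() for h in watchlist}
    hits = []
    for host, c in cluster_by_hostname(parse_lines(text)).items():
        if host in watch:
            hits.append((host, len(c["ips"]), len(c["asns"]), "watchlist"))
        elif len(c["ips"]) >= min_ips and len(c["asns"]) >= min_asns:
            hits.append((host, len(c["ips"]), len(c["asns"]), "clone-cluster"))
    return sorted(hits)

if __name__ == "__main__":
    for hit in flag_template_clones(SAMPLE_LOGS):
        print("%s seen on %d IPs across %d ASNs (%s)" % hit)
```

Tune `min_ips` and `min_asns` to your environment: a legitimate fleet can share a hostname within one provider, but the same name spread across unrelated hosting ASNs is what warrants a look.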