Within the virtual hosting business, something apparently harmless, ready-to-use virtual machine templates, has become a powerful lever for cybercriminals. Researchers at the security firm Sophos have found that ransomware and malware operators are taking advantage of the default templates of a legitimate virtualization manager to deploy, at scale, manipulated Windows servers that host and distribute malicious payloads.
The key to the abuse is the systematic re-use of identifiers and machine names. The default templates shipped with VMmanager, the virtualization solution from ISPsystem, generate instances with identical system names and parameters each time they are deployed. This lets malicious actors spin up hundreds or thousands of VMs with almost identical signals and dedicate them to roles such as command-and-control (C2) servers or repositories for delivering ransomware and Trojans.

Sophos's work, which you can consult in its original report, also shows that these same host names appear repeatedly in infrastructure linked to high-profile groups: from LockBit and BlackCat/ALPHV to Conti, Qilin, and Trojan families such as Ursnif. The researchers have also identified their use in campaigns distributing info-stealers such as RedLine and Lumma. The repetition of the same identifiers in criminal contexts is the lead that led them to discover the abuse pattern. More information in Sophos's technical write-up: Sophos: Malicious use of virtual machine infrastructure.
According to Sophos, four specific host names generated by these templates account for most of the Internet-accessible VMs managed by ISPsystem software, which makes the technique easy to track. These names include WIN-LIVFRVQFMKO, WIN-344VU98D3RU and WIN-J9D866ESIJ2, all of which show up in telemetry related to criminal activity. The finding does not merely point to a misconfiguration or a design flaw: it shows how the combination of easy-to-use software and hosting providers with little or no due diligence creates an attractive environment for crime.
Not all providers are equal. Sophos found that most of the malicious VMs are hosted by a small group of providers with questionable reputations or subject to sanctions, including names such as Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD and JSC IOT. There is also an actor called MasterRDP which, according to the researchers, controls physical infrastructure and offers VPS/RDP services without honouring legal requests, using VMmanager as the tool for it.
Why does this scheme work for the attackers? Because deploying malicious infrastructure with cloned VMs is cheap, fast and has a low barrier to entry. In addition, by "hiding" dangerous instances among thousands of legitimate VMs that share the same patterns, investigation and mitigation become slower and less effective. The mix of scalability, partial anonymity and lack of centralized control makes these environments a valuable resource for those engaged in extortion and credential theft.
From a defensive perspective there are several clear lessons. First, developers of virtualization management solutions should avoid templates that generate static system names and values: every VM needs a unique identifier by default. Second, infrastructure providers have a responsibility to implement monitoring and to respond to legal or international cooperation requests in order to cut off illegal activity on their networks. End users and security teams should implement anomaly detection, maintain active inventories, write telemetry rules that flag the suspicious host names, and share relevant indicators with the community to enable blocking and coordinated action.
Authorities and response teams also recommend general hardening measures against ransomware and malware that apply here: maintain offline backups, apply patches regularly, restrict unmanaged RDP access, and monitor the network for abnormal behaviour. For institutional guidance on preparing for ransomware, the U.S. cybersecurity agency CISA offers practical guides: CISA - Ransomware Guidance.
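As an added example that is not part of the Sophos report or the article, the following Python script shows the kind of telemetry rule the paragraph above calls for: it matches the three host names the article quotes and, as a broader heuristic, flags any Windows-style auto-generated name (assumed here to be "WIN-" followed by 11 alphanumerics) that is seen from several distinct source IPs, which is the "many clones, one name" signal at the heart of the technique. The log format and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Host names the article reports as recurring in VMmanager-template deployments.
KNOWN_TEMPLATE_NAMES = {"WIN-LIVFRVQFMKO", "WIN-344VU98D3RU", "WIN-J9D866ESIJ2"}

# Assumption: the default name format Windows setup generates, "WIN-" plus 11 alphanumerics.
DEFAULT_NAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Constructed log format: <timestamp> <source IP> <claimed host name> <event>
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")

# Constructed sample telemetry (not real data).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.10 WIN-LIVFRVQFMKO smb_session
2025-06-01T10:00:05Z 203.0.113.11 WIN-LIVFRVQFMKO smb_session
2025-06-01T10:00:09Z 203.0.113.12 WIN-LIVFRVQFMKO rdp_connect
2025-06-01T10:01:00Z 198.51.100.7 WIN-344VU98D3RU http_get
2025-06-01T10:02:00Z 192.0.2.5 FILESRV01 smb_session
2025-06-01T10:03:00Z 192.0.2.9 WIN-A1B2C3D4E5F smb_session
"""


def parse_line(line):
    """Return (timestamp, ip, hostname, event), or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def analyse(log_text, reuse_threshold=2):
    """Report hits on the known template names and default-style names reused across many IPs."""
    known_hits = []                      # every event whose host name is a known template name
    ips_by_name = defaultdict(set)       # default-style name -> distinct source IPs seen with it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                     # skip malformed lines instead of failing the whole run
        ts, ip, host, event = rec
        host = host.upper()              # NetBIOS/host names are case-insensitive
        if host in KNOWN_TEMPLATE_NAMES:
            known_hits.append((ts, ip, host, event))
        if DEFAULT_NAME_RE.match(host):
            ips_by_name[host].add(ip)
    # One auto-generated name seen from several machines is the cloned-template signal.
    reused = {h: sorted(ips) for h, ips in ips_by_name.items() if len(ips) >= reuse_threshold}
    return {"known_hits": known_hits, "reused_default_names": reused}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

A genuine unmanaged workstation can also carry a default WIN- name, so the reuse heuristic is a lead for triage, while a hit on the known names is a much stronger indicator.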

ISPsystem is a legitimate company that develops control panels and tools for hosting providers; its VMmanager product is designed to simplify the creation and management of Windows and Linux VMs. That ease of use is precisely what makes the product attractive both to legitimate customers and to malicious actors when it ends up in the hands of unscrupulous providers. More information about the company and its product on its corporate website: ISPsystem - VMmanager.
Specialized media such as BleepingComputer have reported on these findings and tried to contact ISPsystem for its position and remediation plans, without receiving a public response at the time of publication. For broader coverage from technology and security sites discussing the research and its implications, see: BleepingComputer.
The case highlights a recurring pattern in cybersecurity: tools designed to simplify legitimate operations can become instruments of abuse if they lack basic protections and if their provider ecosystem lacks controls. The solution requires technical responsibility from the manufacturer, due diligence from hosting providers, and vigilance from security teams. Meanwhile, the community must stay alert and use the available information, such as the host names identified by Sophos, to quickly identify and take down malicious infrastructure built on these templates.