Ransomware operators abuse ISPsystem VMs for stealthy payload delivery
Summary
Ransomware operators are exploiting virtual machines (VMs) provisioned by ISPsystem's VMmanager to host and deliver malicious payloads at scale. Researchers at Sophos observed this tactic during investigations into 'WantToCry' ransomware incidents, noting that the attackers used Windows VMs with identical hostnames, which suggests default templates generated by VMmanager. The same hostnames were found in the infrastructure of multiple ransomware groups, including LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, as well as in malware campaigns distributing the RedLine and Lumma info-stealers. ISPsystem's VMmanager platform lets malicious actors spin up VMs for command-and-control (C2) and payload-delivery infrastructure, hiding malicious systems among thousands of innocuous ones. This complicates attribution and makes quick takedowns unlikely. The majority of the malicious VMs were hosted by a small cluster of providers with poor reputations or under sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.
Timeline
- 05.02.2026 22:57 · 1 article
Ransomware operators abuse ISPsystem VMs for stealthy payload delivery
Ransomware operators are exploiting virtual machines (VMs) provisioned by ISPsystem's VMmanager to host and deliver malicious payloads at scale. Researchers at Sophos observed this tactic during investigations into 'WantToCry' ransomware incidents, noting that the attackers used Windows VMs with identical hostnames, which suggests default templates generated by VMmanager. The same hostnames were found in the infrastructure of multiple ransomware groups and malware campaigns, indicating a widespread issue.
Sources:
- Ransomware gang uses ISPsystem VMs for stealthy payload delivery — www.bleepingcomputer.com — 05.02.2026 22:57
Information Snippets
- Ransomware operators are using Windows VMs with identical hostnames generated by ISPsystem's VMmanager for malicious activities.
  First reported: 05.02.2026 22:57 (1 source, 1 article)
- The same hostnames were found in the infrastructure of multiple ransomware groups and malware campaigns.
  First reported: 05.02.2026 22:57 (1 source, 1 article)
- ISPsystem's VMmanager platform allows malicious actors to spin up VMs for C2 and payload-delivery infrastructure.
  First reported: 05.02.2026 22:57 (1 source, 1 article)
- The majority of the malicious VMs were hosted by a small cluster of providers with poor reputations or under sanctions.
  First reported: 05.02.2026 22:57 (1 source, 1 article)
- Four prevalent ISPsystem hostnames account for over 95% of the internet-facing ISPsystem virtual machines linked to cybercriminal activity.
  First reported: 05.02.2026 22:57 (1 source, 1 article)