Ransomware operators are abusing virtual machines provisioned via ISPsystem’s VMmanager to host and deliver malicious payloads at scale, hiding C2 and distribution servers among legitimate infrastructure. Sophos found identical default Windows hostnames, a by-product of VMs cloned from the same VMmanager template, reused across multiple criminal campaigns including WantToCry, LockBit, Qilin, Conti, BlackCat/ALPHV, and Ursnif, which helps the operators evade detection and complicates takedowns. #WantToCry #VMmanager
Keypoints
- Ransomware operators host and deliver payloads using ISPsystem VMmanager VMs.
- Sophos linked identical default Windows hostnames to recent WantToCry incidents.
- The same VM hostnames appeared in incidents involving multiple gangs and malware families, including LockBit, Qilin, Conti, BlackCat/ALPHV, Ursnif, RedLine, and Lumma.
- Bulletproof hosting providers benefit from the template reuse: cloned VMs blend in with legitimate VMmanager deployments, and the providers ignore takedown requests.
- Because hostnames and other system identifiers are reused across unrelated campaigns, they are weak attribution pivots and slow effective takedowns, even though VMmanager itself is a legitimate platform.
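The attribution problem in the last two points can be made concrete in triage tooling. The following is an added example, not code from Sophos or from the page: it takes constructed incident records (the hostnames and IPs are hypothetical placeholders, since the page does not give the actual default values) and flags any hostname seen alongside several unrelated malware families as template-derived. Such a hostname is still useful for hunting VMmanager-provisioned attacker VMs, but it must not be used on its own to attribute an incident to a particular gang.

```python
from collections import defaultdict

# Constructed sample incident records. Hostname and IP values are hypothetical
# placeholders (RFC 5737 documentation ranges), not indicators from the page.
SAMPLE_RECORDS = [
    {"incident": "INC-1", "family": "WantToCry", "hostname": "WIN-TEMPLATE-A", "ip": "203.0.113.10"},
    {"incident": "INC-2", "family": "LockBit",   "hostname": "WIN-TEMPLATE-A", "ip": "203.0.113.22"},
    {"incident": "INC-3", "family": "Qilin",     "hostname": "WIN-TEMPLATE-A", "ip": "198.51.100.5"},
    {"incident": "INC-4", "family": "Ursnif",    "hostname": "WIN-TEMPLATE-B", "ip": "198.51.100.5"},
    {"incident": "INC-5", "family": "RedLine",   "hostname": "WIN-TEMPLATE-B", "ip": "192.0.2.77"},
    {"incident": "INC-6", "family": "Conti",     "hostname": "CONTI-ONLY-HOST", "ip": "192.0.2.9"},
]


def group_by_indicator(records, field):
    """Map each distinct value of `field` (e.g. hostname, ip) to the set of
    malware families it has been observed with."""
    families = defaultdict(set)
    for rec in records:
        families[rec[field]].add(rec["family"])
    return dict(families)


def classify_hostnames(records, threshold=2):
    """Return {hostname: (distinct_family_count, label)}.

    A hostname tied to `threshold` or more unrelated families is labelled
    'shared-template': it most likely comes from a cloned VM image and says
    nothing about which gang is behind a given incident. Anything else is
    'campaign-specific' and may be used as an attribution pivot.
    """
    result = {}
    for host, fams in group_by_indicator(records, "hostname").items():
        label = "shared-template" if len(fams) >= threshold else "campaign-specific"
        result[host] = (len(fams), label)
    return result


def attribution_pivots(records):
    """For each incident, list the indicators that are safe to use for family
    attribution: the hostname only if it is campaign-specific, and the IP only
    if it has never been seen with a different family."""
    host_class = classify_hostnames(records)
    ip_families = group_by_indicator(records, "ip")
    pivots = {}
    for rec in records:
        safe = []
        if host_class[rec["hostname"]][1] == "campaign-specific":
            safe.append(("hostname", rec["hostname"]))
        if len(ip_families[rec["ip"]]) == 1:
            safe.append(("ip", rec["ip"]))
        pivots[rec["incident"]] = safe
    return pivots


def hunting_indicators(records):
    """Hostnames worth hunting for as signs of VMmanager-style cloned attacker
    VMs, regardless of which family eventually shows up on them."""
    return sorted(h for h, (_, label) in classify_hostnames(records).items()
                  if label == "shared-template")


if __name__ == "__main__":
    for inc, safe in attribution_pivots(SAMPLE_RECORDS).items():
        print(inc, "attribution pivots:", safe or "none (shared infrastructure only)")
    print("hunt for:", hunting_indicators(SAMPLE_RECORDS))
```

On the constructed sample, INC-3 and INC-4 share both a template hostname and an IP that has hosted two families, so they end up with no safe attribution pivot at all, which is exactly the situation the page describes: the indicator still identifies malicious infrastructure, just not its operator.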