{"id":210495,"date":"2026-02-05T15:57:00","date_gmt":"2026-02-05T20:57:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/05\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/"},"modified":"2026-02-05T19:00:17","modified_gmt":"2026-02-06T00:00:17","slug":"ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/05\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/","title":{"rendered":"Ransomware gang uses ISPsystem VMs for stealthy payload delivery"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/\">Ransomware gang uses ISPsystem VMs for stealthy payload delivery<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/<\/a><\/p>\n<p>Publish Date: 2026-02-05 15:57:00<\/p>\n<p>Source Domain: www.bleepingcomputer.com<\/p>\n<p>Ransomware operators are hosting and delivering malicious payloads at scale by abusing virtual machines (VMs) provisioned by\u00a0ISPsystem, a legitimate virtual infrastructure management provider.<\/p>\n<p>Researchers at cybersecurity company Sophos observed the tactic while\u00a0investigating recent \u2018WantToCry\u2019 ransomware incidents. 
They found the attackers used Windows VMs with identical hostnames, suggesting default templates generated by ISPsystem\u2019s VMmanager.<\/p>\n<p>Diving deeper, the researchers discovered that the same hostnames were present in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat\/ALPHV, and Ursnif, as well as various malware campaigns involving RedLine and Lumma info-stealers.<\/p>\n<p><img decoding=\"async\" alt=\"Location of devices using the same hostname\" height=\"493\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/February\/vm-infrastructure-202602-fig1.jpg\" width=\"726\"\/><strong>Location of devices using the same hostname<\/strong><br \/>Source: Sophos<\/p>\n<p>ISPsystem is a legitimate software company that develops control panels for hosting providers, used for the management of virtual servers, OS maintenance, etc. VMmanager is the company\u2019s virtualization management platform used to spin up Windows or Linux VMs for customers.<\/p>\n<p>Sophos found that VMmanager\u2019s default Windows templates reuse the same hostname and system identifiers every time they are deployed.<\/p>\n<p>Bulletproof hosting providers that knowingly support cybercrime operations and ignore takedown requests take advantage of this design weakness. 
They allow malicious actors to spin up VMs via VMmanager, used for command-and-control (C2) and payload-delivery infrastructure.<\/p>\n<p>This essentially hides malicious systems among thousands of innocuous ones, complicates attribution, and makes quick takedowns unlikely.<\/p>\n<p>The majority of the malicious\u00a0VMs were hosted by a small cluster of providers with a bad reputation or sanctions, including Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.<\/p>\n<p>Sophos has also discovered a provider with direct control of physical infrastructure named MasterRDP, which uses VMmanager&#8230;<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware gang uses ISPsystem VMs for stealthy payload delivery https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery\/ Publish Date: 2026-02-05 15:57:00 
Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":210496,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/02\/12\/ransomware-3.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-210495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210495"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=210495"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210495\/revisions"}],"predecessor-version":[{"id":210497,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/210495\/revisions\/210497"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/210496"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=210495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=210495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=210495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}