Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoing
Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos
Ransomware gangs are renting cheap virtual machines (VMs) rather than building their own servers, with thousands effectively sharing the same infrastructure.
Analysis from Sophos found criminals are leasing VMs from bulletproof hosting (BPH) services such as MasterRDP, which provision them with the legitimate ISPsystem VMmanager platform rather than anything custom-built.
The advantage of this strategy is that it allows hackers to scale operations, remain anonymous, and keep activities running. Even if one server is taken down, hundreds just like it still exist.
Sophos uncovered the practice while investigating multiple WantToCry ransomware incidents. It found that the attacker servers all had the same autogenerated Windows hostnames, which kept popping up across incidents and multiple countries.
The team found more than 7,000 servers in the wild sharing a single hostname, many of which appeared to originate from Russia, Europe, the US, and even Iran and Israel.
"Based on CTU and third-party observations, the two hostnames used in the WantToCry ransomware activity (WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO) have been used in multiple incidents," the Sophos Counter Threat Unit Research Team said.
"This malicious activity includes cybercriminal attacks involving LockBit, Qilin, and BlackCat (also known as ALPHV) ransomware, and an additional deployment of NetSupport RAT."
This infrastructure is commonly used to support ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.
The practice appears to have been going on for at least five years, researchers noted.
Cheaper attacks, but easier to track
Crucially, the reused hostnames also make the activity easier to track: thousands of ISPsystem VMs carry the same static, autogenerated names, and many of them are linked to ransomware and malware campaigns.
Most of the affected VMs are hosted by a small set of providers, some of which are tied to state-sponsored or cyber criminal activity.
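The two hostnames quoted above are the only concrete indicators the article gives, and they are what a defender would hunt for in their own logs. The following is an added example, not code from Sophos, CTU or ITPro: a small Python hunt over constructed Windows Security log records (event 4624 successful logons and 4625 failures, flattened to key=value form) that flags any record whose client-supplied WorkstationName is one of the two named hosts, and, at lower fidelity, any name in the default WIN-<11 alphanumerics> format Windows assigns when a machine is never renamed. The log layout, usernames and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Hostnames named in the Sophos/CTU research quoted above. These two are the
# only indicators the article provides; anything else here would be an assumption.
KNOWN_BAD_HOSTNAMES = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}

# Windows setup assigns "WIN-" plus 11 upper-case alphanumerics when no name is
# chosen. A match on its own is low fidelity (many legitimate hosts are never
# renamed), so it is reported separately from exact-match hits.
AUTOGEN_PATTERN = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Constructed sample records (not real telemetry). LogonType 10 is
# RemoteInteractive (RDP), 3 is network, 2 is local interactive.
SAMPLE_LOG = """\
EventID=4624 LogonType=10 TargetUserName=svc_backup WorkstationName=WIN-J9D866ESIJ2 IpAddress=198.51.100.23
EventID=4624 LogonType=10 TargetUserName=jsmith WorkstationName=LAPTOP-JSMITH IpAddress=10.0.12.7
EventID=4625 LogonType=3 TargetUserName=administrator WorkstationName=WIN-LIVFRVQFMKO IpAddress=203.0.113.9
EventID=4624 LogonType=3 TargetUserName=administrator WorkstationName=WIN-LIVFRVQFMKO IpAddress=203.0.113.9
EventID=4624 LogonType=10 TargetUserName=ops WorkstationName=WIN-A1B2C3D4E5F IpAddress=10.0.40.2
EventID=4624 LogonType=2 TargetUserName=jsmith WorkstationName=DESK-0042 IpAddress=-
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one key=value record into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(record):
    """Return 'known_bad', 'autogenerated' or None for one parsed record."""
    name = record.get("WorkstationName", "")
    if name in KNOWN_BAD_HOSTNAMES:
        return "known_bad"
    if AUTOGEN_PATTERN.match(name):
        return "autogenerated"
    return None


def hunt(log_text):
    """Scan log text and return (hits, summary).

    hits: list of (verdict, event_id, user, workstation, ip) for flagged records.
    summary: Counter of verdicts, so the two fidelity levels stay separate.
    """
    hits = []
    summary = Counter()
    for raw in log_text.splitlines():
        rec = parse_record(raw)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        summary[verdict] += 1
        hits.append((verdict, rec.get("EventID"), rec.get("TargetUserName"),
                     rec.get("WorkstationName"), rec.get("IpAddress")))
    return hits, summary


def source_ips(hits):
    """Pivot: source addresses seen with a known-bad hostname, for blocking or
    enrichment. The '-' placeholder Windows logs for local logons is dropped."""
    return {ip for verdict, _, _, _, ip in hits
            if verdict == "known_bad" and ip and ip != "-"}


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for h in found:
        print("%-13s event=%s user=%s workstation=%s ip=%s" % h)
    print(dict(counts), sorted(source_ips(found)))
```

WorkstationName is supplied by the connecting client, so it can be blank or spoofed; treat an exact match as a strong lead to pivot on (source IP, account, logon type, time) rather than proof, and expect the generic WIN- pattern to need tuning against your own unrenamed hosts before it is worth alerting on.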
"While there is likely to be some legitimate activity originating from virtual machines with these hostnames from these hosting providers, there is additional data that links the top two providers (Stark Industries Solutions Ltd and First Server Limited) to cybercriminal and Russian state-sponsored operations," the researchers said.
"CTU and third-party researchers have observed multiple state-sponsored and cybercriminal threat groups use Stark Industries Solutions Ltd infrastructure since its founding in February 2022, just before Russia’s invasion of Ukraine."
Cyber crime infrastructure takedowns continue
In May last year, the European Council issued “restrictive measures” against Stark Industries Solutions and its operators for enabling various Russian state-sponsored and affiliated actors to conduct destabilizing activities.
Meanwhile, First Server Limited appears to be closely connected to Doppelganger, a Russian disinformation campaign whose operators and associated entities were sanctioned by the UK government in October 2024.
Sophos said it’s highly likely that MasterRDP is just one of many BPH providers leasing ISPsystem virtual machines hosted on abuse-tolerant infrastructure to customers with malicious intentions, including those engaged in ransomware operations and malware delivery.
"ISPsystem VMmanager is a legitimate commercial virtualization management platform widely used across the hosting industry, and the software itself is not malicious," researchers said.
"However, its low cost, low barrier to entry, and turnkey deployment capabilities make it attractive to cybercriminals while its widespread legitimate use provides operational cover among thousands of compliant deployments."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
