Ransomware Gangs Abuse ISPsystem VMs for Stealthy Payload Delivery
Feb 9, 2026
Ransomware operators are increasingly leveraging legitimate virtualization services to host and deliver malicious payloads at scale, blending their infrastructure into benign cloud systems to stay under the radar.
Researchers at Sophos uncovered that attackers are abusing ISPsystem’s VMmanager platform—a virtualization management solution used by many hosting providers—to spin up virtual machines (VMs) that mask malicious operations among ordinary cloud workloads.
What’s Happening
Sophos found that ISPsystem’s VMmanager tool uses default Windows VM templates that repeatedly generate the same hostnames and system identifiers. Attackers take advantage of this predictable behavior to deploy malicious VMs in bulk, which:
- Appear similar to legitimate infrastructure,
- Evade detection by blending in with thousands of normal VMs,
- Make takedown and attribution more difficult for defenders.
Threat actors use these VMs for key parts of their campaigns like command-and-control (C2) and payload delivery, effectively hiding ransomware tooling among a sea of innocuous virtual servers.
Affected Actors & Infrastructure
Sophos’ analysis indicates that multiple ransomware groups and malware operations have utilized ISPsystem-provisioned VMs, including (but not limited to):
| Group / Campaign | Role in Abuse | Notes |
|---|---|---|
| LockBit | Payload delivery & C2 infrastructure | One of the most prolific ransomware operations. |
| Qilin | Payload hosting | Known for cross-platform evasion tooling. |
| Conti | Infrastructure abuse | Major ransomware family with global impact. |
| BlackCat / ALPHV | Malware hosting & delivery | Widely used ransomware-as-a-service (RaaS). |
| Ursnif | Info-stealer & malware campaigns | Often tied to ransomware follow-on activity. |
In many instances, the same VM hostnames (e.g., WIN-LIVFRVQFMKO and similar) appeared repeatedly across malicious infrastructure, which helped researchers link seemingly separate operations.
Why This Matters
This tactic matters because it blurs the line between legitimate and malicious cloud usage:
- Stealth & blending: Attackers take advantage of trusted virtualization platforms to mask their servers among legitimate infrastructure.
- Delayed detection: Using predictable, reused hostnames complicates rapid attribution and takedown efforts.
- Global impact: Multiple major ransomware families can co-opt the same virtualization ecosystem.
Additionally, many of the hosting providers facilitating these VM deployments have questionable reputations or are resistant to abuse takedown requests.
How ISPsystem Responded
After being contacted by BleepingComputer, ISPsystem acknowledged the abuse and rolled out an update to its VMmanager templates. The update introduces randomized hostname generation, which aims to reduce the risk of attackers reusing predictable identifiers for malicious deployments.
According to the statement, this change should help diminish one of the key techniques that enabled widespread misuse of their platform.
What Organizations Should Do
To protect against this evolving abuse tactic, security teams should:
- Enhance telemetry: Monitor for anomalous connections to cloud VM infrastructure, even if it appears legitimate.
- Behavior over reputation: Focus on behavioral and traffic anomalies instead of simply trusting infrastructure because it belongs to a known provider.
- Incident response readiness: Be prepared to pivot quickly when malicious VM usage is discovered within your environment.
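The hostname-reuse signal that researchers used to link separate operations can be turned into a simple hunting check over your own connection telemetry. The following is an added example written for this article, not code from Sophos, ISPsystem or BleepingComputer. It assumes a sensor records, for each outbound connection, the remote IP and the hostname the remote system presented (for instance the CN of an RDP TLS certificate or an SMB banner); that log format, the `host=` field and all sample lines are constructed. The only identifier taken from the article is `WIN-LIVFRVQFMKO`; the other hostnames and IPs are made up.

```python
import re
from collections import defaultdict

# A fresh, non-sysprepped Windows install names itself WIN- followed by eleven
# uppercase alphanumerics. A VM template cloned without regenerating that name
# re-emits the same hostname on every instance, which is the pattern described above.
DEFAULT_HOSTNAME = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Constructed sample telemetry (assumption): one connection per line,
# "<timestamp> dst=<remote ip> host=<hostname presented by the remote system>".
SAMPLE_LOG = """
2026-02-09T10:00:01Z dst=203.0.113.10 host=WIN-LIVFRVQFMKO
2026-02-09T10:02:14Z dst=203.0.113.22 host=WIN-LIVFRVQFMKO
2026-02-09T10:05:39Z dst=198.51.100.7 host=WIN-LIVFRVQFMKO
2026-02-09T10:07:02Z dst=198.51.100.9 host=WIN-LIVFRVQFMKO
2026-02-09T10:09:55Z dst=203.0.113.40 host=WIN-A1B2C3D4E5F
2026-02-09T10:11:20Z dst=203.0.113.41 host=fileserver01
2026-02-09T10:13:48Z dst=203.0.113.42 host=WIN-9Q8W7E6R5T4
2026-02-09T10:15:03Z dst=198.51.100.12 host=WIN-9Q8W7E6R5T4
""".strip().splitlines()

LINE = re.compile(r"^\S+\s+dst=(?P<ip>[\d.]+)\s+host=(?P<host>\S+)$")


def is_default_hostname(name: str) -> bool:
    """True if the name looks like an un-renamed default Windows hostname."""
    return DEFAULT_HOSTNAME.match(name) is not None


def parse_line(line: str):
    """Return (remote_ip, hostname) for a well-formed record, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("host")


def find_reused_default_hostnames(lines, min_ips: int = 3):
    """Map each default-style hostname seen on at least `min_ips` distinct remote
    IPs to the sorted list of those IPs. One default hostname on one IP is
    ordinary; the same default hostname on many unrelated IPs is the reuse
    signal worth pivoting on."""
    ips_by_host = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed records rather than failing the whole run
        ip, host = parsed
        if is_default_hostname(host):
            ips_by_host[host].add(ip)
    return {
        host: sorted(ips)
        for host, ips in ips_by_host.items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    for host, ips in find_reused_default_hostnames(SAMPLE_LOG).items():
        print(f"{host} presented by {len(ips)} distinct remote IPs: {', '.join(ips)}")
```

On the constructed sample this flags only `WIN-LIVFRVQFMKO`, seen on four distinct addresses; `WIN-9Q8W7E6R5T4` is seen on two and stays below the default threshold. Treat a hit as a pivot for correlation (what else talked to those IPs, what was downloaded, which provider owns the ranges), not as a verdict on its own: legitimate hosting customers who never rename a cloned template produce the same signal, which is exactly why the article recommends behavioural and traffic analysis over trusting or distrusting a provider wholesale.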
Detecting and responding to ransomware operations that hide within legitimate cloud services is increasingly necessary as attackers adopt more sophisticated delivery methods.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.