Ransomware Gangs Like LockBit and BlackCat Use Legitimate ISP Software for Anonymous Server Provisioning

Sophos Uncovers How Bulletproof Hosters Exploit ISPsystem's VMmanager to Power Ransomware Infrastructure

Severity: HIGH
February 7, 2026
Topics: Threat Intelligence, Ransomware, Cyberattack

Related Entities

Threat Actors

Organizations

Sophos, ISPsystem

Products & Tech

VMmanager

Other

LockBit, BlackCat, Qilin, Stark Industries Solutions, First Server Limited, MasterRDP

Full Report

Executive Summary

An investigation by Sophos has revealed how bulletproof hosting (BPH) providers are weaponizing legitimate server management software to create anonymous infrastructure for cybercrime. Researchers found that BPH providers are using ISPsystem's VMmanager, a tool for creating virtual machines, to provision servers for notorious ransomware groups. A default hostname pattern (WIN-J9D866ESIJ2) left by the software created a digital fingerprint, allowing Sophos to identify thousands of servers used in malicious operations. This infrastructure, provided by entities like Stark Industries Solutions and MasterRDP, has been directly tied to attacks involving top ransomware families such as LockBit, BlackCat, and Conti. This report details the symbiotic relationship between legitimate software vendors, complicit hosting providers, and elite cybercriminal gangs.

Threat Overview

This research exposes a key part of the cybercrime supply chain: the provisioning of anonymous, resilient infrastructure.

  • Abused Software: ISPsystem VMmanager, a legitimate tool for managing virtualization.
  • Malicious Technique: BPH providers use the software to rapidly deploy Windows virtual machines for their criminal clients. The software's default settings leave a consistent, identifiable hostname.
  • Key Infrastructure Providers: Stark Industries Solutions (sanctioned by the EU for supporting Russian cyber operations), First Server Limited, and MasterRDP (also known as rdp.monster).
  • Beneficiaries: Major ransomware-as-a-service (RaaS) groups including LockBit, BlackCat (ALPHV), Conti, and Qilin.

The core issue is not a vulnerability in the ISPsystem software, but its adoption and use by hosting providers who knowingly cater to criminals. These BPH providers form a foundational layer of the cybercrime economy.

Technical Analysis

The investigation began during the analysis of a ransomware attack where the virtual machine used by the attackers had a default hostname of WIN-J9D866ESIJ2. This is not a standard Windows hostname but is generated by the VMmanager software during the automated creation of a Windows Server VM.

By searching for this and similar default hostnames across the internet, Sophos was able to pivot and identify a massive network of servers with the same digital fingerprint. This allowed them to map out the infrastructure provided by the BPH services and link it to specific cybercriminal campaigns.

This technique of using default configurations as an identifier is a classic threat intelligence methodology. It highlights how even non-malicious artifacts can become powerful indicators when they are consistently associated with criminal activity. The BPH providers offer these pre-configured, anonymous RDP servers on underground forums, making it easy for less sophisticated actors to rent infrastructure for their attacks.

Impact Assessment

The abuse of legitimate software by BPH providers has a significant impact on the entire cybersecurity landscape:

  • Lowers Barrier to Entry: It makes it cheap and easy for cybercriminals to acquire anonymous, fire-and-forget infrastructure, lowering the technical skill required to launch attacks.
  • Complicates Attribution: The use of these intermediary hosting providers makes it difficult for law enforcement and researchers to trace attacks back to the actual threat actors.
  • Enables Major Threats: This infrastructure is the backbone for some of the world's most destructive ransomware gangs, directly enabling billions of dollars in damages globally.
  • Reputational Risk for Software Vendors: Legitimate companies like ISPsystem face reputational damage when their products are co-opted for criminal purposes, even if the software itself is not at fault.

Cyber Observables for Detection

The key observable from this research is the default hostname pattern.

Type    Value              Description
other   WIN-J9D866ESIJ2    Default hostname generated by ISPsystem VMmanager for Windows VMs.
other   WIN-???????????    General pattern for default hostnames. Presence of servers with these names communicating with a network could indicate malicious activity.

Detection & Response

  • Threat Intelligence: Security teams should add the identified BPH providers (Stark Industries Solutions, MasterRDP, etc.) and their associated IP ranges to blocklists and monitoring rules.
  • Network Monitoring: Monitor for RDP or other remote access traffic to and from IP addresses associated with known BPH providers. The default hostname pattern can also be used as a hunting query in asset inventories or network logs.
  • Incident Response: During an incident, if a server with a default hostname like WIN-J9D866ESIJ2 is identified, it should be treated as a strong indicator of an externally managed malicious server, and immediate isolation is required.

Mitigation

  • IP Reputation Filtering: Use threat intelligence feeds that track and block traffic from known malicious hosting providers and bulletproof services.
  • Restrict RDP Access: Enforce strict controls on Remote Desktop Protocol. RDP should never be exposed directly to the internet. Access should be gated behind a VPN with multi-factor authentication.
  • Supply Chain Due Diligence: While difficult, organizations should be aware of the hosting providers used by their partners and vendors. If a partner is using a known BPH service, it represents a significant supply chain risk.

Timeline of Events

1. February 7, 2026: This article was published.

MITRE ATT&CK Mitigations

Use IP reputation feeds and explicit blocklists to deny all traffic to and from IP ranges associated with known bulletproof hosting providers.

Block or heavily restrict RDP access from the internet to prevent attackers from using these anonymous servers to connect to internal systems.

Audit (M1047, Enterprise): Log and audit all remote access connections, paying close attention to source IP geography and reputation.

D3FEND Defensive Countermeasures

Organizations must implement stringent inbound traffic filtering based on threat intelligence to counter infrastructure provided by bulletproof hosters. This involves subscribing to high-quality IP reputation and threat intelligence feeds that identify and flag IP addresses and ASNs associated with services like Stark Industries Solutions and MasterRDP. Perimeter firewalls and cloud security groups should be configured to automatically block all inbound connections from these malicious sources. Specifically for RDP, access should be denied by default from all external IPs, with exceptions only for trusted partners via a secure gateway. This proactive blocking prevents ransomware operators from using their anonymously provisioned servers to establish initial RDP sessions into the target network.
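The filtering policy described above (deny anything from a reputation-listed range, deny RDP from the internet by default, allow RDP only from a trusted partner gateway) as an added worked example in Python, applied to a few constructed firewall log lines. This is illustration code, not Sophos's or the report author's code. The CIDR blocks are RFC 5737 documentation ranges standing in for whatever a real reputation feed would publish; nothing here attributes a real address range to any provider, and the allowlisted gateway address is an assumption.

```python
import ipaddress
import re

# Placeholder blocklist: RFC 5737 documentation ranges standing in for the CIDR blocks
# a real IP-reputation feed would publish for known bulletproof hosters. Constructed.
BPH_BLOCKLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed trusted partner gateway: the only external source allowed to reach RDP.
RDP_ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]
RDP_PORT = 3389

# Minimal key=value firewall connection record; real syslog formats vary.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)

# Constructed sample log (not real traffic). Includes one non-connection line to
# show that unparsable records are skipped rather than silently allowed.
SAMPLE_FW_LOG = """\
2026-02-05T02:12:59Z fw1 conn src=203.0.113.45 dst=10.0.0.15 dport=3389 proto=tcp
2026-02-05T02:13:30Z fw1 conn src=198.51.100.7 dst=10.0.0.80 dport=443 proto=tcp
2026-02-05T08:01:12Z fw1 conn src=192.0.2.10 dst=10.0.0.15 dport=3389 proto=tcp
2026-02-05T08:05:44Z fw1 conn src=192.0.2.200 dst=10.0.0.15 dport=3389 proto=tcp
2026-02-05T08:06:02Z fw1 conn src=192.0.2.200 dst=10.0.0.80 dport=443 proto=tcp
2026-02-05T08:07:00Z fw1 heartbeat ok
"""


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in networks)


def decide(src, dport):
    """Apply the policy to one inbound connection: (verdict, reason).

    Order matters: a reputation-listed source is denied on every port, then RDP is
    default-deny with an explicit allowlist, and everything else falls through.
    """
    ip = ipaddress.ip_address(src)
    if in_any(ip, BPH_BLOCKLIST):
        return ("deny", "bph-blocklist")
    if dport == RDP_PORT:
        if in_any(ip, RDP_ALLOWLIST):
            return ("allow", "rdp-allowlist")
        return ("deny", "rdp-default-deny")
    return ("allow", "default")


def parse_line(line):
    """Return the connection fields of one log line, or None if it is not a conn record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def evaluate_log(text):
    """Run the policy over every parsable connection record in the log text."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, reason = decide(rec["src"], rec["dport"])
        results.append({"ts": rec["ts"], "src": rec["src"], "dport": rec["dport"],
                        "verdict": verdict, "reason": reason})
    return results


def denied_sources(results):
    """Sorted list of distinct source addresses that received at least one deny."""
    return sorted({r["src"] for r in results if r["verdict"] == "deny"})


if __name__ == "__main__":
    for r in evaluate_log(SAMPLE_FW_LOG):
        print(f'{r["ts"]} {r["src"]:>14} -> :{r["dport"]:<5} {r["verdict"]:5} ({r["reason"]})')
```

The same three-step decision maps directly onto an ordered firewall or security-group rule set: reputation deny first, then the RDP allowlist, then the RDP default deny. Matching on ASN rather than CIDR, as the paragraph also suggests, needs a prefix-to-ASN feed and is not modelled here.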

Since the servers provisioned by these bulletproof hosters are often used for RDP access, monitoring local account usage is a critical detection strategy. Security teams should establish a baseline of normal RDP login activity. Alerts should be configured for anomalous patterns, such as logins to a server from a new or unusual geographic location, multiple failed login attempts followed by a success, or logins occurring outside of normal business hours. Furthermore, hunting for the default hostname pattern (WIN-J9D866ESIJ2) in the source hostname field of Windows logon events (Event ID 4624) can directly identify when an attacker is connecting from one of these malicious, pre-configured virtual machines. This provides a high-fidelity signal that an external threat actor is attempting to access the network.
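The hunting logic from this paragraph, the Cyber Observables table and the Detection & Response section, worked as an added Python example over constructed Windows Security event records (this is illustration code, not Sophos's or the report author's). It goes a little beyond the text: the exact hostname WIN-J9D866ESIJ2 scores highest, the generic WIN-??????????? shape from the observables table is matched as a regular expression and scored lower because any Windows host that kept its setup-time name also matches it, and the failed-then-successful-logon and off-hours rules from the paragraph are implemented alongside. Field names follow the EventData names Windows writes into 4624/4625 records; the business-hours window, failure threshold, logon-type values and all sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exact value reported by Sophos, plus the generic "WIN-" + 11 alphanumerics shape
# given as WIN-??????????? in the observables table. The generic shape also matches
# any Windows machine that was never renamed after setup, so it is scored lower.
KNOWN_BAD_HOSTNAMES = {"WIN-J9D866ESIJ2"}
DEFAULT_HOSTNAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
LOGON_TYPE_RDP = 10          # RemoteInteractive
BUSINESS_HOURS = (8, 18)     # assumed local business window, 08:00-18:00

# Constructed sample events (not real log data). "WorkstationName" is the client-side
# hostname a 4624/4625 record carries for network and RDP logons.
SAMPLE_EVENTS = [
    {"ts": "2026-02-05T02:13:07", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup",
     "WorkstationName": "WIN-J9D866ESIJ2", "IpAddress": "203.0.113.45"},
    {"ts": "2026-02-05T02:13:21", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup",
     "WorkstationName": "WIN-J9D866ESIJ2", "IpAddress": "203.0.113.45"},
    {"ts": "2026-02-05T02:13:40", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc_backup",
     "WorkstationName": "WIN-J9D866ESIJ2", "IpAddress": "203.0.113.45"},
    {"ts": "2026-02-05T02:14:02", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "WorkstationName": "WIN-J9D866ESIJ2", "IpAddress": "203.0.113.45"},
    {"ts": "2026-02-05T09:30:11", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice",
     "WorkstationName": "LAPTOP-ALICE", "IpAddress": "10.0.5.23"},
    {"ts": "2026-02-05T11:02:45", "EventID": 4624, "LogonType": 3, "TargetUserName": "bob",
     "WorkstationName": "WIN-A1B2C3D4E5F", "IpAddress": "10.0.7.9"},
]


def hostname_score(name):
    """0 = no match, 1 = generic default-name shape, 2 = exact value from the report."""
    if name in KNOWN_BAD_HOSTNAMES:
        return 2
    if DEFAULT_HOSTNAME_RE.match(name or ""):
        return 1
    return 0


def hunt_default_hostnames(events):
    """Successful logons whose source workstation carries a default-style hostname."""
    hits = []
    for ev in events:
        if ev["EventID"] != LOGON_SUCCESS:
            continue
        score = hostname_score(ev.get("WorkstationName"))
        if score:
            hits.append({"ts": ev["ts"], "user": ev["TargetUserName"], "ip": ev["IpAddress"],
                         "workstation": ev["WorkstationName"], "score": score})
    return hits


def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """(ip, user) pairs where at least min_failures 4625s precede a 4624 inside the window."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort lexically
        by_key[(ev["IpAddress"], ev["TargetUserName"])].append(ev)
    alerts = []
    for (ip, user), evs in by_key.items():
        failures = []
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if ev["EventID"] == LOGON_FAILURE:
                failures.append(t)
            elif ev["EventID"] == LOGON_SUCCESS:
                recent = [f for f in failures if t - f <= window]
                if len(recent) >= min_failures:
                    alerts.append({"ip": ip, "user": user, "failures": len(recent),
                                   "success_at": ev["ts"]})
                failures = []                                 # a success closes the burst
    return alerts


def off_hours_rdp(events, hours=BUSINESS_HOURS):
    """Successful RDP (logon type 10) logons outside the assumed business window."""
    start, end = hours
    return [ev for ev in events
            if ev["EventID"] == LOGON_SUCCESS and ev["LogonType"] == LOGON_TYPE_RDP
            and not (start <= datetime.fromisoformat(ev["ts"]).hour < end)]


def triage(events):
    """Run all three rules and return their findings keyed by rule name."""
    return {"default_hostname_logons": hunt_default_hostnames(events),
            "brute_force_then_success": failed_then_success(events),
            "off_hours_rdp": off_hours_rdp(events)}


if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(findings)}")
        for f in findings:
            print("   ", f)
```

On the sample data the svc_backup session fires all three rules at once (exact hostname match, three failures then a success from the same address, and a 02:14 RDP logon), which is the kind of stacked signal worth isolating on immediately; bob's logon only matches the generic shape and would normally be checked against the asset inventory before escalation.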

Sources & References

Malicious use of virtual machine infrastructure. Sophos News (news.sophos.com), February 4, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Bulletproof Hosting, BPH, RDP, Infrastructure, Cybercrime, RaaS
