Security researchers at Sophos have found that thousands of internet-facing virtual machines share the same default hostnames, and that some of those hostnames have turned up in ransomware and other cyberattacks.
In late 2025, SophosLabs analysts investigated several WantToCry ransomware cases. In each incident, the attacker-controlled virtual machines carried automatically generated NetBIOS hostnames that came from Windows templates distributed through ISPsystem, a legitimate IT infrastructure management platform.
Sophos’ Counter Threat Unit (CTU) expanded the review and identified more internet-exposed systems using the same naming pattern. Some of these systems were tied to ransomware groups and the delivery of common malware.
Two hostnames, WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, appeared repeatedly across different attacks. According to CTU and other researchers, these hostnames were linked to incidents involving LockBit, Qilin, and BlackCat (also known as ALPHV). One case also involved the NetSupport remote access trojan (RAT).
The hostname WIN-LIVFRVQFMKO was previously seen in 2021, when a user later identified as Maksim Galochkin logged into a private Jabber chat used by members of the Conti and TrickBot cybercrime groups. Those chat logs became public during the 2022 ContiLeaks incident. The same hostname surfaced again in a 2023 Ursnif malware campaign targeting organizations in Italy, and in 2024 during exploitation of a FortiClient EMS vulnerability that Kaspersky documented.
According to the researchers, the repeated appearance of these hostnames could suggest a single threat actor, but internet scans tell a different story. Data from the Shodan search engine showed thousands of systems exposing Remote Desktop Protocol (RDP) services under these same hostnames in December 2025: at that time, 3,645 live hosts used WIN-J9D866ESIJ2 and 7,937 used WIN-LIVFRVQFMKO. A hostname shared by that many unrelated machines cannot, on its own, attribute activity to anyone.
Most of these systems were located in Russia, with others in neighboring countries, Europe, and the United States. A small number were identified in Iran. Several hosting providers were linked to these machines, including Stark Industries Solutions Ltd and First Server Limited.
CTU and third-party researchers have previously observed cybercriminal and state-sponsored groups using infrastructure connected to Stark Industries Solutions Ltd. In May 2025, the European Council imposed restrictive measures on the company, citing its role in enabling Russian state-affiliated actors. Separate research has suggested that First Server Limited is connected to the Doppelganger disinformation campaign, which was sanctioned by the UK government in 2024.
Further investigation revealed that the hostnames originate from prebuilt Windows Server images distributed through ISPsystem's VMmanager platform. When a customer deploys a virtual machine from one of these templates, the resulting system comes up with the same default hostname and the same self-signed RDP certificate, both of which are visible to anyone scanning the RDP port, which is how search engines such as Shodan can count them.
To confirm this, CTU researchers created test virtual machines using VMmanager. Each deployment produced the same static hostname, showing that the name is embedded in the template rather than generated at first boot as it normally would be on a fresh Windows installation.
The four most common hostnames account for more than 95% of internet-facing systems built from these ISPsystem templates. Two of the most popular images are set up for Key Management Service (KMS) activation, which activates Windows for 180 days at a time against a KMS host instead of with a per-machine product key, so the operating system can run without individual licensing as long as that activation keeps being renewed.
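Because the names are static template defaults shared by thousands of hosts (the Shodan counts above) rather than attacker-chosen identifiers, a defender should use them as a pivot, not a verdict. The following is an added example, not code from Sophos or from the article, showing one way to do that: it scans Windows Security event 4624 records, keeps only RDP logons (LogonType 10), and rates the client-reported Workstation Name as high or medium when it is one of the two ISPsystem template defaults named above, or low when it merely matches the generic "WIN-" plus eleven characters pattern that an unrenamed Windows Server install carries. The flattened key=value log format, the sample records, the RFC 1918 check and the severity scale are all assumptions made for this example. Note that the Workstation Name in a 4624 event is supplied by the connecting client and can be spoofed, which is one more reason a match alone should only trigger corroboration.

```python
"""Flag RDP logons whose client hostname is a known ISPsystem template default.

Added example; the log format and sample records below are constructed
for illustration and are not from the Sophos research or the article.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Template-default hostnames named in the article (known shared names).
TEMPLATE_DEFAULT_HOSTS = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}

# Generic Windows Server default name: "WIN-" plus 11 alphanumerics.
# Matching this only says the box was never renamed, so it is weak evidence.
WIN_DEFAULT_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

# RFC 1918 ranges used to decide whether the RDP source looks internal.
# (Deliberately not ipaddress.is_private, which also covers documentation
# ranges such as 203.0.113.0/24 that the samples below use as "internet".)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: Security event 4624 fields flattened to key=value pairs.
SAMPLE_LOGS = [
    "EventID=4624;LogonType=10;TargetUserName=Administrator;WorkstationName=WIN-LIVFRVQFMKO;IpAddress=203.0.113.7",
    "EventID=4624;LogonType=10;TargetUserName=svc_backup;WorkstationName=WIN-J9D866ESIJ2;IpAddress=198.51.100.20",
    "EventID=4624;LogonType=10;TargetUserName=jdoe;WorkstationName=WIN-ABCDEFGHIJK;IpAddress=10.0.0.5",
    "EventID=4624;LogonType=10;TargetUserName=jdoe;WorkstationName=LAPTOP-JDOE;IpAddress=10.0.0.5",
    "EventID=4624;LogonType=2;TargetUserName=Administrator;WorkstationName=WIN-LIVFRVQFMKO;IpAddress=-",
]


@dataclass
class Finding:
    user: str
    workstation: str
    src_ip: str
    severity: str  # assumed scale for this example: low / medium / high
    reason: str


def parse_event(line: str) -> dict:
    """Turn 'k=v;k=v' into a dict (assumed flattened 4624 format)."""
    return dict(field.split("=", 1) for field in line.split(";"))


def is_rfc1918(ip: str) -> bool:
    """True for RFC 1918 sources; '-' (local logon) and bad values are False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify(event: dict) -> Optional[Finding]:
    """Rate one 4624 record; None when it is not an RDP logon of interest."""
    if event.get("EventID") != "4624" or event.get("LogonType") != "10":
        return None  # LogonType 10 = RemoteInteractive, i.e. RDP
    ws = event.get("WorkstationName", "").upper()
    src = event.get("IpAddress", "-")
    external = not is_rfc1918(src)
    if ws in TEMPLATE_DEFAULT_HOSTS:
        # Thousands of benign hosts share these names, so even this is a
        # lead to corroborate (source ASN, account, timing), not proof.
        severity = "high" if external else "medium"
        reason = "workstation name is a known ISPsystem template default"
    elif WIN_DEFAULT_RE.match(ws):
        severity = "low"
        reason = "unrenamed Windows default hostname pattern"
    else:
        return None
    return Finding(event.get("TargetUserName", "?"), ws, src, severity, reason)


def scan(lines) -> list:
    """Run classify over raw log lines and keep the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"[{finding.severity}] {finding.user}@{finding.workstation} "
              f"from {finding.src_ip}: {finding.reason}")
```

Run against the constructed sample, the two template-default names arriving from non-RFC 1918 sources are rated high, the unrenamed WIN-ABCDEFGHIJK box from an internal address is rated low, the console logon (LogonType 2) and the renamed laptop are ignored. In a real deployment the same classifier would be fed from the event log or SIEM, and the high findings would be joined against the source IP's hosting provider before anyone acts on them.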
Sophos researchers also found advertisements on underground forums and Telegram promoting bulletproof hosting services linked to these systems. Such providers allow customers to host malicious content, including ransomware command-and-control servers, phishing sites, and malware distribution tools.
Sophos said ISPsystem VMmanager is a legitimate platform widely used by hosting companies. However, its low cost and ready-to-use templates also attract cybercriminals who want fast, disposable infrastructure for attacks, and because every VM built from a template inherits the same hostname, those machines are indistinguishable by name from the thousands of benign ones.