Bulletproof hosting reused Windows images, masking ransomware infrastructure

New Sophos research finds bulletproof hosting providers repeatedly deploy virtual machines from the same preconfigured Windows images, creating thousands of identically named servers that cybercriminal groups continue to exploit for cover.
- More than 7,000 ransomware-linked servers surfaced under a single Windows hostname, making unrelated gangs appear connected.
- Sophos traced LockBit, Qilin, ALPHV/BlackCat, and others back to servers spun up from the same Windows image.
- Bulletproof hosting providers reused Windows images at scale, giving cybercriminal servers cover in plain sight.
What’s more, the “VM reproduction shortcut” has apparently been in use by bulletproof hosting providers since at least 2021 – making it falsely appear to security researchers that ransomware operators have been sharing a single, sprawling infrastructure ecosystem.
According to a Sophos blog published on Wednesday, the servers – often rented by cybercriminal groups – are spun up from the templated Windows images without altering the default settings, leaving identical hostnames in place across thousands of deployments.
“Bulletproof hosting providers (BPH) are abusing the legitimate ISPsystem infrastructure to supply virtual machines to cybercriminals,” Sophos wrote, adding that the “infrastructure commonly supports ransomware command and control (C2) servers, malware distribution, phishing campaigns, botnet management, and data exfiltration staging.”
For those unfamiliar, ISPsystem infrastructure is a legitimate virtualization management platform used by hosting companies to offer VPS and VM services.
Partly out of laziness, BPH companies – known for lax oversight and for tolerating criminal activity – abuse this infrastructure to rapidly deploy large numbers of servers, causing thousands of these otherwise independent servers to share identical hostnames.
Because of this, the unrelated cybercriminal groups end up using machines that look identical, making tracking, attribution, and takedowns much harder, Sophos says.
From the outside, these thousands of rented servers look like one massive shared botnet – or one super-busy threat actor.
Why thousands of virtual servers share the same hostname
Basically, the issue is that the Windows images shipped with ISPsystem’s VMmanager come with hardcoded hostnames that are not randomized during deployment.
So, every time someone creates a virtual machine (VM) from that template, the system assigns the same hostname again and again.
Sophos said it first uncovered the unusual correlation during a routine ransomware investigation, noting that many of the attacks originated from Windows servers with the exact same computer names.
Researchers found four of the most common hostnames in use linked to malicious activity, on servers running Windows Server 2012 R2, 2016, 2019, and 2022:
- WIN-344VU98D3RU
- WIN-J9D866ESIJ2
- WIN-LIVFRVQFMKO
- WIN-BS656MOF35Q
For example, more than 7,000 servers were found in the wild with just a single hostname, many of them appearing to originate from Russia, Europe, the US, and even Iran and Israel.
“It would be tempting to conclude that each hostname is used by a single threat actor engaging in a range of criminal behavior… However, according to the Shodan search engine … there were 3,645 live hosts exposing the hostname WIN-J9D866ESIJ2 and 7,937 with hostname WIN-LIVFRVQFMKO,” Sophos said.
Sophos also found that many of these identical VMs were hosted by bulletproof providers already linked to Russian cybercrime, sanctioned entities, and state-aligned operations.
Researchers further identified “extensive references” to a BPH named MasterRDP, also operating under the rdp.monster brand, “in datasets associated with systems exposing ISPsystem-derived hostnames.”
The group found rdp.monster advertised in multiple underground forum posts and in public ads on Telegram.
How identical hostnames break ransomware attribution
Sophos traced back a multitude of notorious ransomware variants and malware threats to the same hostname-based infrastructure, including such big names as LockBit, Qilin, ALPHV/BlackCat, Conti, TrickBot, Ursnif, RedLine, and NetSupport RAT.
- Ransomware strains: LockBit, Qilin, ALPHV/BlackCat, Conti, WantToCry
- Malware campaigns: ClickFix, PureRAT, and Lumma stealer
- Infostealers/Trojans: Ursnif, RedLine, TrickBot, NetSupport RAT
Sophos said it observed the same hostnames used by different criminals across different years, appearing in attacks spanning 2021, 2023, and 2025.
Sophos explains there are several reasons for this: the Windows template never changes, new criminals keep deploying the same image, and as old servers are shut down, new ones pop up with the same name but new IP addresses.
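The attribution pitfall described above can be checked directly in your own telemetry. The following is an added example, not code from Sophos or Cybernews: it parses a few constructed Shodan-style NTLM banner records (the `Target_Name` layout and the documentation-range IPs are assumptions), flags the four default hostnames named in the report, and shows that one hostname spans many IPs and years, so hostname alone cannot identify an actor.

```python
"""Hunt for ISPsystem/VMmanager default Windows hostnames in banner data."""
import re
from collections import defaultdict

# The four most common default hostnames named in the Sophos research.
ISPSYSTEM_DEFAULT_HOSTS = {
    "WIN-344VU98D3RU", "WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO", "WIN-BS656MOF35Q",
}

# Constructed sample records (assumed format): "<ip> <year> Target_Name: <host>".
# IPs come from RFC 5737 documentation ranges; none are real observations.
SAMPLE_RECORDS = """\
203.0.113.10 2021 Target_Name: WIN-LIVFRVQFMKO
203.0.113.11 2023 Target_Name: WIN-LIVFRVQFMKO
198.51.100.5 2025 Target_Name: WIN-LIVFRVQFMKO
198.51.100.7 2023 Target_Name: WIN-J9D866ESIJ2
192.0.2.44 2024 Target_Name: CORP-DC01
192.0.2.45 2024 Target_Name: WIN-BS656MOF35Q
"""

RECORD_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<year>\d{4})\s+Target_Name:\s*(?P<host>\S+)$")

def parse_records(text):
    """Yield (ip, year, HOSTNAME) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m["ip"], int(m["year"]), m["host"].upper()

def is_default_hostname(host):
    """True if the host is one of the known ISPsystem template names."""
    return host.upper() in ISPSYSTEM_DEFAULT_HOSTS

def summarize(text):
    """Map each flagged hostname to the distinct IPs and years it was seen on."""
    summary = defaultdict(lambda: {"ips": set(), "years": set()})
    for ip, year, host in parse_records(text):
        if is_default_hostname(host):
            summary[host]["ips"].add(ip)
            summary[host]["years"].add(year)
    return dict(summary)

def weak_pivot(summary, host):
    """A hostname observed on more than one IP is not a usable actor identifier."""
    entry = summary.get(host)
    return entry is not None and len(entry["ips"]) > 1

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_RECORDS).items()):
        print(host, sorted(info["ips"]), sorted(info["years"]), "weak" if weak_pivot(summarize(SAMPLE_RECORDS), host) else "single")
```

Treat a flagged hostname as a hint that the server came from a templated hosting image, and pivot on IP, time window, and observed payloads instead of on the name.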
Sophos says the proliferation of identically named servers also makes it that much more difficult for security researchers when it comes to criminal attribution and infrastructure takedowns.
It also provides the perfect environment for bad actors running short-lived ransomware operations, offering cover amid a sea of legitimate enterprise deployments.