Western Europe is a hotbed for cybercriminals' servers
Briefly

"Attackers using the WantToCry ransomware appear to be using only two computers. Nothing could be further from the truth: research shows that the VMmanager tool is being used for hosting not only by legitimate suppliers, but also by cyber attackers. Several cybercriminal groups are using this form of camouflage, according to Sophos' Counter Threat Unit Research Team. The two hostnames, WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, appear to be quite common."
"The providers are 'bulletproof,' meaning they ignore claims of illegal activity on their servers and do not ask their users about the purposes of their IT infrastructure. One of the most popular is Zomro, a company that appears to have a branch in the Dutch town of Enschede but only provides customer contact in English or Ukrainian on its own website. Stark Industries Solutions Limited is another notorious cloud player."
"The two most popular hostnames for online Windows systems use a version of the OS that can run free for 180 days. According to Sophos, they use VMmanager, a management tool from the legitimate ISPsystem. Four hostnames, including the two from WantToCry, account for 95 percent of all ISPsystem VMs. Sophos observed activity from several notorious cybercriminal groups, such as LockBit, Conti, Qilin, WantToCry, and BlackCat/ALPHV."
Cybercriminals are abusing the VMmanager tool from ISPsystem to host ransomware and other malicious operations on virtual machines. Two hostnames, WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, recur frequently across deployments, with the highest occurrences in Russia, the Netherlands, and Germany. Several cloud providers described as 'bulletproof', including Zomro and Stark Industries Solutions Limited, ignore abuse complaints about activity on their servers. Some virtual machines run free-trial Windows images valid for 180 days, which suits short-lived malicious activity. Multiple ransomware groups — LockBit, Conti, Qilin, WantToCry, and BlackCat/ALPHV — have been observed using these VMmanager-hosted environments. Criminals favor major internet hubs such as AMS-IX and DE-CIX in the Netherlands and Germany so that malicious traffic blends in with legitimate infrastructure.
Read at Techzine Global