Bulletproof Hosting Providers Exploit Legitimate ISPs to Power Cybercrime Servers


Researchers have found a surprising link between legitimate IT software and major cybercriminal operations. While investigating attacks by the “WantToCry” ransomware gang, analysts noticed that the attackers were using virtual machines (VMs) with identical computer names (hostnames) such as WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO.

These names were not random. They were automatically generated by ISPsystem, a completely legitimate company that makes software for managing web servers.

Hosting providers use ISPsystem’s “VMmanager” to quickly create Windows servers for customers.

However, the default settings in these templates give every new server the exact same name. This design quirk created a digital fingerprint that allowed researchers to find thousands of these machines all over the internet.

The “Bulletproof” Connection

In late 2025, SophosLabs analysts investigated several WantToCry remote ransomware incidents. 

The problem is not the software itself, but who is using it. Researchers found that specific “bulletproof” hosting providers (companies that ignore laws and refuse to shut down criminal servers) were buying this software to sell servers to bad actors.

Locations of devices using these hostnames based on associated IP address (Source: SophosLabs).

Two providers, Stark Industries Solutions and First Server Limited, were hosting the vast majority of these suspicious machines.

Stark Industries has been linked to Russian state-sponsored cyber activities and was sanctioned by the European Union in May 2025 for helping destabilize European nations.

Another key player identified was MasterRDP (also known as rdp.monster), which openly advertises anonymous servers for hackers on underground forums.

WIN-J9D866ESIJ2 hosting providers   | # of hosts
First Server Limited                | 592
Stark Industries Solutions Ltd      | 576
Zomro B.V.                          | 308
Global Connectivity Solutions LLP   | 189
Kontel LLC                          | 148

By late 2025, over 95% of the internet-facing servers using these specific ISPsystem names were concentrated in Russia and linked to just four distinct hostnames.

These weren’t just used for small-time scams. They were the launchpads for some of the world’s most dangerous ransomware gangs, including:

  • LockBit.
  • BlackCat (ALPHV).
  • Conti (historical data).
  • Qilin.

In one case, a specific server name was even linked to a sanctioned individual named “Bentley,” a known member of the TrickBot and Conti cybercrime groups.

Why This Matters

When thousands of servers share the same computer name and digital certificate, it becomes very hard for security teams to tell them apart or figure out exactly who is behind an attack.

WIN-LIVFRVQFMKO hosting providers   | # of hosts
Stark Industries Solutions Ltd      | 634
Zomro B.V.                          | 455
First Server Limited                | 414
Partner Hosting LTD                 | 356
JSC IOT                             | 355

It allows different criminal groups to hide inside a massive cloud of identical, anonymous servers.

While ISPsystem’s software is a standard tool for the industry, its low cost and ease of use have made it the perfect building block for the cybercriminal economy.

MasterRDP is one of many BPH providers within the cybercriminal ecosystem that lease ISPsystem virtual machines hosted on abuse-tolerant infrastructure to customers with malicious intentions.
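
One way a defender could put the hostname fingerprint described above to use, as an added example that is not from the article or from SophosLabs: the script flags log records whose client hostname is one of the two template names the article gives, and groups them by source IP, because one shared hostname can be many different machines. The JSON record schema, the field names `workstation` and `src_ip`, and the sample lines are constructed assumptions; the broader WIN- pattern is the generic Windows default name and is treated as a weaker signal.

```python
import json
import re
from collections import defaultdict

# Hostnames the article names as ISPsystem VMmanager template defaults.
TEMPLATE_HOSTNAMES = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}
# Windows auto-generates WIN- plus 11 characters; a match only means the
# machine was never renamed, so it is a much weaker signal than the set above.
DEFAULT_NAME_RE = re.compile(r"WIN-[A-Z0-9]{11}")

# Constructed sample records: hypothetical schema, documentation-range IPs.
SAMPLE_LOG = """\
{"event": "logon_failed", "workstation": "WIN-J9D866ESIJ2", "src_ip": "203.0.113.10"}
{"event": "logon_failed", "workstation": "win-j9d866esij2", "src_ip": "198.51.100.77"}
{"event": "logon_ok", "workstation": "WIN-LIVFRVQFMKO", "src_ip": "203.0.113.45"}
{"event": "logon_ok", "workstation": "WIN-A1B2C3D4E5F", "src_ip": "192.0.2.8"}
{"event": "logon_ok", "workstation": "FINANCE-LT-042", "src_ip": "192.0.2.20"}
truncated line that is not JSON
"""

def classify(workstation):
    """Return 'template', 'default' or None for a client hostname."""
    if not isinstance(workstation, str):
        return None
    name = workstation.strip().upper()
    if name in TEMPLATE_HOSTNAMES:
        return "template"
    return "default" if DEFAULT_NAME_RE.fullmatch(name) else None

def scan(lines):
    """Group matching records by normalized hostname."""
    hits = defaultdict(lambda: {"kind": None, "count": 0, "src_ips": set()})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        kind = classify(rec.get("workstation"))
        if kind is None:
            continue
        entry = hits[rec["workstation"].strip().upper()]
        entry["kind"] = kind
        entry["count"] += 1
        if isinstance(rec.get("src_ip"), str):
            entry["src_ips"].add(rec["src_ip"])
    return dict(hits)

if __name__ == "__main__":
    for name, e in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        # One hostname seen from several IPs is several machines, not one host.
        print(f"{e['kind']:8} {name} events={e['count']} ips={sorted(e['src_ips'])}")
```

A template match identifies the hosting template, not the operator, so each source IP behind a shared hostname should be triaged as a separate machine.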
