Most high-profile ransomware groups were using the same infrastructure
- Sophos reports bulletproof hosting providers renting VMmanager-based servers to cybercriminals
- Identical Windows templates leave thousands of exposed servers exploited for ransomware and malware campaigns
- Infrastructure linked to major groups (LockBit, Conti, BlackCat, Qilin, TrickBot, etc.) and sanctioned Russian hosting firm
Bulletproof hosting providers are renting cheap infrastructure to cybercriminals, providing them with virtual machines they can use in ransomware attacks, new research has found.
A report from Sophos explained how legitimate services were being abused to launch attacks at massive scales without the need to build custom infrastructure.
While investigating several ransomware attacks, the team noticed that many attackers were operating from Windows servers with identical hostnames (the name a device is given on a network). Since all of those attacks could not plausibly be the work of a single attacker, they dug deeper and found that the systems were virtual machines created from the same prebuilt Windows templates.
Abuse through bulletproof hosting
The templates come from ISPsystem VMmanager, a legitimate virtualization platform that is widely used by hosting providers. Because the templates do not randomize the hostname when a new VM is created, thousands of unrelated servers on the internet end up looking almost identical.
Now, Sophos says cybercriminals are exploiting this, at scale, through bulletproof hosting providers (hosting companies that don’t react to takedown requests or abuse reports) which rent out VMmanager-based servers to crooks.
Using Shodan, the researchers found tens of thousands of internet-exposed servers sharing the same hostnames. Almost all of them (95%) came from a handful of Windows templates, and many had Windows activated via KMS (Key Management Service, a volume-activation mechanism that keeps Windows activated for 180 days at a time without a per-machine license).
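The hunting logic behind that finding, as an added example that is not Sophos's code or part of the original article: cluster scan results by the Windows computer name exposed in RDP/SMB banners and flag names that recur across unrelated networks. The records below are constructed; their shape (an `ip_str` field and a `data` banner carrying `DNS_Computer_Name`/`NetBIOS_Computer_Name` lines) is an assumption modelled on Shodan-style banner JSON, and the hostnames are invented. The /24 spread check is an added heuristic: one organisation may deliberately give several hosts in its own netblock the same name, whereas a template fingerprint shows the same name scattered across networks that have nothing to do with each other.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed scan records (not real scan output). Field names are an assumption
# modelled on Shodan-style banner JSON; hostnames and IPs are invented.
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 3389,
     "data": "Remote Desktop Protocol\nNetBIOS_Computer_Name: WIN-TEMPLATE01\nDNS_Computer_Name: WIN-TEMPLATE01"},
    {"ip_str": "198.51.100.7", "port": 3389,
     "data": "Remote Desktop Protocol\nNetBIOS_Computer_Name: WIN-TEMPLATE01\nDNS_Computer_Name: WIN-TEMPLATE01"},
    {"ip_str": "192.0.2.44", "port": 445,
     "data": "SMB Status\nNetBIOS_Computer_Name: WIN-TEMPLATE01\nDNS_Computer_Name: win-template01.localdomain"},
    {"ip_str": "203.0.113.11", "port": 3389,
     "data": "Remote Desktop Protocol\nDNS_Computer_Name: WIN-TEMPLATE02"},
    {"ip_str": "198.51.100.8", "port": 3389,
     "data": "Remote Desktop Protocol\nDNS_Computer_Name: WIN-TEMPLATE02"},
    {"ip_str": "192.0.2.9", "port": 3389,
     "data": "Remote Desktop Protocol\nDNS_Computer_Name: CORP-DC01.corp.example"},
    # Two identically named hosts inside one /24: a build farm, not a template signal.
    {"ip_str": "192.0.2.20", "port": 3389,
     "data": "Remote Desktop Protocol\nDNS_Computer_Name: BUILD-AGENT"},
    {"ip_str": "192.0.2.21", "port": 3389,
     "data": "Remote Desktop Protocol\nDNS_Computer_Name: BUILD-AGENT"},
    # Banner without any NTLM computer-name field.
    {"ip_str": "203.0.113.50", "port": 22, "data": "SSH-2.0-OpenSSH_9.2"},
]

# NTLM challenge fields as they appear line by line in RDP/SMB banners.
_NAME_RE = re.compile(r"^(DNS_Computer_Name|NetBIOS_Computer_Name):\s*(\S+)", re.M)
_NAME_FIELDS = ("DNS_Computer_Name", "NetBIOS_Computer_Name")


def extract_hostname(record):
    """Return the normalised computer name from a banner, or None if absent.

    The DNS name is preferred; only its first label is kept so that
    'win-template01.localdomain' and 'WIN-TEMPLATE01' cluster together.
    """
    fields = dict(_NAME_RE.findall(record.get("data", "")))
    for field in _NAME_FIELDS:
        if field in fields:
            return fields[field].split(".")[0].upper()
    return None


def cluster_by_hostname(records, min_size=2):
    """Map each hostname seen on at least min_size distinct IPs to those IPs."""
    groups = defaultdict(set)
    for rec in records:
        name = extract_hostname(rec)
        if name:
            groups[name].add(rec["ip_str"])
    return {name: sorted(ips) for name, ips in groups.items() if len(ips) >= min_size}


def network_spread(ips, prefixlen=24):
    """Number of distinct /prefixlen networks the IPs fall into."""
    return len({ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})


def template_like_clusters(records, min_size=2, min_networks=2):
    """Hostname clusters that recur across at least min_networks unrelated /24s."""
    return {name: ips for name, ips in cluster_by_hostname(records, min_size).items()
            if network_spread(ips) >= min_networks}


def template_share(records, **kwargs):
    """Fraction of named hosts whose hostname belongs to a template-like cluster."""
    flagged = template_like_clusters(records, **kwargs)
    named = [extract_hostname(r) for r in records if extract_hostname(r)]
    if not named:
        return 0.0
    return sum(1 for name in named if name in flagged) / len(named)


if __name__ == "__main__":
    for name, ips in template_like_clusters(SAMPLE_RECORDS).items():
        print(f"{name}: {len(ips)} hosts across {network_spread(ips)} /24s -> {', '.join(ips)}")
    print(f"share of named hosts on template-like names: {template_share(SAMPLE_RECORDS):.0%}")
```

The threshold values are deliberately low so the constructed sample trips them; against a real export you would raise `min_size` well above two and treat the flagged names as a pivot for further enrichment (ASN, hosting provider, co-located malware), not as a verdict on any single host.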
Sophos says the servers are linked to major malicious operations, including LockBit, Conti, BlackCat (ALPHV), Qilin, TrickBot, Ursnif, RedLine, NetSupport and many others. It also said most of the infrastructure was tied to specific hosting companies, and singled out two names: Stark Industries Solutions and First Server Limited.
Both are apparently linked to Russian state-sponsored threat actors and have been sanctioned by the EU and UK in the past.
Sead Fadilpašić is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also held several modules on content writing for Represent Communications.