SophosLabs’ investigation into the WantToCry ransomware cases pulled back a curtain on a far more subtle problem than a single gang reusing servers: legitimate virtualization tooling and prebuilt VM images are creating identical, internet-facing fingerprints that cybercriminals and state-aligned operators can — and do — exploit at scale, blurring the line between legitimate hosting and bulletproof criminal infrastructure.
Overview
Sophos’ Counter Threat Unit (CTU) traced multiple WantToCry ransomware incidents to virtual machines whose NetBIOS hostnames matched static values embedded in ISPsystem VMmanager templates. Two specific hostnames — WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO — repeatedly appeared in ransomware and malware campaigns across years, and the same strings were later discovered on thousands of internet-exposed hosts by internet scanning platforms. Those findings suggest a widespread operational pattern: hosting providers deploy preconfigured Windows images from a VM template repository, producing large numbers of VMs all presenting identical host identifiers and certificates — an attractive, low-cost surface for criminals to rent, abuse, and hide their activity among legitimate customers.
This article explains the technical mechanics of the problem, examines the actors and hosting dynamics Sophos identified, analyzes the defensive and policy implications for administrators and hosting providers, and provides a tactical roadmap for detection, mitigation, and policy change.
Background: how VM templates became shared fingerprints
The VMmanager image problem in plain terms
Virtualization control panels such as ISPsystem VMmanager simplify hosting operations by providing ready-made OS images (templates) and scripted deployment flows. Sophos’ CTU discovered that many of the Windows templates distributed in VMmanager’s public repository contained hard-coded hostnames, certificate subjects, and system identifiers that are not randomized at provisioning. When a customer deploys a Windows VM from one of these templates under default conditions, the guest ends up reporting a static NetBIOS name (for example, WIN-J9D866ESIJ2), creating thousands of machines that appear to share the same identity from the network perspective. CTU validated this by provisioning test VMs and reproducing the behavior.
Why identical hostnames matter to defenders and investigators
- False-positive linkage: Shared hostnames and certificate subjects can make unrelated incidents look connected, misleading threat investigators into over-attributing activity to one actor.
- Operational camouflage: Cybercriminals renting VMs from abuse-tolerant providers inherit the “cover” of thousands of legitimate-looking VMs that exhibit similar service fingerprints (RDP exposed, same hostnames), reducing the risk that one bad VM stands out uniquely in scans.
- Scalability for abuse: Because VM templates are inexpensive and easy to deploy, malicious operators can spin up large fleets quickly for payload staging, RDP-enabled access, or C2 infrastructure.
The scale of the phenomenon
Shodan scans and concentration
Sophos’ CTU and third-party scans (Shodan) revealed huge counts of internet-exposed hosts advertising the same static names. As of a December 19, 2025 snapshot reported by CTU, there were:
- 3,645 live hosts reporting WIN-J9D866ESIJ2 (predominantly Russia).
- 7,937 live hosts reporting WIN-LIVFRVQFMKO, including some in Iran, Russia, CIS, Europe, and the U.S.
Top hostnames and OS variants
The CTU mapped dozens of template-derived hostnames. The four most prevalent hostnames (including the two Sophos highlighted strings) accounted for over 95% of internet-exposed ISPsystem VMs observed. The most common templates were KMS-enabled Windows Server variants — a practical choice for criminals because they run without individual activation for a 180‑day grace period. This combination of cheap licensing circumvention, turnkey image deployment and low-cost hosting contributes directly to the scale of abuse.
Where abuse and legitimate hosting intersect
Bulletproof hosting, marketplaces, and RDP shops
CTU researchers found that many ISPsystem-derived VMs are advertised or resold through underground services and bulletproof hosting (BPH) providers. These services explicitly tolerate illegal activity — ransomware C2, phishing, malware staging — and often supply RDP credentials for a fee. Advertising for such services surfaced alongside datasets of ISPsystem hostnames, and brands like MasterRDP / rdp.monster were shown to operate on infrastructure built from these templates. The result: an entire rental ecosystem for disposable, template-derived VMs that combine low cost with abuse resilience.
Hosting provider risk profile
A small number of hosting providers accounted for the majority of observed ISPsystem hostnames. Sophos CTU and other researchers reported that at least two providers with high counts, notably Stark Industries Solutions Ltd and First Server Limited, were linked by regulatory or third-party reporting to state-aligned activity, disinformation campaigns, or sanctioned networks. In May 2025 the European Council issued restrictive measures targeting Stark Industries Solutions Ltd for enabling state-aligned operations, and UK sanctions targeted entities connected to First Server Limited’s associated campaigns. The concentration of these static-hostname VMs inside a small set of providers increases the risk that abuse will cluster and survive takedown attempts.
Technical evidence: how CTU validated the template-origin hypothesis
Sophos CTU used a three-pronged validation:
- Customer incident telemetry: Multiple WantToCry incidents contained the same static NetBIOS hostnames and identical, self-signed certificate subjects. Those hostnames had an ongoing presence in Sophos detection telemetry.
- Controlled provisioning: CTU ordered a virtual server from a provider known to use VMmanager and deployed a Windows VM from the control panel. The test VM booted with the static hostname WIN-J9D866ESIJ2, matching the internet-observed pattern.
- Template analysis: CTU unpacked the VMmanager public repository and inspected the Windows Server and desktop templates (Windows Server 2012 R2 through Windows Server 2025, plus Windows 10/11 variants). The images and deployment scripts contained embedded hostnames and identifiers that were not randomized during provisioning. That embedded-data design defect is the technical root cause.
Attribution caveats and why “one actor” is the wrong headline
It would be tempting — and sensational — to assert that every mention of a static hostname represents the same criminal group reusing servers across multiple campaigns. That conclusion is not supported by the CTU’s analysis. The more probable explanation is architectural: thousands of VMs were deployed from the same templates by multiple customers (legitimate and malicious) and by BPH operators who then rented access to third parties. This explains how the same hostname can appear across unrelated campaigns (LockBit, Conti-era chatter, Ursnif campaigns, FortiClient EMS exploit chains) without requiring a single actor to own them all. Careful attribution therefore demands additional telemetry — IP ownership, login artifacts, containerized payloads, and unique toolsets — beyond a matching NetBIOS name. Sophos explicitly cautioned against over-attribution and demonstrated how template reuse can produce deceptive linkage.
Notable incident links found in telemetry
- The two Sophos-flagged hostnames were observed in multiple malware campaigns: WantToCry, LockBit, Qilin, BlackCat (ALPHV), and NetSupport RAT.
- Historical chat logs from February 2022 (the “ContiLeaks”) showed a user identified as “Bentley” (linked to Maksim Galochkin, later sanctioned) logging in from a device named WIN-LIVFRVQFMKO to private Jabber chats tied to Conti/TrickBot clusters — a high-profile datapoint that pre-dates the CTU’s template analysis. While this link is real, it does not prove continuous control of the hostname by a single operator.
- Independent researchers tied the same hostname to an Ursnif campaign (2023) and to exploitation of a FortiClient EMS vulnerability (reported by Kaspersky in 2024). Again, those incidents are compatible with the template-reuse model.
Risks and practical implications for defenders
Why this matters for enterprise security
- Investigation friction: Incident responders who rely on superficial artifact matching (hostname, certificate subject) will over-link incidents, waste investigative cycles, and may misattribute victims or attackers.
- Hijacked infrastructure: RDP-exposed VMs provisioned from these templates are a low-cost, high-reward target for credential stuffing, brute-force, and initial-access operations. Hosting providers with lax abuse response become de facto infrastructure suppliers for ransomware groups.
- Supply-chain hazard in hosting: Organizations that accept externally-provided VM images or import marketplace OS images into internal catalogs risk inheriting badly configured images with static artifacts, backdoors, or misconfigurations. Similar supply-chain risks have been observed in other virtualization stacks and orchestration tooling.
Attack surface to watch
- Internet-facing RDP (TCP/3389) servers that report template hostnames.
- Self-signed or reused certificate subjects presented by VMs.
- Hosting providers that appear in multiple abuse telemetry feeds or that resist takedown requests.
- Underground marketplaces advertising VPS / RDP services with template hostnames or explicit bulletproof claims.
Detection and mitigation playbook
Below are concrete, prioritized steps security teams, hosting providers, and registrars can take. These are practical, tactical, and operational.
For enterprise defenders and MSSPs
- Inventory and identify:
  - Query internal and external asset inventories for NetBIOS hostnames that match known ISPsystem template strings (for example, WIN-J9D866ESIJ2, WIN-LIVFRVQFMKO). Prioritize internet-exposed assets.
- Harden and block:
  - Block inbound RDP at the perimeter for non-essential hosts. Use VPN- or jump-host-based access with MFA for any remote desktop access.
- Hunting and telemetry:
  - Hunt for lateral movement originating from hosts with template hostnames, unusual outbound traffic to known BPH infrastructure, or RDP sessions initiated from unexpected geolocations. Leverage EDR to capture process and network telemetry.
- Containment checklist:
  - If a suspicious template-named host is found inside your estate, isolate it, collect volatile artifacts (memory, session logs), and treat it as compromised until proven otherwise.
- Image hygiene:
  - Do not import unverified marketplace or vendor images into production. Rebuild golden images from known-good sources, and sanitize templates to ensure hostnames and cert subjects are randomized at provisioning.
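The inventory step above, worked as an added example (not Sophos tooling): it takes scan-style records, flags the two template hostnames the report names, ranks internet-exposed RDP first, and carries the scan timestamp through so a finding is reported with its snapshot date. The records, IPs and organisation names are constructed; only the two hostnames come from the report.

```python
"""Triage helper: flag template-derived hostnames in scan/inventory data."""
import json
from datetime import datetime

# Hostnames the Sophos report identifies as VMmanager template artifacts.
TEMPLATE_HOSTNAMES = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}

# Constructed sample records (not real scan data). The fields mirror what
# Shodan/Censys-style output and an internal inventory usually expose.
SAMPLE_SCAN = [
    {"ip": "198.51.100.10", "port": 3389, "hostname": "WIN-J9D866ESIJ2",
     "cert_subject": "CN=WIN-J9D866ESIJ2", "org": "ExampleHost-A",
     "scanned_at": "2025-12-19T08:00:00Z", "exposure": "internet"},
    {"ip": "10.20.30.40", "port": 3389, "hostname": "WIN-LIVFRVQFMKO",
     "cert_subject": "CN=WIN-LIVFRVQFMKO", "org": "internal",
     "scanned_at": "2025-12-19T08:05:00Z", "exposure": "internal"},
    {"ip": "198.51.100.11", "port": 443, "hostname": "WIN-LIVFRVQFMKO",
     "cert_subject": "CN=WIN-LIVFRVQFMKO", "org": "ExampleHost-A",
     "scanned_at": "2025-12-19T08:10:00Z", "exposure": "internet"},
    {"ip": "203.0.113.5", "port": 3389, "hostname": "SRV-FINANCE01",
     "cert_subject": "CN=srv-finance01.corp.example", "org": "internal",
     "scanned_at": "2025-12-19T08:15:00Z", "exposure": "internet"},
]

def priority(rec):
    """Tier 1: template hostname with RDP on the internet. Tier 2: template
    hostname exposed on another port. Tier 3: template hostname seen only
    internally (image provenance problem). None: not a template hostname."""
    if rec.get("hostname", "").upper() not in TEMPLATE_HOSTNAMES:
        return None
    if rec["exposure"] == "internet" and rec["port"] == 3389:
        return (1, "template hostname, RDP exposed to internet")
    if rec["exposure"] == "internet":
        return (2, f"template hostname, port {rec['port']} exposed")
    return (3, "template hostname on internal asset: rebuild/verify image")

def triage(records):
    """Rank matching records; keep the cert subject (reused across the
    fleet) and the scan timestamp so the finding is dated, not timeless."""
    out = []
    for rec in records:
        p = priority(rec)
        if p:
            out.append({"tier": p[0], "ip": rec["ip"], "hostname": rec["hostname"],
                        "cert_subject": rec["cert_subject"], "reason": p[1],
                        "scanned_at": rec["scanned_at"], "org": rec["org"]})
    return sorted(out, key=lambda r: (r["tier"], r["ip"]))

def age_hours(rec, now_iso):
    """Hours between the scan and `now_iso`; counts go stale quickly."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (parse(now_iso) - parse(rec["scanned_at"])).total_seconds() / 3600

if __name__ == "__main__":
    for r in triage(SAMPLE_SCAN):
        print(json.dumps(r))
```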
For hosting providers and platforms (VMmanager users)
- Audit template repositories to remove or parameterize hard-coded hostnames, certificates, and identifiers. Ensure the provisioning workflow generates unique hostnames and rotates self-signed cert subjects.
- Implement abuse-resilient customer verification, accelerate abuse report handling, and publish transparency reports about takedown actions. Providers that advertise BPH or tolerate repeated abuse should be subject to stronger enforcement and, where applicable, third-party sanctions.
- Harden control panels: require customers to supply unique hostnames at deployment, and default to randomized machine identifiers if none are provided. Validate that deployment scripts do not leak static identifiers.
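An added example of the control-panel hardening described above (not VMmanager code): hostnames default to a per-VM random value, customer-supplied names are validated and refused if they match a known static template string, and a lint rejects deployment fragments that hard-code a computer name or certificate subject. It assumes the template carries an unattend-style `<ComputerName>` element (an assumption about the format); the fragments are constructed.

```python
"""Provisioning hygiene: unique hostnames by default, lint for static IDs."""
import re
import secrets
import string

# Static hostnames the Sophos report ties to VMmanager templates.
KNOWN_STATIC = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}
# NetBIOS: 1-15 characters; keep to letters, digits and hyphen.
NETBIOS_OK = re.compile(r"^[A-Z0-9][A-Z0-9-]{0,14}$")
ALPHABET = string.ascii_uppercase + string.digits

def random_hostname():
    """WIN-<11 random chars>: the shape of a Windows-generated name, 15
    characters total, drawn from a CSPRNG for every VM."""
    while True:
        name = "WIN-" + "".join(secrets.choice(ALPHABET) for _ in range(11))
        if name not in KNOWN_STATIC:
            return name

def choose_hostname(requested):
    """Use the customer's name if valid and not a known template artifact;
    otherwise fall back to a randomized one instead of a template default."""
    if requested and requested.strip():
        name = requested.strip().upper()
        if not NETBIOS_OK.match(name):
            raise ValueError(f"invalid NetBIOS name: {requested!r}")
        if name in KNOWN_STATIC:
            raise ValueError(f"{name} is a known static template hostname")
        return name
    return random_hostname()

def lint_template(text):
    """Flag hard-coded identifiers in a deployment fragment. In unattend
    XML, '*' means 'generate a name'; any other literal is static."""
    findings = []
    for m in re.finditer(r"<ComputerName>([^<]*)</ComputerName>", text):
        if m.group(1).strip() != "*":
            findings.append(f"hard-coded ComputerName {m.group(1)!r}")
    for m in re.finditer(r"CN=([A-Za-z0-9-]+)", text):
        if m.group(1).upper() in KNOWN_STATIC:
            findings.append(f"certificate subject reuses static name {m.group(1)}")
    for name in KNOWN_STATIC:  # catch the string anywhere else in the script
        if name in text.upper() and not any(name in f for f in findings):
            findings.append(f"static identifier {name} present in template")
    return findings

# Constructed fragments: one that would ship a fleet-wide identity, one that
# lets Windows generate the name at first boot.
BAD_FRAGMENT = ('<ComputerName>WIN-J9D866ESIJ2</ComputerName>\n'
                'makecert -n "CN=WIN-J9D866ESIJ2" -r rdp.cer')
GOOD_FRAGMENT = "<ComputerName>*</ComputerName>"
```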
For CERTs, law enforcement, and policy makers
- Encourage hosting marketplaces and control-panel vendors to make template hygiene a compliance requirement in hosting standards. Where providers are publicly linked to state-aligned abuses or sanctioned activities, publish clear indicators and remediation guidance.
- Support investigations with scan-derived telemetry (Shodan, Censys) to triage and prioritize takedown targets without conflating template reuse with single-actor identity. Use ownership, account logins, and cross-checked blacklists to narrow investigative focus.
Strengths and weaknesses of Sophos’ findings
Strengths
- Empirical validation: CTU didn’t stop at correlation — they provisioned test VMs and inspected template code, establishing a clear causal link between template content and observed network fingerprints. That controlled test is strong evidence for the template-reuse hypothesis.
- Operational context: Sophos mapped incidents across years and malware families, showing that the template-hostname phenomenon intersects many threat clusters — not just a one-off campaign. This breadth makes the issue a systemic risk rather than an isolated operational hygiene problem.
Caveats and limitations
- Attribution ambiguity: Hostname reuse does not equal actor continuity. Sophos correctly cautions against simplistic attribution based on shared NetBIOS names alone. Robust attribution requires account-level logins, unique malware toolset fingerprints, or financial trail analysis.
- Dynamic exposure: The counts reported (e.g., thousands of hosts) were accurate for the snapshot date (December 19, 2025). The internet’s exposed surface changes quickly; defenders and researchers must treat those numbers as transient and re-scan for current context. Where possible, include scan timestamps in reporting and triage.
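The attribution caveat above, worked as an added example (not Sophos tooling): incidents are clustered once on hostname and certificate subject, and once on signals a template cannot mass-produce (control-plane account, login source, tool hash). On the constructed data, hostname matching both over-links unrelated incidents and misses a real link between two differently named VMs. Incident IDs, accounts, IPs and hashes are invented; only the two hostnames come from the report.

```python
"""Incident linkage that treats template hostnames as low-fidelity signals."""
from collections import defaultdict

# Shared by thousands of VMs per the report, so excluded from linkage.
TEMPLATE_HOSTNAMES = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}
# Signals that do justify linking two incidents.
HIGH_FIDELITY = ("control_plane_account", "login_src_ip", "tool_sha256")

# Constructed incident records (not real telemetry).
INCIDENTS = [
    {"id": "INC-1", "hostname": "WIN-J9D866ESIJ2", "cert_subject": "CN=WIN-J9D866ESIJ2",
     "control_plane_account": "acct-7731", "login_src_ip": "203.0.113.9",
     "tool_sha256": "aaaa0001"},
    {"id": "INC-2", "hostname": "WIN-J9D866ESIJ2", "cert_subject": "CN=WIN-J9D866ESIJ2",
     "control_plane_account": "acct-7731", "login_src_ip": "203.0.113.9",
     "tool_sha256": "aaaa0002"},
    {"id": "INC-3", "hostname": "WIN-J9D866ESIJ2", "cert_subject": "CN=WIN-J9D866ESIJ2",
     "control_plane_account": "acct-0042", "login_src_ip": "198.51.100.77",
     "tool_sha256": "bbbb0001"},
    {"id": "INC-4", "hostname": "WIN-LIVFRVQFMKO", "cert_subject": "CN=WIN-LIVFRVQFMKO",
     "control_plane_account": "acct-0042", "login_src_ip": "198.51.100.78",
     "tool_sha256": "bbbb0001"},
]

def cluster(incidents, fields):
    """Union-find: incidents sharing any value in `fields` join one cluster.
    Returns sorted lists of incident IDs."""
    parent = {i["id"]: i["id"] for i in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen = {}
    for inc in incidents:
        for f in fields:
            if inc.get(f) is None:
                continue
            key = (f, inc[f])
            if key in first_seen:
                parent[find(inc["id"])] = find(first_seen[key])
            else:
                first_seen[key] = inc["id"]
    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc["id"])
    return sorted(sorted(g) for g in groups.values())

def naive_clusters(incidents):
    """What hostname/certificate matching alone produces."""
    return cluster(incidents, ("hostname", "cert_subject"))

def evidence_clusters(incidents):
    """Linkage restricted to high-fidelity signals."""
    return cluster(incidents, HIGH_FIDELITY)

def template_artifact(inc):
    """True when the incident's hostname is a known template value."""
    return inc.get("hostname", "").upper() in TEMPLATE_HOSTNAMES
```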
Longer-term recommendations and policy angles
- Host platform vendors (including ISPsystem and others) should adopt a “secure-by-default” posture for images: unique hostnames, ephemeral self-signed certs or no certs, and mandatory customer-supplied identifiers upon provisioning.
- Industry-standard marketplaces and image repositories should publish provenance metadata for each image, including builder, date, and a cryptographic hash. Buyers and hosting panels can then verify and refuse images that lack provenance.
- Regulators and sanction authorities should continue to focus on abuse-tolerant providers that facilitate large-scale criminal infrastructure; transparency reports and joint takedown processes are useful tools. At the same time, care must be taken to avoid over-broad enforcement that punishes legitimate providers using the same control panels.
Quick wins for sysadmins (30–90 day checklist)
- Run enterprise-wide scans for known ISPsystem template hostnames and isolate any internet-exposed instances.
- Enforce RDP access via jump hosts and MFA; block direct RDP at perimeter for non-essential assets.
- Rebuild any VM created from untrusted marketplace images; ensure new golden images are patched and randomized.
- Harden VM provisioning pipelines: parameterize hostnames, remove embedded secrets, and ensure certificates are provisioned per-customer.
- Share indicators (without over-attribution) with sector ISACs and upstream hosting partners to coordinate takedown of clearly malicious accounts.
Final analysis — balancing platform convenience and operational risk
The Sophos CTU investigation illuminates a fundamental tension in modern hosting: convenience and automation are crucial to scale, but when templates and automation embed static identifiers, they enable a scale of abuse that undermines both security and attribution. The discovery that thousands of internet-facing VMs present identical NetBIOS names — and that those VMs are associated with ransomware, info-stealing campaigns, and bulletproof hosting marketplaces — is a wake-up call for hosting platforms, enterprise defenders, and policy makers.
For defenders, the practical takeaway is simple: treat template-derived artifacts as low-fidelity linkage signals, not conclusive evidence of actor identity; hunt where the telemetry is richest (login records, unique malware artifacts, control-plane account ownership); and harden provisioning pipelines to eliminate deterministic identifiers. For hosting vendors and platform vendors, the lesson is also clear: secure defaults and randomized provisioning are not optional conveniences — they are essential controls that reduce your platform’s attractiveness to criminals and decrease your legal and reputational risk.
Sophos’ work demonstrates that solving modern cybercrime requires combining forensic telemetry, active testing, and systems-level fixes in the tools vendors ship. Until image hygiene becomes universal, expect template-derived hostnames and certificates to remain a recurring source of noise for defenders — and, unfortunately, a recurring convenience for criminals.
Conclusion: criminal use of virtual machine infrastructure is not caused by a single poor decision; it is the emergent property of legitimate convenience (prebuilt images, KMS-enabled templates), low-cost hosting, and an underground market willing to monetize abuse-tolerant infrastructure. Fixing it will require coordinated action across vendors, hosting providers, incident responders, and policy-makers — and an immediate operational focus on inventory, image hygiene, and RDP hardening at the enterprise level.
Source: Sophos Malicious use of virtual machine infrastructure