
Western Europe is a hotbed for cybercriminals’ servers

Attackers using the WantToCry ransomware appear, at first glance, to be operating from only two computers. Nothing could be further from the truth: research shows that the VMmanager tool is used for hosting not only by legitimate suppliers, but also by cyber attackers. Several cybercriminal groups are using this form of camouflage, according to Sophos’ Counter Threat Unit Research Team.

The two hostnames, WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, appear to be quite common. Sophos researchers discovered that they occur most frequently in Russia, followed by the Netherlands and Germany. The providers are “bulletproof,” meaning they ignore claims of illegal activity on their servers and do not ask their users about the purposes of their IT infrastructure. One of the most popular is Zomro, a company that appears to have a branch in the Dutch town of Enschede but only provides customer contact in English or Ukrainian on its own website. Stark Industries Solutions Limited is another notorious cloud player. It was founded two weeks before Russia invaded Ukraine in February 2022. Sophos points out that First Server Limited also has links to Russian state hackers.

According to Aiden Sinnott, Principal Threat Researcher at Sophos, cybercriminals are opting for European hosting hubs in countries where their activity is seemingly no more conspicuous than anywhere else. Sinnott argues that the Netherlands and Germany, home to the major internet exchanges AMS-IX and DE-CIX respectively, are hotbeds for criminal activity precisely because they are important internet hubs.

Free trial

The two most popular hostnames for online Windows systems use a version of the OS that can run free for 180 days. According to Sophos, they use VMmanager, a management tool from the legitimate ISPsystem. Four hostnames, including the two from WantToCry, account for 95 percent of all ISPsystem VMs. Sophos observed activity from several notorious cybercriminal groups, such as LockBit, Conti, Qilin, WantToCry, and BlackCat/ALPHV. It should be noted that these collectives overlap, so it is no surprise that the methodology is similar.

It stands to reason that the hackers themselves only use the hosting providers indirectly. Even though they are bulletproof, it remains convenient for cybercriminals to hide behind multiple intermediaries. In this case, MasterRDP, also known as rdp.monster, acts as the provider. The VMs offered on dark web forums appear to be controlled directly by this party. However, Sophos believes that MasterRDP probably leases the ISPsystem VMs for its own purposes.

Do not trust legitimate tools

Cybercriminals logically resort to any means that can help them, so it should come as no surprise that they use legitimate tools. For tools that are particularly popular in cyberattacks, however, this becomes a problem for the attackers: blocking that infrastructure is an obvious step for IT administrators, even under otherwise liberal policies regarding external internet connections.

For cyber defenders, the large-scale use of the same hostnames is a small advantage. A connection from these four specific hostnames does not necessarily indicate suspicious activity, but it correlates strongly with the most notorious and successful cybercriminal collectives. A log containing one of these hostnames could therefore be an indication of a compromise.
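The kind of log check described above, written out as an added example (not code from the article or from Sophos). It scans a constructed export of Windows logon events in a hypothetical pipe-separated layout for the two hostnames the article names, and groups the matches by source address so a responder can see whether a single address keeps showing up. The other two of the four hostnames are not named in the article and are therefore not included.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hostnames named in the Sophos/CTU research (the two tied to WantToCry).
SUSPECT_WORKSTATION_NAMES = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}

# Constructed sample lines in a hypothetical simplified export format:
# timestamp | event id | account | workstation name | source ip
SAMPLE_LOG = """\
2024-05-01T02:13:44Z|4624|CORP\\jsmith|LAPTOP-0042|10.0.4.21
2024-05-01T02:14:09Z|4625|CORP\\admin|win-j9d866esij2|203.0.113.7
2024-05-01T02:14:11Z|4624|CORP\\admin|WIN-J9D866ESIJ2|203.0.113.7
2024-05-01T03:01:58Z|4624|CORP\\svc_backup|WIN-LIVFRVQFMKO|198.51.100.9
2024-05-01T03:05:00Z|4624|CORP\\mlee|DESKTOP-7HQ2|10.0.4.88
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    event_id: str
    account: str
    workstation: str
    source_ip: str


def find_suspect_logons(log_text: str) -> list[Hit]:
    """Return every event whose workstation name matches a suspect hostname.

    Matching is case-insensitive because event sources do not report
    workstation names with consistent casing.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing the whole scan
        ts, event_id, account, workstation, source_ip = fields
        if workstation.upper() in SUSPECT_WORKSTATION_NAMES:
            hits.append(Hit(ts, event_id, account, workstation.upper(), source_ip))
    return hits


def summarize_by_source(hits: list[Hit]) -> dict[str, int]:
    """Count matches per source IP; repeated hits from one address are the
    lead a responder pivots on, since a single match is only a correlation."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.source_ip] = counts.get(h.source_ip, 0) + 1
    return counts
```

Run against a real export, a match is a reason to pull the full session for that source address, not proof of compromise on its own.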
