Your next work computer could be a cybercriminal’s playground

If you’re logging into a Windows server today, there’s a chance it’s sharing a name with machines used in some of the biggest ransomware attacks of the last five years.
SophosLabs analysts traced several WantToCry ransomware incidents in late 2025 to virtual machines that had been provisioned with default hostnames such as WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO. These names aren't random: they come from standard Windows Server templates provisioned through ISPsystem, a legitimate IT infrastructure platform.
That means the same virtual machine names you might see in a corporate environment or small hosting setup have also been spotted in LockBit, Qilin, BlackCat (ALPHV) ransomware attacks, and NetSupport RAT deployments.
The connections go deep: a user named “Bentley” (later identified as Maksim Galochkin and sanctioned by the U.S. and UK) once used WIN-LIVFRVQFMKO to log into private chats with members of Conti and TrickBot ransomware groups. The same hostname showed up in a 2023 Ursnif campaign in Italy and in a 2024 FortiClient EMS exploit reported by Kaspersky.
It’s easy to assume each hostname belongs to a single attacker, but Shodan scans from December 2025 reveal thousands of internet-facing devices with these same names: 3,645 hosts for WIN-J9D866ESIJ2 and 7,937 for WIN-LIVFRVQFMKO, mostly in Russia, with others in the CIS, Europe, the U.S., and a few in Iran. On its own, then, one of these hostnames is not evidence that two intrusions share an operator.
Most of these machines are hosted by providers like Stark Industries Solutions Ltd, Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT. Stark Industries Solutions Ltd and First Server Limited have links to Russian state-sponsored operations and sanctioned cybercriminal campaigns, but the rest are legitimate hosting services.
Researchers confirmed that these repeated hostnames come from prebuilt Windows Server images in ISPsystem VMmanager, which assigns the same hostname and certificate to each deployment.
That means unrelated cybercriminals, or even ordinary users, can end up with identical hostnames. Counter Threat Unit (CTU) researchers reproduced this themselves by deploying a VM on play2go.cloud, which came up as WIN-J9D866ESIJ2 without any input on their part.
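A small hunting helper, added here as an example and not code from the article or from the CTU researchers, that puts both of the points above to work: it flags logon events whose source workstation carries one of the two template hostnames while tagging the match as low confidence (the Shodan counts show why), and it groups scan observations by certificate fingerprint, since the same certificate showing up across many IP addresses is the mark of a cloned image rather than a shared operator. All log lines, IP addresses and fingerprints below are constructed; only the two hostnames come from the article.

```python
"""Hunt for template-reused Windows hostnames and cloned certificates.

Added example, not code from the article or from Sophos/CTU. Every log
line, IP address and fingerprint here is constructed for illustration;
the two hostnames are the ones reported in the article.
"""
import re
from collections import defaultdict

# Hostnames the article reports as coming from ISPsystem VMmanager images.
TEMPLATE_HOSTNAMES = {"WIN-J9D866ESIJ2", "WIN-LIVFRVQFMKO"}

# Default-style Windows names: "WIN-" followed by 11 upper-case alphanumerics.
DEFAULT_NAME_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")

# Constructed Security-log lines in a one-line summary form (EventID first,
# then key=value fields). 4624 = successful logon, 4625 = failed logon.
SAMPLE_LOG = """\
4624 LogonType=10 Account=admin WorkstationName=WIN-J9D866ESIJ2 SourceIP=203.0.113.7
4624 LogonType=10 Account=svc_backup WorkstationName=FILESRV01 SourceIP=10.0.0.5
4624 LogonType=3 Account=jdoe WorkstationName=WIN-LIVFRVQFMKO SourceIP=198.51.100.23
4624 LogonType=10 Account=admin WorkstationName=WIN-A1B2C3D4E5F SourceIP=192.0.2.9
4625 LogonType=10 Account=admin WorkstationName=WIN-J9D866ESIJ2 SourceIP=203.0.113.7
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one summary line into a dict; return None for malformed lines."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    event = {"EventID": int(parts[0])}
    event.update(FIELD_RE.findall(parts[1]))
    return event


def classify_workstation(name):
    """Return (label, confidence) for a source workstation name.

    A known template name is deliberately rated low confidence: thousands of
    unrelated hosts share it, so it narrows nothing down by itself.
    """
    if name in TEMPLATE_HOSTNAMES:
        return ("known-template-hostname", "low")
    if DEFAULT_NAME_RE.match(name):
        return ("default-style-hostname", "info")
    return ("named-host", "none")


def hunt(log_text):
    """Flag logon events (4624/4625) coming from template-named workstations."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["EventID"] not in (4624, 4625):
            continue
        label, confidence = classify_workstation(ev.get("WorkstationName", ""))
        if confidence != "none":
            hits.append({**ev, "label": label, "confidence": confidence})
    return hits


# Constructed scan observations: (ip, hostname, certificate fingerprint).
# The fingerprints are placeholders, not real certificate hashes.
SAMPLE_SCAN = [
    ("203.0.113.7",   "WIN-J9D866ESIJ2", "PLACEHOLDER-FP-A"),
    ("198.51.100.23", "WIN-J9D866ESIJ2", "PLACEHOLDER-FP-A"),
    ("192.0.2.9",     "WIN-J9D866ESIJ2", "PLACEHOLDER-FP-A"),
    ("10.0.0.5",      "FILESRV01",       "PLACEHOLDER-FP-B"),
    ("10.0.0.6",      "WIN-LIVFRVQFMKO", "PLACEHOLDER-FP-C"),
]


def shared_certificates(observations, min_hosts=2):
    """Group observations by certificate fingerprint and keep the shared ones.

    One fingerprint on several distinct IPs is what a cloned image looks
    like: the article reports VMmanager ships the same hostname and the
    same certificate with every deployment.
    """
    by_cert = defaultdict(set)
    for ip, hostname, fingerprint in observations:
        by_cert[fingerprint].add((ip, hostname))
    return {
        fp: sorted(hosts)
        for fp, hosts in by_cert.items()
        if len({ip for ip, _ in hosts}) >= min_hosts
    }


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["EventID"], hit["WorkstationName"], hit["label"], hit["confidence"])
    for fp, hosts in shared_certificates(SAMPLE_SCAN).items():
        print(fp, "seen on", len(hosts), "hosts:", hosts)
```

Treat a hit from this helper as a prompt to look at the rest of the session (account, source address, what ran next), not as an attribution on its own. On your own deployments the fix is operational rather than detective: rename a freshly provisioned VM and regenerate its self-signed RDP certificate so the host stops matching the template.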
The same templates are also popular with bulletproof hosting services such as MasterRDP, which openly advertise VPS and RDP access to threat actors for ransomware, malware delivery and data theft campaigns, so the template hostnames keep surfacing in intrusions regardless of who is behind them.
ISPsystem VMmanager itself is legitimate, but its turnkey deployments have become a quiet playground for cybercrime, showing just how small mistakes in automation can expose thousands of machines to abuse.
In short: the software you rely on every day may be doubling as a stage for global cybercrime and that risk is baked in before you even log in.
TBC News
