In recent cybersecurity research, threat analysts discovered a sophisticated tactic being used by ransomware gangs to evade detection and amplify their reach. According to the article Ransomware gang uses ISPsystem VMs for stealthy payload delivery from Bleeping Computer, attackers have begun abusing legitimate virtual machines (VMs) managed by the infrastructure provider ISPsystem to host malicious payloads and conceal their operations.
This attack method presents a stark warning for business owners about the evolving threat landscape and underscores the limitations of traditional security approaches focused on detection and response.
Ransomware operators are increasingly turning to unconventional methods to hide their malicious activity. In this case, attackers used VMs provisioned through ISPsystem’s VMmanager platform to deliver ransomware payloads. These virtual machines, designed for legitimate use by hosting providers, were identified by security researchers because they shared identical system names and identifiers across the infrastructure.
What makes this tactic particularly concerning is that these VMs are hosted on real cloud infrastructure. Instead of relying on easily blocked or flagged command and control (C2) servers, ransomware gangs are blending their malicious activity with seemingly legitimate traffic and services. This makes the delivery of payloads far more difficult for traditional security tools to detect.
Sophos researchers observed that multiple ransomware operations, including well-known families such as LockBit, Qilin, Conti, BlackCat/ALPHV, and even info-stealer campaigns like RedLine, have made use of this strategy.
Routing malicious activity through legitimate infrastructure allows attackers to evade basic pattern-based defenses and bypass perimeter filters that rely on blocklists or external threat intelligence feeds. As a result, organizations can be compromised long before any alert is triggered.
Most security strategies today depend on endpoint detection and response (EDR), network monitoring, and manual threat hunting. These tools are designed to spot malicious behavior, notify defenders, and then rely on human teams to contain and remediate incidents. However, modern ransomware tactics, such as using trusted cloud services for payload delivery, are specifically built to evade detection and make traditional defenses less effective.
Even when detection occurs, response times can lag, allowing attackers to establish persistence, move laterally, or deploy encryption routines before defenders can act. The result is often significant operational disruption, financial loss, and reputational damage.
Given the stealthy nature of these emerging threats, it’s clear that businesses need to rethink their security posture. Instead of waiting to detect an attack and then trying to respond, the emphasis needs to shift toward Isolation and Containment — preventing malicious code from ever executing or spreading in the first place.
This is where AppGuard comes in.
AppGuard is a proven endpoint protection solution with over a decade of real-world success preventing advanced threats. Rather than relying on threat signatures, reputation lists, or behavior patterns, AppGuard applies a principle of application isolation that stops unauthorized execution and lateral movement at the source.
Here are key ways AppGuard helps businesses defend against ransomware tactics like the misuse of ISPsystem VMs:
AppGuard isolates unknown or untrusted code from the operating system before it can run. Even if malicious payloads make it onto a system via trusted-looking infrastructure, they cannot execute in a way that compromises business operations.
Instead of triggering alerts that require manual analysis and response, AppGuard automatically contains activity that falls outside normal application behavior. This blocks ransomware from encrypting files or spreading across the network.
Traditional EDR and antivirus tools wait to see harmful indicators before acting. AppGuard removes this reliance by enforcing strict execution controls, stopping threats before they trigger a detection rule.
With a 10-year history of protecting organizations from zero-day exploits and advanced malware, AppGuard has established a record of preventing breaches that would otherwise have required time-consuming and costly incident response.
Ransomware is no longer a problem that strikes only large enterprises. Small and medium-sized businesses are equally at risk, especially as attackers innovate with stealthy techniques that skirt traditional defenses. The misuse of legitimate VM infrastructures for payload delivery, as highlighted in the Bleeping Computer article, is just one example of how rapidly the threat landscape is evolving.
Business owners cannot afford to wait until an alert fires or an incident has already begun. The stakes are too high, and attackers are too agile.
At CHIPS, we understand that relying on “Detect and Respond” strategies leaves businesses exposed to modern threats. It’s time to move toward Isolation and Containment, stopping ransomware and other advanced attacks before they can take hold.
If you are responsible for protecting your organization’s data and systems, now is the moment to act. Talk with us at CHIPS about how AppGuard can strengthen your security posture and prevent incidents like the one described above. Let us help you implement a proactive strategy that keeps your business safe in a world where threat actors are constantly innovating.
Contact us today to learn more about AppGuard and how isolation and containment can be the cornerstone of your cybersecurity defense.