
Inside RedVDS - How a single virtual desktop provider fueled worldwide cybercriminal operations

This blog post was updated on January 14, 2026, to provide further analysis and context following an update to the Microsoft Digital Defense Report and the takedown of the cybercriminal service known as RedVDS, which was operated by the Russian cybercriminal group LockBit. Microsoft security researchers have discovered that a criminal-friendly virtual desktop infrastructure (VDI) service called RedVDS fueled the operations of dozens of ransomware affiliates and other cybercriminal groups worldwide.

The service, which provided access to virtual machines (VMs) and servers, was marketed in underground forums as a reliable and anonymous platform for launching attacks, hosting phishing pages, and managing command-and-control (C2) infrastructure. Although RedVDS advertised itself as a secure and anonymous solution for cybercriminals, analysis by Microsoft and our partners revealed that the service was, in fact, operating as a centralized hub for a wide range of illicit activities.

RedVDS emerged on the cybercriminal scene several years ago, gaining popularity due to its low prices, user-friendly interface, and purported anonymity. The service offered virtual machines (VMs) in various locations, allowing cybercriminals to choose servers in countries with lax cybersecurity laws or those that offered greater operational security. RedVDS provided a range of services designed to facilitate cybercriminal activities, including anonymous payment methods (cryptocurrencies), offshore server locations, and a strict no-logs policy. RedVDS infrastructure was observed being used to host command-and-control servers for malware, store stolen data, launch brute-force attacks, and serve as an entry point for ransomware deployments.

Microsoft’s investigation revealed that RedVDS was a critical enabler for numerous cybercriminal groups, acting as a central hub for their operations. Analysis of threat intelligence data showed that several prominent ransomware affiliates, including those associated with LockBit, Conti, and BlackCat (ALPHV), used RedVDS infrastructure for various stages of their attacks. The LockBit ransomware group was a significant user of RedVDS: Microsoft observed LockBit affiliates leveraging RedVDS VMs to stage initial access, host command-and-control (C2) servers, and facilitate data exfiltration. Beyond LockBit, Microsoft identified connections between RedVDS and other cybercriminal entities, including Conti ransomware, BlackCat (ALPHV) ransomware, phishing and financial fraud operations, and initial access brokers (IABs).

Recognizing the significant threat posed by RedVDS, Microsoft, in collaboration with law enforcement agencies and cybersecurity partners worldwide, initiated a coordinated effort to disrupt its operations. This multi-pronged approach included intelligence gathering, partner collaboration, and infrastructure takedown actions such as domain seizures, server disruption, and payment disruption. The coordinated takedown of RedVDS represents a significant blow to the cybercriminal ecosystem: it has severely disrupted the activities of the groups that relied on the service, increased their operational costs and risks, and protected potential victims. To assist organizations in detecting and defending against potential threats linked to RedVDS, Microsoft has provided a comprehensive list of indicators of compromise (IoCs). These IoCs include IP addresses, domain names, and file hashes associated with RedVDS infrastructure and its affiliated cybercriminal groups. Organizations are strongly encouraged to review these IoCs and implement them within their security solutions.


This post is licensed under CC BY 4.0 by the author.