Microsoft, along with Health-ISAC and Fortra, the makers of the Cobalt Strike software, have obtained a court order to disrupt the infrastructure used by cybercriminals operating cracked copies of Cobalt Strike and abusing Microsoft software to deploy ransomware.
The move is meant to prevent ransomware groups and state-affiliated actors from being able to use stolen and cracked copies of Cobalt Strike as part of their operations, something that has become commonplace in recent years. Cobalt Strike is a commercial adversary emulation framework that pen testers and other security teams use in legitimate operations, but cybercriminals also favor it, thanks to its full feature set and capabilities. Many ransomware groups use cracked copies of Cobalt Strike as part of their post-exploitation operations, and the actions by Microsoft, Fortra, and the Health-ISAC are designed to cut the links between the cybercriminals and the infected machines.
Cracked software has been a problem in the cybercrime ecosystem for a long time, and Microsoft and other companies have used copyright claims and other legal means to help address it. But cybercrime groups continue to find ways around the hurdles put in their way.
“These illegal copies are referred to as ‘cracked’ and have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive. Microsoft software development kits and APIs are abused as part of the coding of the malware as well as the criminal malware distribution infrastructure to target and mislead victims,” Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit, said.
“The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few.”
Cobalt Strike has become attractive for cybercrime groups for several reasons, including its versatility and ubiquity. It’s often seen in ransomware intrusions, and Microsoft said that its teams have seen cracked copies of Cobalt Strike used by Conti and LockBit ransomware operators, among others.
“Microsoft is also expanding a legal method used successfully to disrupt malware and nation state operations to target the abuse of security tools used by a broad spectrum of cybercriminals. Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics. Today’s action also includes copyright claims against the malicious use of Microsoft and Fortra’s software code, which is altered and abused for harm,” Hogan-Burney said.
The court order from the United States District Court for the Eastern District of New York gave Microsoft and its partners the ability to work with ISPs and hosting providers to seize the infrastructure used by cybercrime groups to communicate with compromised machines. It’s a tactic that Microsoft has used many times in the past to disrupt botnets and other malicious operations, including the takedown of dozens of domains used in phishing attacks by the Phosphorus group in 2019 and about 50 domains used by North Korean threat actors in 2020.
“As we have since 2008, Microsoft’s DCU will continue its efforts to stop the spread of malware by filing civil litigation to protect customers in the large number of countries around the world where these laws are in place,” Hogan-Burney said.