The U.S. District Court for the Eastern District of New York issued a court order on March 31 allowing Microsoft, Fortra and the Health Information Sharing & Analysis Center to remove illegal copies of Cobalt Strike so they can no longer be used by ransomware-as-a-service operations, such as Conti and LockBit.

WHY IT MATTERS

Legacy copies of Fortra's Cobalt Strike, as well as Microsoft software, have been abused by cybercriminals in their efforts to distribute malware, including ransomware, according to Microsoft's Digital Crimes Unit.

But with the court order, the companies will disrupt the cybercriminals' malicious infrastructure by working with relevant internet service providers and computer emergency readiness teams to take it offline and destroy connection to their victims' infected computers.

"Disrupting cracked legacy copies of Cobalt Strike will significantly hinder the monetization of these illegal copies and slow their use in cyberattacks, forcing criminals to re-evaluate and change their tactics," said Amy Hogan-Burney, general manager of DCU, yesterday in her Microsoft blog post.

The "cracked" copies of Cobalt Strike have been used to launch destructive attacks, such as those against the Government of Costa Rica and the Irish Health Service Executive, she noted.

Microsoft software development kits and APIs have also been abused in malware coding and the distribution infrastructure cybercriminals use to target and mislead victims, according to the story.

The investigation for the legal case included detection, analysis, telemetry and reverse engineering, with additional data and insights from a global network of partners, including H-ISAC and Fortra's and Microsoft's threat intelligence teams. 

The partners also collaborated with the FBI's Cyber Division, National Cyber Investigative Joint Task Force and Europol’s European Cybercrime Centre. The investigation uncovered malicious infrastructure in the United States, China and Russia. 

In addition to ransomware gangs, "we have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam and Iran, using cracked copies," Hogan-Burney said.

The case also included copyright claims against the malicious use of Microsoft and Fortra’s software code.

THE LARGER TREND

Attacks using abused copies of Fortra's and Microsoft's products have interrupted critical patient care services and cost hospital systems millions of dollars in recovery and repair.

In 2021, the FBI warned Conti ransomware attacks were targeting U.S. healthcare organizations, gaining access to networks through weaponized malicious email links, attachments or stolen remote-desktop-protocol credentials.

"Conti weaponizes Word documents with embedded Powershell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware," the FBI said.

In February, LockBit reportedly prioritized data exfiltration exploits and launched LockBit Green, using an algorithm based on Conti's source code. 

ON THE RECORD

"The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world," said Hogan-Burney in her post yesterday.

"As we have since 2008, Microsoft’s DCU will continue its efforts to stop the spread of malware by filing civil litigation to protect customers in the large number of countries around the world where these laws are in place."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Darren Mann, Kathryn Kuttler and Dr. Peter Haug will offer more detail during the HIMSS23 session "Improved Patient Care Enabled by Real-Time Interoperable Clinical Decision Support." It is schedule for Thursday, April 20 at 4 p.m. - 5 p.m. CT at the South Building, Level 1, room S105 C.