Microsoft and Fortra Clamp Down on Cobalt Strike Use for Ransomware Attacks
Microsoft and Fortra are using licensing agreements and copyright laws to thwart ransomware attacks, according to a Thursday Microsoft announcement.
Ransomware attackers have been using cracked older copies of Fortra's Cobalt Strike red-team command and control attack simulation software in actual attacks, hitting institutions like hospitals and government agencies. They've also "abused" Microsoft's application programming interfaces (APIs) for these attacks. Microsoft and Fortra are taking a somewhat different legal approach against ransomware perpetrators by not just reacting to the attacks, but also working to remove the use of the cracked and abused software.
"Instead of disrupting the command and control of a malware family, this time, we are working with Fortra to remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals," Microsoft's announcement noted.
Microsoft's and Fortra's efforts, in conjunction with the Health Information Sharing and Analysis Center (Health-ISAC), has led to a legal action, permitting the takedown of the infrastructure that's used by cybercriminals. A legal action was supported by a U.S. District Court late last month.
Here's what that court granted, according to the announcement:
On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure used by criminals to facilitate their attacks. Doing so enables us to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers.
Microsoft, Fortra and Health-ISAC specifically strategized on removing the cracked and compromised software, though, the announcement emphasized.
"Our action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software," it explained.
Software copyright is part of the crackdown strategy, Microsoft stressed.
"Today's action also includes copyright claims against the malicious use of Microsoft and Fortra's software code which are altered and abused for harm," Microsoft added.
Microsoft described Cobalt Strike as "a legitimate and popular post-exploitation tool used for adversary simulation provided by Fortra," and noted that Fortra "practices stringent customer vetting practices" for the users of its software. However, use of the cracked older Cobalt Strike copies appears to be widespread. The announcement included a heatmap showing the distribution, for instance.
On top their copyright legal actions, Microsoft, Fortra and Health-ISAC are "collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol's European Cybercrime Centre (EC3) on this case."
About the Author
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.