In a move that represents a growing offensive against cybercriminals, Microsoft, cybersecurity firm Fortra and Health Information Sharing and Analysis Center have taken action to disrupt ransomware groups that have been observed attacking healthcare organizations in more than 19 countries.
According to Microsoft, the company’s Digital Crimes Unit (DCU), Fortra and Health Information Sharing and Analysis Center (Health-ISAC) are taking both legal and technical action to disrupt the use of abused copies of Cobalt Strike and Microsoft software, which are favorite tools of ransomware groups.
This represents a new way of disrupting cybercrime, with a greater scope and more complex operation that doesn’t just disrupt the command and control infrastructure of malicious actors. Instead, Microsoft and Fortra are working to remove illegal, legacy copies of Cobalt Strike so they can no longer be used for malicious purposes.
Cobalt Strike, a brand owned by Fortra, is a legitimate and popular post-exploitation tool used for simulated attacks. However, older versions of the software have been abused and altered by hacking groups to launch attacks, including ransomware campaigns against the Government of Costa Rica and the Irish Health Service Executive.
Microsoft says the company’s software development kits and APIs are also abused as part of the coding of the malware as well as the criminal malware distribution infrastructure used to target and mislead the victims.
Amy Hogan-Burney, general manager of Microsoft’s DCU, writes in a blog that the ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware families impacting healthcare organizations.
The activity comes after Microsoft, Fortra and Health-ISAC obtained a court order form the U.S. District Court of the Eastern District of New York to disrupt the infrastructure, which includes notifying relevant internet service providers and computer emergency readiness teams to help severe the connection between operators and infected victim computers.
Investigation efforts between the companies included detection, analysis, telemetry and reverse engineering, with additional data and insights from partners to help strengthen the legal case. The actions focused only on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software, Hogan-Burney writes.
The company is also expanding a legal method used to disrupt malware and nation state operations to target the abuse of security tools used by a broad spectrum of hacking groups, which is hoped to significantly hinder the monetization of those tools and slow their use in attacks. This action is designed to force cybercriminals to change their tactics.
To that end, the action also included copyright claims against the malicious use of Microsoft and Fortra’s software code, which are altered for use by malicious actors.
Fortra is also taking steps to prevent the misuse of its software, including more stringent customer vetting, but criminals have historically stolen older versions of security software to create cracked copies to gain backdoor access into victim devices. Some infamous ransomware groups have been observed doing so, including Conti, LockBit and other groups involved in the ransomware-as-a-service model, according to Hogan-Burney.
However, ransomware groups and cybercriminals are notorious for regrouping and adopting new tactics, and they will likely do so again in this case.
“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts,” Hogan-Burney writes. “Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”
