A group of organizations, including Microsoft, has launched a coordinated action to disrupt the use of cracked, legacy copies of the security tool Cobalt Strike, which cybercriminals have abused to deploy ransomware.
Relying on licensing agreements and copyright law, Microsoft, Fortra, and Health-ISAC obtained a court order from the U.S. District Court for the Eastern District of New York authorizing them to take down malicious infrastructure used by cybercriminals. Microsoft's announcement noted that the action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software. It also includes copyright claims against the malicious use of Microsoft's and Fortra's software code, which has been altered and abused to cause harm.
First released in 2012, Cobalt Strike was one of the first penetration testing tools to become widely available. Over the past ten years it has grown increasingly capable, allowing operators to carry out reconnaissance, send phishing emails, and drop additional malware on compromised systems. According to some reports, usage of the tool by threat actors rose 161% between 2019 and 2020. The Conti ransomware gang was so impressed by the tool that it paid a legitimate company $30,000 to acquire a copy without being detected, as reported last year by cybersecurity journalist Brian Krebs.
Severity and impact: Errol Weiss, Chief Security Officer of Health-ISAC, stated that six healthcare organizations in the U.S. that had been victims of ransomware attacks had previously been infected with Cobalt Strike. He highlighted how severe the consequences of a ransomware attack can be, saying: "It can lead to entire electronic health records going offline, meaning hospitals can no longer accept patients, and have to divert them elsewhere." In October, the Department of Health and Human Services reported an increase in Cobalt Strike infections and warned healthcare organizations that it is not only ransomware operators using the tool but nation-state threat actors as well. Microsoft identified government-backed groups from Russia, China, Vietnam and Iran as using stolen or unlicensed copies of Cobalt Strike.
The big picture: While the efforts of Microsoft and Fortra are commendable, they are limited to disrupting malicious infrastructure and removing cracked and compromised software. They cannot prevent ransomware attacks outright, but they can raise attackers' costs and reduce the impact of those attacks. The collaboration among Microsoft, Fortra, and Health-ISAC, together with federal agencies, is a positive step toward tackling the ransomware menace.