
Microsoft, Fortra, and Health-ISAC Take Legal Action Against the Abuse of Cobalt Strike to Combat Ransomware Attacks

Microsoft data showing the worldwide distribution of computers infected with cracked versions of Cobalt Strike malware. Image: Microsoft

A group of companies, including Microsoft, has collaborated to launch a major action to disrupt the use of cracked, legacy copies of the security tool Cobalt Strike, which cybercriminals have abused to deploy ransomware.

Relying on licensing agreements and copyright law, Microsoft, Fortra, and Health-ISAC have been authorized by the U.S. District Court for the Eastern District of New York to take down malicious infrastructure used by cybercriminals. Microsoft’s announcement noted that this action focuses solely on disrupting cracked, legacy copies of Cobalt Strike and compromised Microsoft software. It also includes copyright claims against the malicious use of Microsoft’s and Fortra’s software code, which is altered and abused for harm.

First developed in 2012, Cobalt Strike was one of the first penetration testing tools to become widely available. Over the past ten years, it has become increasingly advanced, allowing users to carry out reconnaissance, send phishing emails, and drop additional malware on infected systems. According to some reports, there was a 161% rise in usage of the tool by threat actors between 2019 and 2020. Conti, a criminal gang, was so impressed by the tool that it paid a legitimate company $30,000 to acquire it without detection, as reported last year by cybersecurity journalist Brian Krebs.

Severity and impact: Errol Weiss, the Chief Security Officer of Health-ISAC, stated that six healthcare organizations in the U.S. that had been victims of ransomware attacks had previously been infected with Cobalt Strike. He highlighted the severity of the harm that ransomware attacks can cause, saying: “It can lead to entire electronic health records going offline, meaning hospitals can no longer accept patients, and have to divert them elsewhere.” In October, the Department of Health and Human Services reported an increase in Cobalt Strike infections and warned healthcare organizations, stating that it is not only ransomware hackers utilizing the tool but nation-state threat actors as well. Microsoft identified government-backed groups from Russia, China, Vietnam and Iran as using stolen or unlicensed copies of Cobalt Strike.

The big picture: While Microsoft’s and Fortra’s efforts are commendable, they are limited to disrupting malicious infrastructure and removing cracked and compromised software. They cannot completely prevent ransomware attacks, but they can help reduce the impact of these attacks. The collaboration among Microsoft, Fortra, and Health-ISAC, along with federal agencies, is a positive step towards tackling the ransomware menace.

By CircleID Reporter
