Microsoft and a group of cybersecurity firms received help from the courts with the massive takedown Thursday of a notorious hacking tool that had been co-opted by cybercriminals to target hospitals and healthcare systems.
Joining forces with cybersecurity firm Fortra and the Health Information Sharing and Analysis Center (H-ISAC), the firms applied for and received a court order designed to remove bootleg versions of Fortra’s Cobalt Strike software. Last Friday, the U.S. District Court for the Eastern District of New York awarded the court order to the organizations, enabling them to seize domain names where malicious actors were storing the “cracked” versions of the software.
For years, a malicious version of the tool — initially designed to enable companies to check their cyber defenses — has been manipulated by bad actors launching ransomware attacks on unwitting victims.
Ransomware families associated with the cracked copies of Cobalt Strike “have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world,” according to Microsoft, costing hospital systems “millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments.”
As hospitals grappled with the coronavirus pandemic across the U.S., cybercriminals ramped up crippling cyberattacks designed to lock down computer networks containing patient data in exchange for hefty ransoms. Analysis conducted by the Cybersecurity and Infrastructure Security Agency (CISA) found such attacks had long-term negative impacts on hospitals, creating more ambulance diversions and increased mortality.
Older, illegal copies of the Cobalt Strike software — often referred to as “cracked” versions — have been abused by criminals in a series of high-profile attacks, including those waged against the government of Costa Rica and the Irish Health Service Executive, according to Microsoft.
At least two infamous Russian-speaking ransomware gangs — Conti and LockBit — are listed among the 16 defendants, according to a court order obtained by CBS News.
“While the exact identities of those conducting the criminal operations are currently unknown, we have detected malicious infrastructure across the globe, including in China, the United States and Russia,” Microsoft stated in its announcement. “In addition to financially motivated cybercriminals, we have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam and Iran, using cracked copies.”
“We are also going to do what we call ‘sinkholing,’ which means redirecting those domains to Microsoft so that we can identify any victims. We’ll work with others around the world to help remediate those victims,” said Amy Hogan-Burney, general manager and associate general counsel for cybersecurity policy and protection at Microsoft.
Friday’s legal move marks rare action by a tech leader to target malicious hackers’ tools and tactics with a court-authorized order. Spearheaded by Microsoft’s 35-person Digital Crimes Unit, researchers began devising the legal strategy more than a year ago in conjunction with Fortra and H-ISAC.
Microsoft has previously tapped civil orders to seize domains and IP addresses associated with specific malware, but Friday’s court order marks the first time the tech leader has sought to take down a malicious hacking tool on this scale.
“Some of the legal claims are similar to actions we’ve done in the past, but the scope is much bigger than what we’ve done,” said Hogan-Burney.
Microsoft has already begun digging into the hacking tools it believes cybercriminals will switch to after the Cobalt Strike crackdown, Hogan-Burney said. And although Friday’s legal action will not stop cybercriminals from exploiting the cracked software outright, Hogan-Burney calls it an important first step.
Microsoft and Fortra obtained a temporary restraining order against those violating the copyright of their programs to permit quicker shutdown of malicious versions of the software. But Friday’s court order also allows Microsoft, Fortra and the H-ISAC to carry out future takedowns as criminals develop new infrastructure.
“[This court order] allows us to keep doing it,” Hogan-Burney added. “After we execute the temporary restraining order today, we are going to seek a permanent injunction because we believe this activity will continue by the cybercriminals. They will look to move hosting [sites] for the cracked versions of Cobalt Strike because it is an effective tool for them. And we will continue to chase them.”