Microsoft said it was working closely with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) to address cybercriminals’ misuse of Cobalt Strike to distribute malware, including ransomware.
To that end, the tech giant’s Digital Crimes Unit (DCU) revealed that it secured a court order in the US to “delete old, illegal copies of Cobalt Strike so that they can no longer be used by cybercriminals.”
While Cobalt Strike, developed and maintained by Fortra (formerly HelpSystems), is a legitimate post-exploitation tool used for adversary simulation, illegally cracked versions of the software have been weaponized by threat actors for years.
Ransomware operators, in particular, have leaned on Cobalt Strike after gaining initial access to a target environment to escalate privileges, move laterally across networks, and deploy file-encrypting malware.
“The family of ransomware associated with or spread by cracked copies of Cobalt Strike has been linked to more than 68 ransomware attacks that affected healthcare organizations in more than 19 countries worldwide,” Amy Hogan-Burney, general manager of DCU, said.
By disrupting the use of older copies of Cobalt Strike and abused Microsoft software, the goal is to deter attacks and force adversaries to rethink their tactics, the company added.
Redmond further noted the misuse of Cobalt Strike by nation-state groups whose operations align with Russia, China, Vietnam, and Iran, adding that it detected malicious infrastructure hosting Cobalt Strike around the world, including in China, the US, and Russia.
The legal action comes months after Google Cloud identified 34 cracked release versions of the Cobalt Strike tool in the wild in an effort to “make it harder for bad guys to abuse.”