Fortra and Microsoft DCU Take Legal Action Against Cybercriminals

Today I’d like to bring you a story on how three companies are working together to take down the bad guys.

Cybersecurity software and services provider Fortra recently partnered with Microsoft’s Digital Crimes Unit (DCU) and the Health Information Sharing and Analysis Center (Health-ISAC), taking technical and legal action to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services, including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in the delivery of chemotherapy treatments, just to name a few.

On March 31, 2023, the U.S. District Court for the Eastern District of New York issued a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt the malicious infrastructure used by criminals to facilitate their attacks. Doing so has enabled these three organizations to notify relevant internet service providers (ISPs) and computer emergency readiness teams (CERTs) who assist in taking the infrastructure offline, effectively severing the connection between criminal operators and infected victim computers.

While the exact identities of those conducting the criminal operations are currently unknown, these three companies have detected malicious infrastructure across the globe, including in China, the United States and Russia. In addition to financially motivated cybercriminals, they have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam and Iran, using cracked copies.

Fortra’s Role

The Fortra Cyber Intelligence Team played a critical role in distinguishing legitimate from unauthorized Cobalt Strike systems as they were observed on the internet. It also served as the central hub for data collection from other public and private partners; that data was fed into the legal mechanisms used to initiate the takedown processes.

To date, there has been an overall decrease in the unauthorized usage of Cobalt Strike, and what is still being observed is originating more and more from a limited set of countries.

I spoke to Bob Erdman, who is the Associate VP, R&D at Fortra, about this, and he explained to me how this collaboration came about, and that this collaboration between Fortra and Microsoft had benefits beyond taking the actions described above. Specifically, there is the intel that both companies, along with Health-ISAC, gained from working together. One thing that was noted was that the threat actors behind this have moved to places that are difficult to reach for the legal system. Hopefully that changes, as using pirated software is a huge risk due to the fact that threat actors can do anything to the software to get initial access to a company using it.

I’ve only scratched the surface on this. Thus I encourage you to read more here:
