Cybercriminals crack Microsoft software

Microsoft’s Digital Crimes Unit (DCU) is partnering with cybersecurity company Fortra™ and Health Information and Analysis Center (Health-ISAC) to combat cybercriminal activity related to “cracked” versions of Cobalt Strike and Microsoft software.  

“The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world,” wrote Amy Hogan-Burney, manager of Microsoft’s Digital Crimes Unit, in an announcement.   

“These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few.” 

Cobalt Strike is a tool used by organizations all over the world to simulate cyberattacks so they can build stronger and better cyber defense plans. Cybercriminals have taken and altered older versions of the software, known as “cracked” copies, to launch attacks on unsuspecting victims while evading detection.  

“We have observed ransomware operators using cracked copies of Cobalt Strike and abused Microsoft software to deploy Conti, LockBit, and other ransomware as part of the ransomware as a service business model,” Microsoft continued.  

On March 31, 20023, the U.S. District Court for the Eastern District of New York issued a court order that empowers Microsoft, Fortra, and Health-ISAC to combat cybercriminals by disrupting the “malicious infrastructure used by criminals to facilitate their attacks.”. 

Microsoft, Forta, and Health-ISAC plan to protect targets by alerting affected internet service providers and computer emergency readiness teams (CERTs) to help take infrastructure offline, which blocks the cybercriminals’ access to their target.  

Unlike previous cyber missions from DCU, they are working with Fortra to delete “cracked” copies of Cobalt Strike to prevent its exploitation in the future.  

Cybercriminals have been abusing Cobalt Strike to launch massive cyberattacks around the globe, including against the government of Costa Rica and Ireland’s Department of Health, for over a decade. In November of 2021, the U.S. Department of Health and Human Services issued a warning to U.S. healthcare organizations regarding the potential abuse of Cobalt Strike.  

The exact identities of the cybercriminals are not known, but Microsoft notes, “In addition to financially motivated cybercriminals, we have observed threat actors acting in the interests of foreign governments, including from Russia, China, Vietnam and Iran, using cracked copies.” 

As cybercriminals continue to evolve and adapt their tactics, it is clear that the fight against cybercrime will require ongoing innovation and collaboration between the public and private sectors. 

“Microsoft, Fortra and Health-ISAC remain relentless in our efforts to improve the security of the ecosystem, and we are collaborating with the FBI Cyber Division, National Cyber Investigative Joint Task Force (NCIJTF) and Europol’s European Cybercrime Centre (EC3) on this case,” Microsoft continues.  

“While this action will impact the criminals’ immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done. Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike.”