Cybercriminals have co-opted a well-known security tool, one widely used by hospitals and healthcare systems around the world to test their own defenses, and turned it against those same hospitals in their efforts to commit cybercrime. The abuse culminated in Microsoft and a large group of cybersecurity firms obtaining court backing for a massive takedown of the tool.
Microsoft, together with cybersecurity firm Fortra and the Health Information Sharing and Analysis Center (H-ISAC), obtained a court order to remove bootleg versions of Fortra's Cobalt Strike software that had been made publicly available. The order, issued by the U.S. District Court for the Eastern District of New York last Friday, allows the organizations to seize from malicious actors the domain names that hosted the "cracked" versions of the software.
For the past few years there have been many reports that bad actors have used maliciously modified versions of this tool, which was originally designed to help companies check their cyber defenses, to launch ransomware attacks on unwitting victims.
More than 68 ransomware attacks involving ransomware families linked to cracked copies of Cobalt Strike have reportedly hit healthcare organizations in more than 19 countries around the world. The damages suffered by hospital systems include "millions of dollars in recovery and repair costs, as well as interruptions to critical patient care services, such as delayed diagnostic, imaging, and laboratory results, canceling medical procedures, and a delay in chemotherapy treatments".
While hospitals across the United States battled the coronavirus pandemic, cybercriminals intensified crippling cyberattacks that locked down computer networks containing patient data in exchange for large ransom payments. According to the Cybersecurity and Infrastructure Security Agency (CISA), such attacks lead to more ambulance diversions and increased mortality over time, with long-term negative impacts on hospitals.
According to Microsoft, criminals have abused older, illegal copies of Cobalt Strike, often referred to as "cracked" versions, in several high-profile attacks, including those on the government of Costa Rica and the Irish Health Service Executive.
According to court documents obtained by Trade Algo, at least two infamous Russian-language ransomware gangs, Conti and LockBit, are listed as defendants in the complaint.
Microsoft says it has detected malicious infrastructure all over the world, including in China, the United States, and Russia, but the exact identities of the criminal operations are unknown for now. Its research has also shown that, in addition to financially motivated cybercriminals, threat actors acting on behalf of foreign governments, including Russia, China, Vietnam, and Iran, have used cracked versions of the software to promote their interests.
As part of the effort to identify victims, the organizations will also carry out what is known as sinkholing: redirecting the seized domains to Microsoft-controlled infrastructure so that the machines still trying to reach them can be identified. "We will work with other organizations around the world to help rectify these incidents," said Amy Hogan-Burney, general manager and associate general counsel at Microsoft.
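The sinkholing step just described, as an added illustration that is not Microsoft's, Fortra's or H-ISAC's code: a minimal resolver model that answers seized domains with a sinkhole address and records the querying host so its owner can be notified. The domain names, addresses and the `Sinkhole` class are constructed placeholders for this example.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Optional
import ipaddress

# Constructed placeholder (TEST-NET-1); stands in for the sinkhole operator's address.
SINKHOLE_IP = "192.0.2.10"


def seized_zone_for(qname: str, seized: set) -> Optional[str]:
    """Return the seized zone that qname equals or sits under, else None.

    Label-wise matching avoids the classic suffix bug where
    'notseized.example' would wrongly match 'seized.example'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in seized:
            return zone
    return None


class Sinkhole:
    """Resolver that answers seized domains with SINKHOLE_IP and records who asked."""

    def __init__(self, seized_domains: Iterable[str], upstream: Callable[[str], str]):
        self.seized = {d.lower().rstrip(".") for d in seized_domains}
        self.upstream = upstream          # normal resolution for everything else
        self.victims: List[Dict[str, str]] = []

    def resolve(self, qname: str, client_ip: str) -> str:
        ipaddress.ip_address(client_ip)   # reject malformed client addresses early
        zone = seized_zone_for(qname, self.seized)
        if zone is None:
            return self.upstream(qname)
        # A lookup of a seized name is the victim-identification signal:
        # keep the asking host and the zone it wanted, for later notification.
        self.victims.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "client": client_ip,
            "qname": qname,
            "zone": zone,
        })
        return SINKHOLE_IP

    def affected_networks(self) -> Dict[str, int]:
        """Count sightings per /24 so notifications can go to network owners."""
        counts: Dict[str, int] = {}
        for v in self.victims:
            net = str(ipaddress.ip_network(v["client"] + "/24", strict=False))
            counts[net] = counts.get(net, 0) + 1
        return counts
```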
This is one of the few times a technology leader has used a court-authorized order to take on the tools and tactics of malicious hackers. The legal strategy was first formulated over a year ago by Microsoft's 35-person Digital Crimes Unit in collaboration with Fortra and H-ISAC.
Friday's order from the Oregon District Court marks the first time Microsoft has sought to take down a malicious hacking tool of this magnitude through a civil procedure, although the company has used civil orders in the past to seize specific domains and IP addresses associated with particular malware.
Hogan-Burney pointed out that some of the legal claims are similar to actions Microsoft has taken in the past, but that the scope of this claim is much larger than anything the company has historically done.
Hogan-Burney says Microsoft has already begun examining the hacking tools it believes cybercriminals will turn to after the Cobalt Strike crackdown. She emphasizes that Friday's legal action will not eliminate the cracked copies outright, but is an important first step towards preventing cybercriminals from exploiting the cracked software.
Fortra and Microsoft obtained a temporary restraining order that allows them to shut down malicious versions of the software more quickly, on the grounds that those distributing it are violating the programs' copyright. The court order also gives Microsoft, Fortra, and H-ISAC the ability to take down criminal infrastructure as it evolves in the future.
Hogan-Burney says the court order lets them keep doing that. "We intend to seek a permanent injunction after we implement the temporary restraining order, because we believe cybercriminals will continue to engage in this activity after we execute the temporary restraining order today. In our view, they will continue to pursue the cracked versions of Cobalt Strike that have been hosted by them because they see them as an effective tool for them. They will try to shift hosting sites."