Microsoft and Fortra take down malicious Cobalt Strike servers

Microsoft and cybersecurity firm Fortra have partnered up to take down malicious servers associated with the Cobalt Strike tool, which is commonly used by hackers to deploy ransomware attacks. Cobalt Strike is a legitimate penetration testing tool that can be used for legitimate purposes, but it has also been widely abused by cybercriminals in recent years.

The two companies worked together to analyze the command and control infrastructure of Cobalt Strike and identified several malicious servers that were used to launch attacks. These servers were located in countries around the world, including the United States, Canada, Germany, and the Netherlands.

Microsoft and Fortra then worked with law enforcement agencies in these countries to shut down the malicious servers and disrupt the criminal infrastructure. The operation was carried out under the framework of the Microsoft Digital Crimes Unit (DCU), which is responsible for identifying and taking down cybercriminal networks.

Example of an attack flow where attacks leverage Cobalt Strike to deploy Conti, LockBit, and other ransomware as part of the ransomware as a service criminal business model. (Source: Microsoft)
Example of an attack flow where attacks leverage Cobalt Strike to deploy Conti, LockBit, and other ransomware as part of the ransomware as a service criminal business model. (Source: Microsoft)

Why Cobalt Strike is so damaging to organizations

Microsoft summarized the extent of the malicious use of Cobalt Strike:

“The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few.”

Cobalt Strike has become a popular tool for ransomware attacks because it allows hackers to gain control of victim networks and move laterally through them. Attackers have been leveraging Cobalt Strike to deploy Conti, LockBit, and other ransomware as part of the ransomware-as-a-service criminal business model. It becomes very difficult, and expensive, for victims to recover their files without paying a ransom.

In recent years, there has been a surge in ransomware attacks, with many organizations falling victim to these attacks and paying large sums of money to regain access to their data. The takedown of the Cobalt Strike servers is a significant step in the fight against ransomware, as it disrupts the infrastructure used by attackers to launch these attacks.

Microsoft and Fortra have called on organizations to take steps to protect themselves from ransomware attacks, including keeping their software up to date, using multi-factor authentication, and training employees to recognize phishing emails.

The takedown of the Cobalt Strike servers demonstrates the importance of collaboration between the private sector, law enforcement, and government agencies in the fight against cybercrime. The Microsoft DCU has been involved in numerous operations to disrupt cybercriminal networks, and this latest takedown is a reminder of the ongoing need for such efforts.

In November 2022, the Google Cloud Threat Intelligence team also open-sourced 165 YARA rules and a collection of indicators of compromise (IOCs) to help network defenders detect Cobalt Strike components in their networks.


Discover more from Cybersecurity Careers Blog

Subscribe to get the latest posts sent to your email.