Microsoft partners with Fortra and Health-ISAC to fight Cobalt Strike abuse

Microsoft has partnered with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) to stop cybercriminals abusing Cobalt Strike, a legitimate post-exploitation tool. The tech giant’s Digital Crimes Unit (DCU) has secured a court order in the US to remove illegal or legacy copies of Cobalt Strike so they do not fall into the hands of cybercriminals.

Cobalt Strike was developed by Fortra, which still maintains it today. While the tool was meant to be used for adversary simulation, illegally cracked versions of the program have been abused by hackers for quite some time now. In addition to the legal measures, this action also includes copyright claims against the “malicious use of Microsoft and Fortra’s software code which are altered and abused for harm”.

[Figure: The global spread of victims infected by cracked or illegal Cobalt Strike copies. | Source: Microsoft]

The problem is especially bad when it comes to ransomware, as Cobalt Strike can be used to escalate privileges and move laterally across a network, both great things if you’re looking to encrypt as many files on as many computers as possible.

Overall, according to Microsoft DCU general manager Amy Hogan-Burney, ransomware families associated with or deployed using cracked versions of Cobalt Strike have so far been linked to more than 68 ransomware attacks affecting healthcare organisations in over 19 countries. Conti and LockBit are two of the most popular ransomware families that have used Cobalt Strike, alongside other ransomware-as-a-service operations.

So far, Google Cloud has identified at least 34 different cracked release versions of Cobalt Strike in the wild. The abuse doesn’t stop at Cobalt Strike either: Microsoft SDKs and APIs are also abused in malware code and in the criminal malware distribution infrastructure that targets and misleads victims.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.