Microsoft, hospital group use court order to disrupt ransomware attacks aimed at health sector

By Sean Lyngaas, CNN

Microsoft used a federal court order to try to cut off cybercriminals’ access to a hacking tool that has been used in nearly 70 ransomware attacks on health organizations in more than 19 countries, the tech giant said Thursday.

It’s one of the biggest moves yet by tech firms and hospitals to combat ransomware attacks that have hobbled US health care providers for years by forcing ambulances to be diverted or chemotherapy appointments to be canceled.

The court order from the Eastern District of New York allows Microsoft to seize internet infrastructure that predominantly Russian-speaking hackers were using to communicate with infected computer networks in hospitals and other health care organizations in the US and around the world.

In addition to Microsoft, the Health Information Sharing and Analysis Center, or H-ISAC, a cyberthreat-sharing group for big US health care providers, and US software firm Fortra sought the court order.

As the coronavirus pandemic strained health care systems around the US, cybercriminals continued to opportunistically lock up the computer networks of hospitals and demand a ransom.

An apparent cyberattack in February forced Tallahassee Memorial HealthCare, which operates a 772-bed hospital in Florida, to send some emergency patients to other facilities.

Many hospitals “end up in (the hackers’) crosshairs because they are underfunded and don’t have appropriate security controls in place,” said Errol Weiss, H-ISAC’s chief security officer.

Weiss told CNN that he believes many hospitals are quietly paying ransoms to hackers because the hospitals “are supporting life-critical functions and they have to get back into operation as soon as possible.”

Fortra sells Cobalt Strike, a type of software that organizations use to test their cyberdefenses but that cybercriminals and state-backed hackers have often hijacked and used in their own hacking operations. The court order allows Microsoft, whose software was also targeted in the attacks, to cut off communication between the hackers and the bootleg version of Cobalt Strike they had used to gain a foothold into victim networks.

The court order, which CNN has reviewed, names at least two notorious Russian-speaking ransomware gangs — known as Conti and LockBit — as using the altered Cobalt Strike software.

A 2021 ransomware attack from Conti on Ireland’s multibillion-dollar public health system disrupted a maternity ward in Dublin. Conti used the cracked Cobalt Strike software in that hack, according to Microsoft.

If they aren’t restrained by the court order, the hacking groups could cause “immediate and irreparable harm” from continued use of the stolen hacking tool, the court order says.

The court order won’t kill off the malicious use of the software; crooks and spies have abused Cobalt Strike for years and will likely look for new ways to do so.

But Amy Hogan-Burney, Microsoft’s associate general counsel for cybersecurity policy and protection, said that Microsoft will use the information seized from the hackers to go after other infrastructure they use.

“We’re going to continue to identify domains and IPs (internet protocol addresses) around the world and work to seize those as soon as possible,” Hogan-Burney told CNN.

The-CNN-Wire
™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.
