
Microsoft Disrupts Major Malware Signing Service
TL;DR: Microsoft has taken down a major malware code-signing service that enabled ransomware groups to make their malicious software appear legitimate. The operation involved seizing a website, revoking over 1,000 abused certificates, and shutting down hundreds of virtual machines hosted on Azure.
Key facts
- Category: Cybersecurity
- Impact: High
- Published:
- Source: CSO Online
Full summary
Microsoft has dismantled a major code-signing service that helped ransomware gangs disguise their malware by making it appear legitimate and trustworthy.
Microsoft has disrupted the infrastructure of a significant malware code-signing service used by ransomware gangs and other cybercriminals. The service allowed attackers to make their malicious programs harder to detect on Windows by signing them with fraudulently obtained digital certificates. The operators used stolen identities and impersonated legitimate companies to acquire over 1,000 code-signing certificates. In response, Microsoft seized the group's website, signspace[.]cloud, revoked the abused certificates issued through its Artifact Signing service, and took hundreds of attacker-controlled virtual machines offline on its Azure platform.
This action is important because code-signing certificates are a fundamental component of software trust: a valid signature ties a binary to a named publisher and proves it has not been altered since signing. By obtaining certificates under stolen or impersonated identities, threat actors could pass security controls that are designed to block unsigned or untrusted code. The incident highlights a critical supply chain risk, in which trusted platforms such as Azure and official signing services are exploited to distribute malware. The disruption directly impacts the operations of prominent ransomware groups, including INC, Qilin, Akira, and Rhysida, which relied on the service to deploy their malicious payloads more effectively.
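The practical follow-up for defenders after a revocation event like this one is to find binaries whose signer certificate no longer chains to a trusted root or has been revoked. The script below is an added example and is not part of the article or any Microsoft tooling; it uses the built-in Get-AuthenticodeSignature cmdlet together with the .NET X509Chain class, forces an online CRL/OCSP revocation check, and reports every PE file whose signature is missing, broken, or backed by a revoked or untrusted certificate. The scan root and the sample call at the end are placeholders.

```powershell
# Added example (not from the article). Reports signed executables whose
# signer certificate fails an online revocation/trust check.
function Get-SignerTrustReport {
    param(
        [Parameter(Mandatory)][string]$Root    # placeholder: directory to scan
    )

    $codeSigningEku = [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')  # id-kp-codeSigning

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $sig  = Get-AuthenticodeSignature -FilePath $file

        $result = [ordered]@{
            Path       = $file
            SigStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Subject    = $null
            Thumbprint = $null
            ChainOk    = $false
            Revoked    = $false
            ChainInfo  = ''
        }

        if ($sig.SignerCertificate) {
            $cert = $sig.SignerCertificate
            $result.Subject    = $cert.Subject
            $result.Thumbprint = $cert.Thumbprint

            # Build the chain with online revocation checking for every certificate in it.
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null

            $result.ChainOk = $chain.Build($cert)

            # ChainStatus is empty on success; otherwise it lists every problem found.
            foreach ($status in $chain.ChainStatus) {
                if ($status.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) {
                    $result.Revoked = $true
                }
                $result.ChainInfo += ('{0}; ' -f $status.StatusInformation.Trim())
            }
            $chain.Dispose()
        }

        [pscustomobject]$result
    }
}

# Placeholder usage: list only the files that need attention.
Get-SignerTrustReport -Root 'C:\Path\To\Scan' |
    Where-Object { $_.SigStatus -ne 'Valid' -or -not $_.ChainOk } |
    Format-Table Path, SigStatus, Subject, Revoked, ChainInfo -AutoSize
```

Two caveats when reading the output: the chain is evaluated at the current time, so a certificate revoked with an effective date after the file's timestamp may still be treated as valid by Windows' own Authenticode policy, and `RevocationMode = Online` requires network access to the issuing CA's CRL or OCSP endpoint; without it, expect `RevocationStatusUnknown` rather than `Revoked`. Treat a `Revoked` hit on a known-good product as a reason to contact the vendor, and a `Revoked` hit on an unfamiliar binary as an incident lead.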
Why it matters
The service allowed ransomware gangs to bypass security controls by making malware appear legitimate. The disruption impacts major cybercrime groups and highlights the abuse of trusted infrastructure like Azure and code-signing services.
Business impact
This disruption reduces the immediate threat from several ransomware groups that relied on this service to deploy malware. It underscores the importance of verifying software sources and highlights the ongoing risk of supply chain attacks where trusted vendor platforms are abused.
Primary source: CSO Online