Microsoft Corporation v. John Does 1-2

CourtDistrict Court, E.D. New York
DecidedSeptember 8, 2025
Docket1:23-cv-02447
StatusUnknown

This text of Microsoft Corporation v. John Does 1-2 (Microsoft Corporation v. John Does 1-2) is published on Counsel Stack Legal Research, covering District Court, E.D. New York primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook
Microsoft Corporation v. John Does 1-2, (E.D.N.Y. 2025).

Opinion

UNITED STATES DISTRICT COURT EASTERN DISTRICT OF NEW YORK ---------------------------------------------------------------X MICROSOFT CORPORATION, a Washington Corporation, FORTRA, LLC, a Minnesota Corporation, and HEALTH-ISAC, INC., a Florida Corporation, Plaintiffs, ORD ER A D O PTING REPORT & RECOMMENDATION -against- 23-CV-2447 (RER) (LKE) JOHN DOES 1-2, JOHN DOES 3-4 (AKA CONTI RANSOMWARE GROUP), JOHN DOES 5-6 (AKA LOCKBIT RANSOMWARE GROUP), JOHN DOES 7-8 (AKA DEV-0193), JOHN DOES 9-10 (AKA DEV-0206), JOHN DOES 11-12 (AKA DEV-0237), JOHN DOES 13-14 (AKA DEV-0243), JOHN DOES 15-16 (AKA DEV-0504), Controlling Computer Networks and Thereby Injuring Plaintiffs and Their Customers, Defendants. ---------------------------------------------------------------X RAMÓN E. REYES, JR., United States District Judge:

In a report and recommendation dated August 6, 2025, (ECF No. 55 (the “R&R”)), Magistrate Judge Lara E. Eshkenazi recommended that the Court grant Plaintiffs’ motion for default judgment and convert the terms of the preliminary injunction and supplemental preliminary injunctions into a permanent injunction, as outlined in Microsoft's proposed order. (Id. at 25; ECF No. 50-2). Judge Eshkenazi advised the parties that they had fourteen days from the date that R&R was received to file objections. (R&R at 25). To date, neither party has filed an objection to the R&R, and the time to do so has passed. See Fed. R. Civ. P. 72(b)(2). Pursuant to 28 U.S.C. § 636(b) and Federal Rule of Civil Procedure 72, the Court has reviewed the R&R for clear error and, finding none, adopts the R&R in its entirety. See Covey v. Simonton, 481 F. Supp. 2d 224, 226 (E.D.N.Y. 2007). Therefore, it is ordered that the R&R is adopted in its entirety. IT IS THEREFORE ORDERED that, Microsoft's Motion for Default Judgment and Entry of a Permanent Injunction is Granted.

IT IS FURTHER ORDERED that Defendants are in default, and that judgment is awarded in favor of Microsoft and against Defendants. IT IS FURTHER ORDERED that, Defendants, Defendants’ representatives, and persons who are in active concert or participation with Defendants, are permanently restrained and enjoined the following actions: A. Using unauthorized versions of Cobalt Strike to brutally force access into victims’ computers; using unauthorized versions of Cobalt Strike to operate a global malware and ransomware infrastructure, using unauthorized versions of Cobalt Strike to deploy malware and ransomware to victims’ machines; using unauthorized version of Cobalt Strike to offer RaaS to other malicious actors; using the Conti and LockBit

ransomware deployed via unauthorized Cobalt Strike to run and add its own protocols to the Microsoft operating system to go through the list of services and terminates services that are related to backup and recoveries as well as terminating security processes related to operating tool, which causes hundreds of lines of Microsoft’s declaring code and the structure, sequence, and organization of that code are copied with and across unauthorized, cracked Cobalt Strike modules and ransomware like LockBit; using the infected victims’ computers to send commands and instructions to the infected computing device to control it surreptitiously and deliver malware that, among other things, enables Defendants to take control of the victim’s computer and extort money from them. Defendants’ primary goal is to deliver ransomware and enable attacks against other computers; or stealing information, money or property from Plaintiffs, Plaintiffs’ customers or Plaintiffs’ member organizations, or undertaking any similar activity that inflicts harm on Plaintiffs, or the public, including Plaintiffs’ customers or associated member

organizations B. Configuring, deploying, operating or otherwise using or unauthorized Cobalt Strike to facilitate the deployment of defendants’ malware and ransomware activities described in the TRO Application, including but not limited to the C2 infrastructure hosted at and operating through the domains and IP addresses set forth herein and through any other deployments of unauthorized Cobalt Strike in any location. C. Using the trademarks or logos “Microsoft” or “Windows” the logos and trademarks “Cobalt Strike,” the trademarks, brands or logos of healthcare institution members of Health-ISAC; and/or other trademarks; trade names; service marks; or Internet domain addresses or names; or acting in any other manner which suggests in

any way that Defendants’ products or services come from or are somehow sponsored or affiliated with Plaintiffs or Plaintiffs’ associated member organizations, and from otherwise unfairly competing with Plaintiffs, misappropriating that which rightfully belongs to Plaintiffs or Plaintiffs’ customers or Plaintiffs’ associated member organizations, or passing off their goods or services as Plaintiffs or Plaintiffs’ associated member organizations. D. Infringing Plaintiffs’ registered trademarks, as set forth in Appendix B and E to the Complaint. E. Using in connection with Defendants’ activities any false or deceptive designation, representation or description of Defendants’ or of their representatives’ activities, whether by symbols, words, designs or statements, which would damage or injure Plaintiffs or give Defendants an unfair competitive advantage or result in deception

of consumers. IT IS FURTHER ORDERED, pursuant to the All Writs Act (28 U.S.C. § 1651), that the terms of this Permanent Injunction shall be enforced against Defendants, Defendants’ representatives, and persons who are in active concert or participation with Defendants, as follows: A. With respect to the domains set forth at Appendix A and any registered Internet domains that are determined to be “Cobalt Strike Domains,” through the process set forth in this Order, and where the relevant domain registry is located in the United States, the domain registry shall take the following actions: 1. Within three (3) business days of receipt of this Order, shall unlock and

change the registrar of record for the domain to MarkMonitor or such other registrar specified by Microsoft. To the extent the registrar of record does not assist in changing the registrar of record for the domain under its control, the domain registry for the domain, or its administrators, including backend registry operators or administrators, within five (5) business days of receipt of this Order, shall change, or assist in changing, the registrar of record for the domain to MarkMonitor or such other registrar specified by Microsoft. The purpose of this paragraph is to ensure that Microsoft has control over the hosting and administration of the domain in its registrar account at MarkMonitor or such other registrar specified by Microsoft. Microsoft shall provide to the domain registry or registrar of record any requested registrar information or account details necessary to effectuate the foregoing. 2. The domain shall be made active and shall resolve in the manner set

forth in this order, or as otherwise specified by Microsoft, upon taking control of the domain; 3.

Free access — add to your briefcase to read the full text and ask questions with AI

Related

Covey v. Simonton
481 F. Supp. 2d 224 (E.D. New York, 2007)

Cite This Page — Counsel Stack

Bluebook (online)
Microsoft Corporation v. John Does 1-2, Counsel Stack Legal Research, https://law.counselstack.com/opinion/microsoft-corporation-v-john-does-1-2-nyed-2025.