Declaration of Rodelio G. Fiñones in Support of Application for an Emergency Ex Parte Temporary Restraining Order and Order to Show Cause re Preliminary Injunction
Microsoft Corporation, Fortra, LLC, and Health-ISAC, Inc. v. John Does 1-2, John Does 3-4 (aka Conti Ransomware Group), John Does 5-6 (aka LockBit Ransomware Group), John Does 7-8 (aka DEV-0193), John Does 9-10 (aka DEV-0206), John Does 11-12 (aka DEV-0237), John Does 13-14 (aka DEV-0243), John Does 15-16 (aka DEV-0504)
Date of Court Filing: March 30, 2023
Court Name: United States District Court
Court Jurisdiction: Eastern District of New York
Case Number: 1:23-cv-02447-RER-LKE
Document Summary
Rodelio G. Fiñones’s declaration is the most detailed malware reverse-engineering submission in Microsoft’s Cobalt Strike case. Prepared by a principal security software engineer and malware researcher in Microsoft’s Digital Crimes Unit, the filing dissects how cracked Cobalt Strike beacons function at the code, DLL, API, loader, and process-injection level. Fiñones first explains the two core Cobalt Strike components, the team server and the client, then moves into beacon stagers, full-featured beacon backdoors, loader execution paths, encrypted metadata, RSA- and AES-based command-and-control communications, reflective loading, process injection, and the role of beacon configuration files and watermarks. He also describes how operators inject malicious modules into legitimate Windows processes and use built-in functions for screenshots, desktop control, keylogging, Mimikatz-style credential theft, and credential hash harvesting.
The declaration is especially important because it connects the reverse engineering to Microsoft’s intellectual property and licensing claims. Fiñones details how cracked Cobalt Strike and the related ransomware binaries reproduce Microsoft’s Windows API declaring code for functions exported by DLLs such as kernel32.dll, advapi32.dll, wininet.dll, ws2_32.dll, ntdll.dll, and user32.dll. He explains that the Microsoft Windows SDK 8.0 license prohibits use of its distributable code in malicious, deceptive, or unlawful programs, then maps how the malware authors allegedly used that code regardless. The filing also goes beyond generic beacon analysis to describe how Conti and LockBit ransomware call those APIs to terminate services, evade detection, disable recovery, encrypt files, and drop ransom notes. What distinguishes this declaration from the others filed in the case is its forensic granularity: it includes DLL and API mapping diagrams, configuration file examples, process-injection figures, module breakdown charts, and a technical explanation of post-exploitation behavior. For anyone researching Cobalt Strike beacon analysis, malware reverse engineering, LockBit API mapping, Microsoft SDK misuse, or ransomware technical declarations filed in federal court, this document is an unusually detailed expert record.
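As an added illustration of the beacon configuration and watermark material the declaration covers, the following Python decoder is example code written for this page; it is not code from the declaration, from Microsoft, or from Fortra. It assumes the layout documented by public Cobalt Strike config parsers rather than anything stated in the filing: the embedded configuration block is obfuscated with a single-byte XOR key (0x69 for 3.x builds, 0x2E for 4.x), decoded entries are TLV records with a 6-byte big-endian header (index, type, length), and the licence watermark lives at setting index 37 as a 4-byte integer. The setting names, the sample blob, and the watermark value are all constructed for the example.

```python
"""
Minimal Cobalt Strike beacon configuration decoder (example code for this page).

Assumptions taken from public beacon-config parsers, not from the declaration:
  - The config block is XOR-obfuscated with a single byte: 0x69 (3.x) or 0x2E (4.x).
  - Each decoded entry is: index (uint16 BE), type (uint16 BE; 1 = short,
    2 = int, 3 = bytes/string), length (uint16 BE), then `length` bytes of value.
  - The licence watermark is setting index 37, stored as a 4-byte int.
  - The block ends at the first entry whose index is 0.
The sample configuration near the bottom is constructed for this example.
"""
import struct

XOR_KEYS = (0x2E, 0x69)            # 4.x key first, then the 3.x key
HEADER_LEN = 6
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
# Subset of setting indices; index 37 is the watermark (assumed, see docstring).
SETTING_NAMES = {1: "beacon_type", 2: "port", 3: "sleeptime",
                 8: "c2_server", 37: "watermark"}
# Decoded config begins with entry index 1 / type short / length 2.
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"


def xor_bytes(data, key):
    """Apply a single-byte XOR to every byte of `data`."""
    return bytes(b ^ key for b in data)


def find_config(blob):
    """Search `blob` for the XOR-encoded config header.

    Returns (key, decoded_bytes_from_header_onwards) or None if absent.
    """
    for key in XOR_KEYS:
        marker = xor_bytes(CONFIG_MAGIC, key)
        off = blob.find(marker)
        if off != -1:
            return key, xor_bytes(blob[off:], key)
    return None


def parse_config(decoded):
    """Walk the TLV entries and return {setting_name: value}."""
    settings = {}
    off = 0
    while off + HEADER_LEN <= len(decoded):
        idx, typ, length = struct.unpack(">HHH", decoded[off:off + HEADER_LEN])
        if idx == 0:                      # terminator / zero padding
            break
        off += HEADER_LEN
        raw = decoded[off:off + length]
        if len(raw) < length:             # truncated entry: stop rather than guess
            break
        off += length
        if typ == TYPE_SHORT and length == 2:
            val = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            val = struct.unpack(">I", raw)[0]
        else:
            val = raw.rstrip(b"\x00")      # fixed-size, NUL-padded byte fields
        settings[SETTING_NAMES.get(idx, f"setting_{idx}")] = val
    return settings


def extract_watermark(blob):
    """Convenience wrapper: locate the config and return its watermark, or None."""
    found = find_config(blob)
    if found is None:
        return None
    _key, decoded = found
    return parse_config(decoded).get("watermark")


def build_entry(idx, typ, value):
    """Encode one TLV entry; used only to construct the sample below."""
    if typ == TYPE_SHORT:
        raw = struct.pack(">H", value)
    elif typ == TYPE_INT:
        raw = struct.pack(">I", value)
    else:
        raw = value
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


# Constructed sample: not a real beacon, not a real licence watermark.
SAMPLE_WATERMARK = 0x0BADF00D
SAMPLE_CONFIG = (
    build_entry(1, TYPE_SHORT, 8)                                   # beacon type (constructed)
    + build_entry(2, TYPE_SHORT, 443)                               # port
    + build_entry(3, TYPE_INT, 60000)                               # sleep time in ms
    + build_entry(8, TYPE_BYTES, b"c2.example.invalid,/ping".ljust(256, b"\x00"))
    + build_entry(37, TYPE_INT, SAMPLE_WATERMARK)                   # watermark
    + b"\x00" * 16                                                  # terminator
)
# Surround the XOR-encoded config with filler bytes, as it would sit inside a binary.
SAMPLE_BLOB = b"\x90" * 32 + xor_bytes(SAMPLE_CONFIG, 0x2E) + b"\x90" * 16

if __name__ == "__main__":
    key, decoded = find_config(SAMPLE_BLOB)
    print(f"xor key: {key:#x}")
    for name, value in parse_config(decoded).items():
        print(f"{name:12s} {value!r}")
```

Against a real sample the interesting output is the watermark and the c2_server field: the watermark is what ties a beacon back to a licence (or to a known cracked build), and the declaration's point about operators reusing cracked kits is exactly that these values recur across unrelated intrusions. Beacons whose config has been re-obfuscated or packed will not match the six-byte header search; in that case the block has to be located after unpacking, which this decoder does not attempt.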
