Microsoft has successfully shut down a sophisticated cybercrime operation called Fox Tempest that provided code-signing certificates to ransomware groups, enabling them to make malicious software appear legitimate and bypass security measures.
Microsoft Disrupts Malware-Signing Operation Used by Ransomware Gangs
Microsoft has successfully dismantled a significant cybercrime operation known as Fox Tempest, which provided code-signing certificates to ransomware gangs, allowing them to disguise malicious software as legitimate applications. The operation, which has been active since May 2025, abused Microsoft's Artifact Signing service by creating fraudulent accounts and obtaining real code-signing credentials that were then sold to cybercriminals.
The Fox Tempest Operation
The Fox Tempest operation, run by individuals referred to as "John Doe 1" and "John Doe 2" in court documents unsealed on Tuesday, created over 580 fraudulent Microsoft accounts using fake identities and impersonated real organizations. These accounts were then used to abuse Microsoft's Artifact Signing service, which is designed to allow developers to digitally sign their software applications, signaling to the Windows operating system and end-users that the software is authentic and hasn't been tampered with.
According to Microsoft's investigation, the operation sold these code-signing certificates to various ransomware groups for substantial fees ranging from $5,000 for standard service to $9,500 for expedited service. The Digital Crimes Unit (DCU) conducted test purchases in February and March 2026 to understand the operation's mechanics, working with a cooperating source who purchased the service from John Doe 2, also known as "SamCodeSign."
Affected Ransomware Groups
Microsoft identified several ransomware groups that utilized Fox Tempest's services, including:
- Vanilla Tempest (also known as Vice Spider, Vice Society, Rhysida)
- INC
- Qilin
- Akira
These groups used the certificates to digitally sign various types of malware, including:
- Windows backdoor Oyster
- Infostealers Lumma and Vidar
- Rhysida ransomware
The court documents reveal that Vanilla Tempest "unlawfully accessed victims' computers and devices, exfiltrated and stole the personal and confidential information of victims, deployed ransomware designed to encrypt victims' files and systems, and extorted victims by demanding payment in exchange for restoring access to, or suppressing, their data."
Impact on Victims
Microsoft has identified thousands of customer machines in the United States that have been impacted by malware signed with certificates originating from the Fox Tempest operation. Notably, at least 12 machines owned and operated by Microsoft itself were affected.
For individual users and organizations, the impact of such malware can be devastating:
- Data Breaches: Personal and confidential information can be stolen and potentially sold on dark web marketplaces.
- System Encryption: Ransomware can encrypt files and systems, rendering them inaccessible without payment.
- Financial Loss: Victims may face extortion demands and costs associated with system recovery and data restoration.
- Reputational Damage: Organizations may suffer significant reputational harm following a security breach.
- Regulatory Compliance Issues: Companies may face investigations and penalties for failing to protect user data adequately.
Legal Implications
The operation raises significant legal and regulatory concerns under various data protection frameworks:
- GDPR (General Data Protection Regulation): Organizations affected by ransomware attacks that result in data breaches may face fines of up to 4% of annual global turnover or €20 million, whichever is higher, for failing to implement appropriate security measures.
- CCPA (California Consumer Privacy Act): California businesses that experience data breaches may be held liable for failing to implement reasonable security procedures and practices.
- CFAA (Computer Fraud and Abuse Act): The individuals behind Fox Tempest and the ransomware groups using their services could face criminal charges under U.S. law.
Microsoft's civil complaint alleges that the defendants "violated the Computer Fraud and Abuse Act, the Washington Consumer Protection Act, and Washington's Computer Spyware Act by intentionally accessing computers without authorization and causing damage to protected computers."
Microsoft's Response
Microsoft's Digital Crimes Unit played a crucial role in disrupting this operation. The company seized websites and took down hundreds of virtual machines running the Fox Tempest service. The investigation involved:
- Undercover purchases of the service to understand its operation
- Identification of cryptocurrency wallets used by the perpetrators
- Collection of evidence through screenshots and communications
- Legal action to obtain court orders for takedown
Steven Masada, an attorney with Microsoft's Digital Crimes Unit, stated in a blog post that the investigation "further linked Fox Tempest to various additional ransomware affiliates and families, including INC, Qilin, Akira, and others."
Broader Implications for Software Security
This case highlights ongoing challenges in software security and the abuse of legitimate services by malicious actors. Code-signing certificates are essential for establishing trust in software distribution, but when obtained fraudulently, they can undermine security measures designed to protect users.
Microsoft has indicated that it will continue to enhance its verification processes for the Artifact Signing service to prevent similar abuses. This may include:
- More rigorous identity verification for account creation
- Enhanced monitoring of certificate usage
- Improved detection of suspicious signing activities
- Collaboration with law enforcement to quickly respond to abuses
What Users and Organizations Should Do
In the wake of this operation, users and organizations should:
- Update Security Software: Ensure all security solutions are up to date to detect the latest threats.
- Verify Software Sources: Only download software from official or trusted sources.
- Check Digital Signatures: Before installing software, verify its digital signature to ensure authenticity.
- Regular Backups: Maintain regular backups of important data to mitigate the impact of potential ransomware attacks.
- Employee Training: Educate staff about the risks of downloading unverified software and the importance of security best practices.
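One way to put the "Check Digital Signatures" advice into practice, as an added example that is not part of the article or of Microsoft's guidance: the script below inventories Authenticode signatures under a folder and flags files whose signature is valid but whose signer is not on an explicit publisher allow list. That distinction matters here, because malware signed with a fraudulently obtained certificate still produces a "Valid" status. It assumes Windows PowerShell 5.1 or later; the thumbprint in the allow list is a placeholder to replace with your own approved publishers.

```powershell
# Added example (not from the article or Microsoft): inventory Authenticode
# signatures and separate "validly signed" from "signed by someone we trust".
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    # Thumbprints of publishers you have deliberately approved
    # (placeholder value; replace with your own certificate thumbprints).
    [string[]]$ApprovedThumbprints = @('0000000000000000000000000000000000000000')
)

$extensions = '*.exe', '*.dll', '*.msi', '*.ps1', '*.sys'

Get-ChildItem -Path $Path -Recurse -Include $extensions -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # A chain to a trusted root proves who the CA vouched for, not whether
        # that identity is one you intend to run software from.
        $verdict = switch ("$($sig.Status)") {
            'NotSigned' { 'UNSIGNED' }
            'Valid' {
                if ($cert.Thumbprint -in $ApprovedThumbprints) { 'APPROVED' }
                else { 'REVIEW: valid signature, unapproved publisher' }
            }
            default { "REJECT: $($sig.Status)" }
        }

        [pscustomobject]@{
            File        = $_.FullName
            Verdict     = $verdict
            Signer      = if ($cert) { $cert.Subject }    else { '' }
            Issuer      = if ($cert) { $cert.Issuer }     else { '' }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '' }
            # Certificate lifetime in days; very short-lived or freshly issued
            # signing certificates on unfamiliar software deserve a second look.
            CertDays    = if ($cert) { [int]($cert.NotAfter - $cert.NotBefore).TotalDays } else { $null }
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    } |
    Sort-Object Verdict |
    Format-Table -AutoSize
```

Files marked REVIEW are the interesting ones: record the signer and thumbprint, and treat a valid signature from an unknown publisher as no stronger evidence of safety than an unsigned file.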
Microsoft's disruption of the Fox Tempest operation represents a significant victory in the ongoing battle against cybercrime, particularly ransomware groups that continue to evolve their tactics to bypass security measures. However, this case also serves as a reminder of the constant cat-and-mouse game between security professionals and malicious actors, highlighting the need for continuous vigilance and improvement in security practices.
For more information on Microsoft's Digital Crimes Unit and their efforts to combat cybercrime, you can visit their official page.