Here's How Microsoft Fought Against Ireland's HSE Attackers

The attackers employed a cracked version of a powerful tool to launch the 2021 attack on Ireland's Health Service Executive (HSE).


After luring a worker with a phishing email and a malware-laced spreadsheet, the hackers used the victim's infected computer to access Ireland's public health system and tunnel across the network for weeks. Infecting thousands more systems and servers, they prowled from hospital to hospital, explored folders, and opened personal files.

By the time they demanded a ransom, they had already taken over more than 80% of the IT infrastructure, knocked out the organisation's 100,000+ employees, and put the lives of thousands of patients in danger.

The attackers employed a "cracked" (illegally modified and unauthorised) legacy version of a powerful tool to launch the 2021 attack on Ireland's Health Service Executive (HSE). The tool, which is used by credible security professionals to simulate cyberattacks in defence testing, has also become a favourite of criminals, who steal and manipulate older versions to launch ransomware attacks around the world. Over the previous two years, hackers attempted to infect over 1.5 million devices using cracked copies of the tool, Cobalt Strike.

However, Microsoft and the tool's owner, Fortra, now have a court order authorising them to seize and block infrastructure associated with cracked versions of the software. The order also permits Microsoft to interrupt infrastructure linked with the misuse of its software code, which thieves have utilised in some of the attacks to disable antivirus systems. Since the order was carried out in April, the number of compromised IP addresses has decreased dramatically. 

"The message we want to send in cases like these is: 'If you think you're going to get away with weaponizing our products, you're going to get a rude awakening,'" states Richard Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit (DCU) and head of the unit's Malware Analysis & Disruption team. 

The effort to take down cracked Cobalt Strike began in 2021, when DCU — a diverse, multinational organisation of cybercrime fighters — aimed to make a deeper dent in the rising number of ransomware attacks. Previous operations had separately targeted particular botnets such as Trickbot and Necurs, but ransomware investigator Jason Lyons advocated a large operation targeting multiple malware groups and focusing on what they all had in common: the usage of cracked, old Cobalt Strike. 

"We kept seeing cracked Cobalt Strike as the tool in the middle being leveraged in ransomware attacks," Lyons explained, basing his evaluations on internal information about Windows-based attacks. 

Lyons, a former US Army counterintelligence special agent, had spent many nights and weekends responding to ransomware attacks and breaches. The opportunity to pursue multiple crooks at once allowed him to "bring a little pain to the bad guys and interrupt their nights and weekends, too," he adds.

But before it could start inflicting pain, Microsoft needed to clean up its own house and get rid of cracked Cobalt Strike running in Azure. Rodel Finones, a reverse engineer who deconstructs and analyses malware, jumped to work right away. He had transferred from the Microsoft Defender Antivirus team to DCU a few years earlier in order to play a more proactive role in combating criminality.

Finones designed a crawler that connected to every active, publicly accessible Cobalt Strike command-and-control server on Azure — and, ultimately, the internet. The servers communicate with infected devices, enabling operators to spy on networks, move laterally, and encrypt information. He also began looking into how ransomware criminals used Microsoft's technologies in their operations. 

Crawling, though, was insufficient. The investigators had a difficult time distinguishing between legitimate security uses of Cobalt Strike and unlawful use by threat actors. Fortra assigns a unique licence number, or watermark, to each Cobalt Strike kit sold, and that watermark survives in cracked copies as a forensic clue. However, Fortra was not involved in the first operation, so DCU investigators worked alone to build an internal catalogue of watermarks seen in attacks on customers while cleaning up Azure.

Meanwhile, Fortra, which purchased Cobalt Strike in 2020, was addressing the issue of criminals exploiting cracked copies. When Microsoft proposed a joint venture, the corporation needed time to ensure that working with Microsoft was the appropriate decision, according to Bob Erdman, assistant vice president for business development. 

In early 2023, Fortra joined the action and released a list of over 200 "illegitimate" watermarks linked to 3,500 unauthorised Cobalt Strike servers. The company had been doing its own investigations and implementing new security procedures, but teaming with Microsoft allowed access to scale, extra knowledge, and an additional method of protecting its tool and the internet. Fortra and Microsoft examined around 50,000 distinct copies of cracked Cobalt Strike during the inquiry. 

Microsoft benefited from the collaboration as well, with Fortra's knowledge and watermark list significantly expanding the operation's reach. It aided the firms' case, which linked malicious infrastructure to 16 unknown defendants, each representing a unique threat group. 

Lawyers argued that the groups, including ransomware authors, extortionists, victim lurers, and sellers of cracked Cobalt Strike, collaborated in a thriving, profitable ransomware-as-a-service operation aimed at maximising profit and harm. They also linked cracked Cobalt Strike to eight ransomware families, including LockBit, a quick encryption and denial-of-service attacker, and Conti, the malware suspected in the disastrous 2022 attacks on the Costa Rican government.