Inside the fight against hackers who disrupted hospitals and jeopardized lives

After tricking an employee with a phishing email and a poisoned spreadsheet, hackers used the employee’s infected computer to break into Ireland’s public health system and tunnel through the network for weeks. They prowled from hospital to hospital, browsed folders, opened private files and spread the infection to thousands of other computers and servers.

By the time they made their ransom demand, they had hijacked more than 80% of the IT system, forcing the organization of over 100,000 people offline and jeopardizing the lives of thousands of patients.

The attackers unleashed the 2021 assault on Ireland’s Health Service Executive (HSE) with help from a “cracked,” or abused and unauthorized, legacy version of a powerful tool. Used by legitimate security professionals to simulate cyberattacks in defense testing, the tool has also become a favorite instrument of criminals who steal and manipulate older versions to launch ransomware attacks around the world. In the last two years, hackers have used cracked copies of the tool, Cobalt Strike, to try and infect roughly 1.5 million devices.

Featured

Stopping cybercriminals from abusing security tools

Microsoft, Fortra™, and Health Information Sharing and Analysis Center partner to take technical and legal action to disrupt “cracked” legacy copies of Cobalt Strike, used by cybercriminals to distribute malware, including ransomwar

Learn more

But Microsoft and Fortra™, the tool’s owner, are now armed with a court order authorizing them to seize and block infrastructure linked to cracked versions of the software. The order also allows Microsoft to disrupt infrastructure associated with abuse of its software code, which criminals have used to disable antivirus systems in some of the attacks. Since the order was executed in April, the number of infected IP addresses has since plummeted.

“The message we want to send in cases like these is: ‘If you think you’re going to get away with weaponizing our products, you’re in for a rude awakening,’” says Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU) and head of the unit’s Malware Analysis & Disruption team.

To learn more about the crimefighting efforts by Microsoft ransomware investigators, engineers, and lawyers to disrupt cracked Cobalt Strike infrastructure and help keep organizations safe, read "Inside the fight against hackers who disrupted hospitals and jeopardized lives."

Cracked software Ransomware Threat Actors

Inside the fight against hackers who disrupted hospitals and jeopardized lives

Stopping cybercriminals from abusing security tools

Microsoft, Fortra™, and Health Information Sharing and Analysis Center partner to take technical and legal action to disrupt “cracked” legacy copies of Cobalt Strike, used by cybercriminals to distribute malware, including ransomwar

Related articles

Stopping cybercriminals from abusing security tools

Microsoft, Fortra™, and Health Information Sharing and Analysis Center partner to take technical and legal action to disrupt “cracked” legacy copies of Cobalt Strike, used by cybercriminals to distribute malware, including ransomware.

Behind the scenes with cybercrime and counter ransomware expert Nick Carr

Nick Carr, Cybercrime Intelligence Team Lead at the Microsoft Threat Intelligence Center, discusses ransomware trends, explains what Microsoft is doing to protect customers from ransomware, and describes what organizations can do if they’ve been affected by it.

61% increase in phishing attacks. Know your modern attack surface.

To manage an increasingly complex attack surface, organizations must develop a comprehensive security posture. With six key attack surface areas, this report will show you how the right threat intelligence can help tilt the playing field in favor of defenders.

Follow Microsoft Security