After tricking an employee with a phishing email and a poisoned spreadsheet, hackers used the employee’s infected computer to break into Ireland’s public health system and tunnel through the network for weeks. They prowled from hospital to hospital, browsed folders, opened private files and spread the infection to thousands of other computers and servers.
By the time they made their ransom demand, they had hijacked more than 80% of the IT system, forcing the organization of over 100,000 people offline and jeopardizing the lives of thousands of patients.
The attackers unleashed the 2021 assault on Ireland’s Health Service Executive (HSE) with help from a “cracked,” or abused and unauthorized, legacy version of a powerful tool. Used by legitimate security professionals to simulate cyberattacks in defense testing, the tool has also become a favorite instrument of criminals who steal and manipulate older versions to launch ransomware attacks around the world. In the last two years, hackers have used cracked copies of the tool, Cobalt Strike, to try to infect roughly 1.5 million devices.
But Microsoft and Fortra, the tool’s owner, are now armed with a court order authorizing them to seize and block infrastructure linked to cracked versions of the software. The order also allows Microsoft to disrupt infrastructure associated with abuse of its software code, which criminals have used to disable antivirus systems in some of the attacks. Since the order was executed in April, the number of infected IP addresses has plummeted.
“The message we want to send in cases like these is: ‘If you think you’re going to get away with weaponizing our products, you’re in for a rude awakening,’” says Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU) and head of the unit’s Malware Analysis & Disruption team.
The effort to knock cracked Cobalt Strike offline began in 2021 when DCU — an eclectic, global group of cybercrime fighters — wanted to make a bigger dent on the rise in ransomware attacks. Previous operations had targeted individual botnets like Trickbot and Necurs separately, but ransomware investigator Jason Lyons proposed a major operation targeting many malware groups and focused on what they had in common: their use of cracked, legacy Cobalt Strike.
“We kept seeing cracked Cobalt Strike as the tool in the middle being leveraged in ransomware attacks,” says Lyons, who based his assessments on internal intelligence of attacks on Windows customers.
A former counterintelligence special agent with the U.S. Army, Lyons had spent many nights and weekends responding to ransomware events and breaches. The chance to go after many criminals at once was a way to “bring a little pain to the bad guys and interrupt their nights and weekends, too,” he says.
But before Microsoft could start inflicting pain, it needed to clean its own house first and rid Azure of cracked Cobalt Strike. Rodel Finones, a reverse engineer who deconstructs and analyzes malware, quickly went to work. He had moved to DCU from the Microsoft Defender Antivirus team a few years ago to take a more proactive role in fighting crime.
Finones built a crawler that connected to every active, public-facing Cobalt Strike command-and-control server on Azure — and later, the internet. The servers communicate with infected devices and allow operators to spy on a network, move laterally and encrypt files. He also began investigating how ransomware operators were abusing Microsoft’s software in their attacks.
But crawling wasn’t enough. Investigators faced the challenge of distinguishing valid security uses of Cobalt Strike from illicit uses by threat actors. Fortra issues a unique license number, or watermark, for every Cobalt Strike kit it sells, which provides a forensic clue in cracked copies. But the company wasn’t part of the initial operation, and DCU investigators worked alone to build an internal catalog of watermarks linked to customer attacks as they cleaned up Azure.
Meanwhile, Fortra, which had acquired Cobalt Strike in 2020, was also working on the problem of criminals using cracked copies. When Microsoft proposed a joint operation, the company needed time to make sure partnering with Microsoft was the right move, says Bob Erdman, associate vice president for Research & Development at Fortra.
At one point, Microsoft tried to buy a copy of Cobalt Strike to help investigators understand the tool. Fortra said no.
“It’s an interesting and funny story now, but we didn’t know if Fortra was going to partner with us,” says Lyons.
“We don’t just sell to anybody who wants it,” Erdman said in response.
Fortra joined the action in early 2023 and provided a list of more than 200 “illegitimate” watermarks linked to 3,500 unauthorized Cobalt Strike servers. The company had been doing its own investigations and adding new security controls, but partnering with Microsoft provided access to scale, additional expertise and another way to protect its tool and the internet. Over the course of the investigation, Fortra and Microsoft analyzed approximately 50,000 unique copies of cracked Cobalt Strike.
“It really was a very good match for the two of us,” says Erdman. “It’s a great way to partner where everybody’s stronger working together.”
The partnership was also a win for Microsoft, with Fortra’s insight and watermark list greatly expanding the operation’s reach. It helped the companies with their lawsuit linking malicious infrastructure to 16 unnamed defendants, each one a distinct threat group.