After tricking an employee with a phishing email and a poisoned spreadsheet, hackers used the employee’s infected computer to break into Ireland’s public health system and tunnel through the network for weeks. They prowled from hospital to hospital, browsed folders, opened private files and spread the infection to thousands of other computers and servers.
By the time they made their ransom demand, they had hijacked more than 80% of the IT system, forcing the organization of over 100,000 people offline and jeopardizing the lives of thousands of patients.
The attackers unleashed the 2021 assault on Ireland’s Health Service Executive (HSE) with help from a “cracked,” or abused and unauthorized, legacy version of a powerful tool. Used by legitimate security professionals to simulate cyberattacks in defense testing, the tool has also become a favorite instrument of criminals who steal and manipulate older versions to launch ransomware attacks around the world. In the last two years, hackers have used cracked copies of the tool, Cobalt Strike, to try to infect roughly 1.5 million devices.
But Microsoft and Fortra, the tool’s owner, are now armed with a court order authorizing them to seize and block infrastructure linked to cracked versions of the software. The order also allows Microsoft to disrupt infrastructure associated with abuse of its software code, which criminals have used to disable antivirus systems in some of the attacks. Since the order was executed in April, the number of infected IP addresses has plummeted.