Blog
/
/
May 18, 2021

The Dangers of Double Extortion Ransomware Attacks

Learn about the latest trend in ransomware attacks known as double extortion. Discover how Darktrace can help protect your organization from this threat.
Written by
Brianna Leddy
Director of Analyst Operations
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Leddy
Director of Analyst Operations
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
18
May 2021

A year and a half ago, ‘double extortion’ ransomware was being used by only one known threat actor. Now, over 16 ransomware groups actively utilize this tactic. So, what is it, and why has it become so popular?

What is double extortion ransomware?

The traditional story of ransomware was one of malicious code rapidly encrypting files with public-key RSA encryption, and then deleting those files if the victim did not pay the ransom.

However, after the infamous WannaCry and NotPetya ransomware campaigns over 2017, companies ramped up their cyber defense. More emphasis was placed on backups and restoration processes, so that even if files were destroyed, organizations had copies in place and could easily restore their data.

Yet in turn, cyber-criminals have also adapted their techniques. Now, rather than just encrypting files, double extortion ransomware exfiltrates the data first. This means that if the company refuses to pay up, information can be leaked online or sold to the highest bidder. Suddenly, all those backups and data recovery plans became worthless.

Maze ransomware and friends

In late 2019, Maze ransomware emerged as the first high-profile case of double extortion. Other strains soon followed, with the Sodinokibi attack — which crippled foreign exchange company Travelex — occurring on the final day of that year.

By mid-2020, hundreds of organizations were falling victim to double extortion attacks, various websites on the dark net were leaking company data, and the Ransomware-as-a-Service business was booming as developers sold and rented new types of malware.

Furthermore, cyber security regulations started being weaponized by cyber-criminals who could leverage the threat of having to pay a hefty compliance fine (CCPA, GDPR, NYSDFS regulations) to encourage their victims to keep quiet by offering them a ransom smaller than the penalty fee.

There were 1,200 double extortion ransomware incidents in 2020, across 63 countries, with over 60% of these aimed at the US and the UK.

Despite new legislation being written regularly to try and mitigate these attacks, they aren’t slowing down. According to a recent study by RUSI, there were 1,200 double extortion ransomware incidents in 2020 alone, across 63 different countries. 60% of these were aimed at organizations headquartered in the US, and the UK suffered the second highest number of breaches.

Last month, the cyber-criminal gang known as REvil released details about Apple’s new Macbook Pro on their site ‘Happy Blog’, threatening to release more blueprints and demanding a ransom of $50 million. And last week, Colonial Pipeline purportedly paid $5 million in bitcoin to recover from a devastating OT ransomware attack.

Anatomy of a double extortion ransomware attack

Darktrace has detected a huge upsurge in double extortion ransomware threats in the last year, most recently at an energy company based in Canada. The hackers had clearly done their homework, tailoring the attack to the company and moving quickly and stealthily once inside. Below is a timeline of this real-world incident, which was mostly carried out in the space of 24 hours.

Figure 1: A timeline of the attack

Darktrace detected every stage of the intrusion and notified the security team with high-priority alerts. If Darktrace Antigena had been active in the environment, the compromised server would have been isolated as soon as it began to behave anomalously, preventing the infection from spreading.

Encryption and exfiltration

The initial infection vector is not known, but the admin account was compromised most likely from a phishing link or a vulnerability exploit. This is indicative of a trend away from the widespread ‘spray and pray’ ransomware campaigns of the last decade, towards a more targeted approach.

Cyber AI identified an internal server engaging in unusual network scanning and attempted lateral movement using the Remote Desktop Protocol (RDP). Compromised admin credentials were used to spread rapidly from the server to another internal device, ‘serverps’.

The device ‘serverps’ initiated an outbound connection to TeamViewer, a legitimate file storage service, which was active for nearly 21 hours. This connection was used for remote control of the device and to facilitate the further stages of attack. Although TeamViewer was not in wide operation in the company’s digital environment, it was not blocked by any of the legacy defenses.

The device then connected to an internal file server and downloaded 1.95 TB of data, and uploaded the same volume of data to pcloud[.]com. This exfiltration took place during work hours to blend in with regular admin activity.

The device was also seen downloading Rclone software – an open source tool, which was likely applied to sync data automatically to the legitimate file storage service pCloud.

The compromised admin credential allowed the threat actor to move laterally during this time. Following the completion of the data exfiltration, the device ‘serverps’ finally began encrypting files on 12 devices with the extension *.06d79000.

As with the majority of ransomware incidents, the encryption happened outside of office hours – overnight in local time – to minimize the chance of the security team responding quickly.

AI-powered investigation

Cyber AI Analyst reported on four incidents related to the attack, highlighting the suspicious behavior to the security team and providing a report on the affected devices for immediate remediation. Such concise reporting allowed the security team to quickly identify the scope of the infection and respond accordingly.

Figure 2: Cyber AI Analyst incident tray for a week

Cyber AI Analyst investigates on demand

Following further analysis on March 13, the security team employed Cyber AI Analyst to conduct on-demand investigations into the compromised admin credential in Microsoft 365, as well as another device which was identified as a potential threat.

Cyber AI Analyst created an incident for this other device, which resulted in the identification of unusual port scanning during the time period of infection. The device was promptly removed from the network.

Figure 3: Cyber AI Analyst incident for a compromised device, detailing an unusual internal download

Double trouble

The use of legitimate tools and ‘Living off the Land’ techniques (using RDP and a compromised admin credential) allowed the threat actors to carry out the bulk of the attack in less than 24 hours. By exploiting TeamViewer as a legitimate file storage solution for the data exfiltration, as opposed to relying on a known ‘bad’ or recently registered domain, the hackers easily circumvented all the existing signature-based defenses.

If Darktrace had not detected this intrusion and immediately alerted the security team, the attack could have resulted not only in a ‘denial of business’ with employees locked out of their files, but also in sensitive data loss. The AI went a step further in saving the team vital time with automatic investigation and on-demand reporting.

There is so much more to lose from double extortion ransomware. Exfiltration provides another layer of risk, leading to compromised intellectual property, reputational damage, and compliance fines. Once a threat group has your data, they might easily ask for more payments down the line. It is important therefore to defend against these attacks before they happen, proactively implementing cyber security measures that can detect and autonomously respond to threats as soon as they emerge.

Learn more about double extortion ransomware.

Darktrace model detections:

  • Device / Suspicious Network Scan Activity
  • Device / RDP Scan
  • Device / Network Scan
  • Anomalous Connection / Unusual Admin SMB Session
  • Anomalous Connection / Unusual Admin RDP Session
  • Device / Multiple Lateral Movement Model Breaches
  • User / New Admin Credentials on Client
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Anomalous Connection / Low and Slow Exfiltration
  • Device / Anomalous SMB Followed By Multiple Model
  • Anomalous Connection / Download and Upload
  • Anomalous Connection / Suspicious Activity On High Risk Device
  • Anomalous File / Internal::Additional Extension Appended to SMB File
  • Compromise / Ransomware::Suspicious SMB Activity
  • Anomalous Connection / Sustained MIME Type Conversion
  • Device / Anomalous RDP Followed By Multiple Model Breaches
  • Anomalous Connection / Suspicious Read Write Ratio
  • Device / Large Number of Model Breaches

Written by
Brianna Leddy
Director of Analyst Operations
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Leddy
Director of Analyst Operations

Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis

Cloud
April 2, 2025
Paul Bottomley
Director of Product Management, Cado

Darktrace Recognized as the Only Visionary in the 2025 Gartner® Magic Quadrant™ for CPS Protection Platforms

OT
March 26, 2025
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Watch the NIS2 Webinar
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
No items found.

Blog

/

Email

/

April 10, 2025

Email bombing exposed: Darktrace’s email defense in action

picture of a computer screen showing a password loginDefault blog imageDefault blog image

What is email bombing?

An email bomb attack, also known as a "spam bomb," is a cyberattack where a large volume of emails—ranging from as few as 100 to as many as several thousand—are sent to victims within a short period.

How does email bombing work?

Email bombing is a tactic that typically aims to disrupt operations and conceal malicious emails, potentially setting the stage for further social engineering attacks. Parallels can be drawn to the use of Domain Generation Algorithm (DGA) endpoints in Command-and-Control (C2) communications, where an attacker generates new and seemingly random domains in order to mask their malicious connections and evade detection.

In an email bomb attack, threat actors typically sign up their targeted recipients to a large number of email subscription services, flooding their inboxes with indirectly subscribed content [1].

Multiple threat actors have been observed utilizing this tactic, including the Ransomware-as-a-Service (RaaS) group Black Basta, also known as Storm-1811 [1] [2].

Darktrace detection of email bombing attack

In early 2025, Darktrace detected an email bomb attack where malicious actors flooded a customer's inbox while also employing social engineering techniques, specifically voice phishing (vishing). The end goal appeared to be infiltrating the customer's network by exploiting legitimate administrative tools for malicious purposes.

The emails in these attacks often bypass traditional email security tools because they are not technically classified as spam, due to the assumption that the recipient has subscribed to the service. Darktrace / EMAIL's behavioral analysis identified the mass of unusual, albeit not inherently malicious, emails that were sent to this user as part of this email bombing attack.

Email bombing attack overview

In February 2025, Darktrace observed an email bombing attack where a user received over 150 emails from 107 unique domains in under five minutes. Each of these emails bypassed a widely used and reputable Security Email Gateway (SEG) but were detected by Darktrace / EMAIL.

Graph showing the unusual spike in unusual emails observed by Darktrace / EMAIL.
Figure 1: Graph showing the unusual spike in unusual emails observed by Darktrace / EMAIL.

The emails varied in recipients, topics, and even languages, with several identified as being in German and Spanish. The most common theme in the subject line of these emails was account registration, indicating that the attacker used the victim’s address to sign up to various newsletters and subscriptions, prompting confirmation emails. Such confirmation emails are generally considered both important and low risk by email filters, meaning most traditional security tools would allow them without hesitation.

Additionally, many of the emails were sent using reputable marketing tools, such as Mailchimp’s Mandrill platform, which was used to send almost half of the observed emails, further adding to their legitimacy.

Darktrace / EMAIL’s detection of an email being sent using the Mandrill platform.
Figure 2: Darktrace / EMAIL’s detection of an email being sent using the Mandrill platform.
Darktrace / EMAIL’s detection of a large number of unusual emails sent during a short period of time.
Figure 3: Darktrace / EMAIL’s detection of a large number of unusual emails sent during a short period of time.

While the individual emails detected were typically benign, such as the newsletter from a legitimate UK airport shown in Figure 3, the harmful aspect was the swarm effect caused by receiving many emails within a short period of time.

Traditional security tools, which analyze emails individually, often struggle to identify email bombing incidents. However, Darktrace / EMAIL recognized the unusual volume of new domain communication as suspicious. Had Darktrace / EMAIL been enabled in Autonomous Response mode, it would have automatically held any suspicious emails, preventing them from landing in the recipient’s inbox.

Example of Darktrace / EMAIL’s response to an email bombing attack taken from another customer environment.
Figure 4: Example of Darktrace / EMAIL’s response to an email bombing attack taken from another customer environment.

Following the initial email bombing, the malicious actor made multiple attempts to engage the recipient in a call using Microsoft Teams, while spoofing the organizations IT department in order to establish a sense of trust and urgency – following the spike in unusual emails the user accepted the Teams call. It was later confirmed by the customer that the attacker had also targeted over 10 additional internal users with email bombing attacks and fake IT calls.

The customer also confirmed that malicious actor successfully convinced the user to divulge their credentials with them using the Microsoft Quick Access remote management tool. While such remote management tools are typically used for legitimate administrative purposes, malicious actors can exploit them to move laterally between systems or maintain access on target networks. When these tools have been previously observed in the network, attackers may use them to pursue their goals while evading detection, commonly known as Living-off-the-Land (LOTL).

Subsequent investigation by Darktrace’s Security Operations Centre (SOC) revealed that the recipient's device began scanning and performing reconnaissance activities shortly following the Teams call, suggesting that the user inadvertently exposed their credentials, leading to the device's compromise.

Darktrace’s Cyber AI Analyst was able to identify these activities and group them together into one incident, while also highlighting the most important stages of the attack.

Figure 5: Cyber AI Analyst investigation showing the initiation of the reconnaissance/scanning activities.

The first network-level activity observed on this device was unusual LDAP reconnaissance of the wider network environment, seemingly attempting to bind to the local directory services. Following successful authentication, the device began querying the LDAP directory for information about user and root entries. Darktrace then observed the attacker performing network reconnaissance, initiating a scan of the customer’s environment and attempting to connect to other internal devices. Finally, the malicious actor proceeded to make several SMB sessions and NTLM authentication attempts to internal devices, all of which failed.

Device event log in Darktrace / NETWORK, showing the large volume of connections attempts over port 445.
Figure 6: Device event log in Darktrace / NETWORK, showing the large volume of connections attempts over port 445.
Darktrace / NETWORK’s detection of the number of the login attempts via SMB/NTLM.
Figure 7: Darktrace / NETWORK’s detection of the number of the login attempts via SMB/NTLM.

While Darktrace’s Autonomous Response capability suggested actions to shut down this suspicious internal connectivity, the deployment was configured in Human Confirmation Mode. This meant any actions required human approval, allowing the activities to continue until the customer’s security team intervened. If Darktrace had been set to respond autonomously, it would have blocked connections to port 445 and enforced a “pattern of life” to prevent the device from deviating from expected activities, thus shutting down the suspicious scanning.

Conclusion

Email bombing attacks can pose a serious threat to individuals and organizations by overwhelming inboxes with emails in an attempt to obfuscate potentially malicious activities, like account takeovers or credential theft. While many traditional gateways struggle to keep pace with the volume of these attacks—analyzing individual emails rather than connecting them and often failing to distinguish between legitimate and malicious activity—Darktrace is able to identify and stop these sophisticated attacks without latency.

Thanks to its Self-Learning AI and Autonomous Response capabilities, Darktrace ensures that even seemingly benign email activity is not lost in the noise.

Credit to Maria Geronikolou (Cyber Analyst and SOC Shift Supervisor) and Cameron Boyd (Cyber Security Analyst), Steven Haworth (Senior Director of Threat Modeling), Ryan Traill (Analyst Content Lead)

Appendices

[1] https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/

[2] https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html

Darktrace Models Alerts

Internal Reconnaissance

·      Device / Suspicious SMB Scanning Activity

·      Device / Anonymous NTLM Logins

·      Device / Network Scan

·      Device / Network Range Scan

·      Device / Suspicious Network Scan Activity

·      Device / ICMP Address Scan

·      Anomalous Connection / Large Volume of LDAP Download

·      Device / Suspicious LDAP Search Operation

·      Device / Large Number of Model Alerts

Continue reading
About the author
Maria Geronikolou
Cyber Analyst

Blog

/

Email

/

April 11, 2025

FedRAMP High-compliant email security protects federal agencies from nation-state attacks

U.S. government building with flag against blue skyDefault blog imageDefault blog image

What is FedRAMP High Authority to Operate (ATO)?

Federal Risk and Authorization Management Program (FedRAMP®) High is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies, ensuring the protection of federal information.  

Cybersecurity is paramount in the Defense Industrial Base (DIB), where protecting sensitive information and ensuring operational resilience from the most sophisticated adversaries has national security implications. Organizations within the DIB must comply with strict security standards to work with the U.S. federal government, and FedRAMP High is one of those standards.

Darktrace achieves FedRAMP High ATO across IT, OT, and email

Last week, Darktrace Federal shared that we achieved FedRAMP® High ATO, a significant milestone that recognizes our ability to serve federal customers across IT, OT, and email via secure cloud-native deployments.  

Achieving the FedRAMP High ATO indicates that Darktrace Federal has achieved the highest standard for cloud security controls and can handle the U.S. federal government’s most sensitive, unclassified data in cloud environments.

Azure Government email security with FedRAMP High ATO

Darktrace has now released Darktrace Commercial Government Cloud High/Email (DCGC High/Email). This applies our email coverage to systems hosted in Microsoft's Azure Government, which adheres to NIST SP 800-53 controls and other federal standards. DCGC High/Email both meets and exceeds the compliance requirements of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), providing organizations with a much-needed email security solution that delivers unparalleled, AI-driven protection against sophisticated cyber threats.

In these ways, DCGC High/Email enhances compliance, security, and operational resilience for government and federally-affiliated customers. Notably, it is crucial for securing contractors and suppliers within DIB, helping those organizations implement necessary cybersecurity practices to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Adopting DCGC High/Email ensures organizations within the DIB can work with the government without needing to invest extensive time and money into meeting the strict compliance standards.

Building DCGC High/Email to ease DIB work with the government

DCGC High/Email was built to achieve FedRAMP High standards and meet the most rigorous security standards required of our customers. This level of compliance not only allows more organizations than ever to leverage our AI-driven technology, but also ensures that customer data is protected by the highest security measures available.

The DIB has never been more critical to national security, which means they are under constant threats from nation state and cyber criminals. We built DCGC High/Email to FedRAMP High controls to ensure sensitive company and federal government communications are secured at the highest level possible.” – Marcus Fowler, CEO of Darktrace Federal

Evolving threats now necessitate DCGC High/Email

According to Darktrace’s 2025 State of AI Cybersecurity report, more than half (54%) of global government cybersecurity professionals report seeing a significant impact from AI-powered cyber threats.  

These aren’t the only types of sophisticated threats. Advanced Persistent Threats (APTs) are launched by nation-states or cyber-criminal groups with the resources to coordinate and achieve long-term objectives.  

These attacks are carefully tailored to specific targets, using techniques like social engineering and spear phishing to gain initial access via the inbox. Once inside, attackers move laterally through networks, often remaining undetected for months or even years, silently gathering intelligence or preparing for a decisive strike.  

However, the barrier for entry for these threat actors has been lowered immensely, likely related to the observed impact of AI-powered cyber threats. Securing email environments is more important than ever.  

Darktrace’s 2025 State of AI Cybersecurity report also found that 89% of government cybersecurity professionals believe AI can help significantly improve their defensive capabilities.  

Darktrace's AI-powered defensive tools are uniquely capable of detecting and neutralizing APTs and other sophisticated threats, including ones that enter via the inbox. Our Self-Learning AI continuously adapts to evolving threats, providing real-time protection.

Darktrace builds to secure the DIB to the highest degree

In summary, Darktrace Federal's achievement of FedRAMP High ATO and the introduction of DCGC High/Email mark significant advancements in our ability to protect defense contractors and federal customers against sophisticated threats that other solutions miss.

For a technical review of Darktrace Federal’s Cyber AI Mission Defense™ solution, download an independent evaluation from the Technology Advancement Center here.

[related-resource]

Continue reading
About the author
Marcus Fowler
CEO of Darktrace Federal and SVP of Strategic Engagements and Threats
Your data. Our AI.
Elevate your network security with Darktrace AI