Read more about Darktrace's machine-learning technology which can effortlessly identify anomalous behavioral patterns from ransomware like WannaCry.
Over 200,000 organisations and private individuals were victims of Friday’s global cyber-attack. This number is likely to increase over the coming weeks, as copy-cat criminals develop variants of the same ransomware and new methods of delivering similar attacks.
Some background on the WannaCry campaign
The WannaCry outbreak does not appear to have targeted specific countries or industries. Instead, it targeted outdated computer systems, using exploit kits leaked earlier this year to infect devices and drop the initial ransomware file. Once inside a network, WannaCry will attempt to locate other vulnerable computers by conducting internal and external SMB scanning. Having established itself, the malware encrypts files and demands a ransom of around $300 to unlock them, payable in Bitcoin. However, dealing with criminals means that there is no guarantee of the files being released if that money is paid out. Strong security measures and effective response mechanisms are the only reliable ways in which to prevent extensive damage.
Leveraging Darktrace, these kind of infections are not hard to detect: WannaCry and other ransomware cause highly anomalous behavioral patterns that our machine-learning technology is ideally placed to recognize.
To demonstrate, let’s take a walk-through of how Darktrace was able to detect the WannaCry attack on a client. Note that device names have been obfuscated for security purposes.
Following the initial compromise, Darktrace detected unusual activity originating from an infected device, as it scanned the network in an attempt to locate other devices open to SMB connections:
Example of an internal scan.
The worm was scanning the network to locate devices with the DoublePulsar backdoor already present, through which the WannaCry ransomware can be dropped. If this backdoor was not found to be present, the worm used an exploit known as EternalBlue to infect the device, installing both WannaCry and the DoublePulsar backdoor.
This installation of the worm on vulnerable devices allowed it to continue to spread laterally inside the network.
Simultaneously, infected devices scanned random external IPs on port 445 (SMB), to continue spreading the worm to other devices on the internet:
Internal devices scanning external destinations.
As soon as infected devices started scanning both inside and outside network, Darktrace detected these activities as serious deviations in the devices’ usual pattern of life:
External and internal connections by one of the network devices 48 hours either side of the WannaCry campaign. Every orange dot represents a model breach.
For many of these devices, the deviation from typical pattern of life was such that it took Darktrace one second to detect anomalous behavior:
As this unusual activity persisted in the network, the confidence of Darktrace’s machine learning increased and attributed higher scores to these anomalous events:
These high scores caused Darktrace models to breach in real time, alerting the customer to the severity of the unusual connections occurring inside their network:
In these recent cyber-attacks, the level of disruption was attributed to the speed with which this infection was able to spread like wildfire through networks. Unlike more common forms of malware, which rely on human-mediated methods such as phishing to co-opt people into triggering the payload, this type of attack uses a worm to move from machine to machine without human intervention. Fortunately, it is precisely this – a dramatic change in internal activity – which has allowed us to effectively fight back.
Darktrace Antigena acts automatically to neutralise in-progress attacks, taking targeted action against deviations in the expected ‘pattern of life’. This allows organisations to react before humans have even become aware of a breach. So it follows that the extent of deviation produced by an attack is fundamentally linked to the ability of a self-aware network to protect itself.
The potential gravity of this situation has proven that infections traveling at machine speed require an equivalent response time – only possible with machine-learning technology – in order to stop and contain future threats.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Andrew Tsonchev
VP, Security & AI Strategy, Field CISO
Andrew is VP, Security & AI Strategy, Field CISO and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.
Unifying IT & OT With AI-Led Investigations for Industrial Security
As industrial environments modernize, IT and OT networks are converging to improve efficiency, but this connectivity also creates new attack paths. Previously isolated OT systems are now linked to IT and cloud assets, making them more accessible to attackers.
While organizations have traditionally relied on air gaps, firewalls, data diodes, and access controls to separate IT and OT, these measures alone aren’t enough. Threat actors often infiltrate IT/Enterprise networks first then exploit segmentation, compromising credentials, or shared IT/OT systems to move laterally, escalate privileges, and ultimately enter the OT network.
To defend against these threats, organizations must first ensure they have complete visibility across IT and OT environments.
Visibility: The first piece of the puzzle
Visibility is the foundation of effective industrial cybersecurity, but it’s only the first step. Without visibility across both IT and OT, security teams risk missing key alerts that indicate a threat targeting OT at their earliest stages.
For Attacks targeting OT, early stage exploits often originate in IT environments, adversaries perform internal reconnaissance among other tactics and procedures but then laterally move into OT first affecting IT devices, servers and workstations within the OT network. If visibility is limited, these threats go undetected. To stay ahead of attackers, organizations need full-spectrum visibility that connects IT and OT security, ensuring no early warning signs are missed.
However, visibility alone isn’t enough. More visibility also means more alerts, this doesn’t just make it harder to separate real threats from routine activity, but bogs down analysts who have to investigate all these alerts to determine their criticality.
Investigations: The real bottleneck
While visibility is essential, it also introduces a new challenge: Alertfatigue. Without the right tools, analysts are often occupied investigating alerts with little to no context, forcing them to manually piece together information and determine if an attack is unfolding. This slows response times and increases the risk of missing critical threats.
Figure 1: Example ICS attack scenario
With siloed visibility across IT and OT each of these events shown above would be individually alerted by a detection engine with little to no context nor correlation. Thus, an analyst would have to try to piece together these events manually. Traditional security tools struggle to keep pace with the sophistication of these threats, resulting in an alarming statistic: less than 10% of alerts are thoroughly vetted, leaving organizations vulnerable to undetected breaches. As a result, incidents inevitably follow.
Darktrace’s Cyber AI Analyst uses AI-led investigations to improve workflows for analysts by automatically correlating alerts wherever they occur across both IT and OT. The multi-layered AI engine identifies high-priority incidents, and provides analysts with clear, actionable insights, reducing noise and highlighting meaningful threats. The AI significantly alleviates workloads, enabling teams to respond faster and more effectively before an attack escalates.
Overcoming organizational challenges across IT and OT
Beyond technical challenges like visibility and alert management, organizational dynamics further complicate IT-OT security efforts.Fundamental differences in priorities, workflows, and risk perspectives create challenges that can lead to misalignment between teams:
Non-transferable practices: IT professionals might assume that cybersecurity practices from IT environments can be directly applied to OT environments. This can lead to issues, as OT systems and workflows may not handle IT security processes as expected. It's crucial to recognize and respect the unique requirements and constraints of OT environments.
Segmented responsibilities: IT and OT teams often operate under separate organizational structures, each with distinct priorities, goals, and workflows. While IT focuses on data security, network integrity, and enterprise applications, OT prioritizes uptime, reliability, and physical processes.
Different risk perspectives: While IT teams focus on preventing cyber threats and regulatory violations, OT teams prioritize uptime and operational reliability making them drawn towards asset inventory tools that provide no threat detection capability.
Result: A combination of disparate and ineffective tools and misaligned teams can make any progress toward risk reduction at an organization seem impossible. The right tools should be able to both free up time for collaboration and prompt better communication between IT and OT teams where it is needed. However, different size operations structure their IT and OT teams differently which impacts the priorities for each team.
In real-world scenarios, small IT teams struggle to manage security across both IT and OT, while larger organizations with OT security teams face alert fatigue and numerous false positives slowing down investigations and hindering effective communication with the IT security teams.
By unifying visibility and investigations, Darktrace / OT helps organizations of all sizes detect threats earlier, streamline workflows, and enhance security across both IT and OT environments. The following examples illustrate how AI-driven investigations can transform security operations, improving detection, investigation, and response.
Before and after AI-led investigation
Before: Small manufacturing company
At a small manufacturing company, a 1-3 person IT team juggles everything from email security to network troubleshooting. An analyst might see unusual traffic through the firewall:
Unusual repeated outbound traffic from an IP within their OT network destined to an unidentifiable external IP.
With no dedicated OT security tools and limited visibility into the industrial network, they don’t know what the internal device in question is, if it is beaconing to a malicious external IP, and what it may be doing to other devices within the OT network. Without a centralized dashboard, they must manually check logs, ask operators about changes, and hunt for anomalies across different systems.
After a day of investigation, they concluded the traffic was not to be expected activity. They stop production within their smaller OT network, update their firewall rules and factory reset all OT devices and systems within the blast radius of the IP device in question.
After: Faster, automated response with Cyber AI Analyst
With Darktrace / OT and Cyber AI Analyst, the IT team moves from reactive, manual investigations to proactive, automated threat detection:
Cyber AI Analyst connects alerts across their IT and OT infrastructure temporally mapping them to attack frameworks and provides contextual analysis of how alerts are linked, revealing in real time attackers attempting lateral movement from IT to OT.
A human-readable incident report explains the full scope of the incident, eliminating hours of manual investigation.
The team is faster to triage as they are led directly to prioritized high criticality alerts, now capable of responding immediately instead of wasting valuable time hunting for answers.
By reducing noise, providing context, and automating investigations, Cyber AI Analyst transforms OT security, enabling small IT teams to detect, understand, and respond to threats—without deep OT cybersecurity expertise.
Before: Large critical infrastructure organization
In large critical infrastructure operations, OT and IT teams work in separate silos. The OT security team needs to quickly assess and prioritize alerts, but their system floods them with notifications:
Multiple new device connected to the ICS network alerts
Multiple failed logins to HMI detected
Multiple Unusual Modbus/TCP commands detected
Repeated outbound OT traffic to IT destinations
At first glance, these alerts seem important, but without context, it’s unclear whether they indicate a routine error, a misconfiguration, or an active cyber-attack. They might ask:
Are the failed logins just a mistake, or a brute-force attempt?
Is the outbound traffic part of a scheduled update, or data exfiltration?
Without correlation across events, the engineer must manually investigate each one—checking logs, cross-referencing network activity, and contacting operators—wasting valuable time. Meanwhile, if it’s a coordinated attack, the adversary may already be disrupting operations.
After: A new workflow with Cyber AI Analyst
With Cyber AI Analyst, the OT security team gets clear, automated correlation of security events, making investigations faster and more efficient:
Automated correlation of OT threats: Instead of isolated alerts, Cyber AI Analyst stitches together related events, providing a single, high-confidence incident report that highlights key details.
Faster time to meaning: The system connects anomalous behaviors (e.g., failed logins, unusual traffic from an HMI, and unauthorized PLC modifications) into a cohesive narrative, eliminating hours of manual log analysis.
Prioritized and actionable alerts: OT security receives clear, ranked incidents, immediately highlighting what matters most.
Rapid threat understanding: Security teams know within minutes whether an event is a misconfiguration or a cyber-attack, allowing for faster containment.
With Cyber AI Analyst, large organizations cut through alert noise, accelerate investigations, and detect threats faster—without disrupting OT operations.
An AI-led approach to industrial cybersecurity
Security vendors with a primary focus on IT may lack insight into OT threats. Even OT-focused vendors have limited visibility into IT device exploitation within OT networks, leading to failed ability to detect early indicators of compromise. A comprehensive solution must account for the unique characteristics of various OT environments.
In a world where industrial security is no longer just about protecting OT but securing the entire digital-physical ecosystem as it interacts with the OT network, Darktrace / OT is an AI-driven solution that unifies visibility across IT, IoT and OT, Cloud into one cohesive defense strategy.
Whether an attack originates from an external breach, an insider threat, a supply chain compromise, in the Cloud, OT, or IT domains Cyber AI Analyst ensures that security teams see the full picture - before disruption occurs.
Learn more about Darktrace / OT
Unify IT and OT security under a single platform, ensuring seamless communication and protection for all interconnected devices.
Maintain uptime with AI-driven threat containment, stopping attacks without disrupting production.
Mitigate risks with or without patches, leveraging MITRE mitigations to reduce attack opportunities.
An Advanced Persistent Threat (APT) describes an adversary with sophisticated levels of expertise and significant resources, with the ability to carry out targeted cyber campaigns. These campaigns may penetrate an organization and remain undetected for long periods, allowing attackers to gather intelligence or cause damage over time.
Over the last few decades, the term APT has evolved from being almost exclusively associated with nation-state actors to a broader definition that includes highly skilled, well-resourced threat groups. While still distinct from mass, opportunistic cybercrime or "spray and pray" attacks, APT now refers to the elite tier of adversaries, whether state-sponsored or not, who demonstrate advanced capabilities, persistence, and a clear strategic focus. This shift reflects the growing sophistication of cyber threats, where non-state actors can now rival nation-states in executing covert, methodical intrusions to achieve long-term objectives.
These attacks are resource-intensive for threat actors to execute, but the potential rewards—ranging from financial gain to sensitive data theft—can be significant. In 2020, Business Email Compromise (BEC) attacks netted cybercriminals over $1.8 billion.1
And recently, the advent of AI has helped to automate launching these attacks, lowering the barriers to entry and making it more efficient to orchestrate the kind of attack that might previously have taken weeks to create. Research shows that AI can do 90% of a threat actor’s work2 – reducing time-to-target by automating tasks rapidly and avoiding errors in phishing communications. Email remains the most popular vector for initiating these sophisticated attacks, making it a critical battleground for cyber defense.
What makes APTs so successful?
The success of Advanced Persistent Threats (APTs) lies in their precision, persistence, and ability to exploit human and technical vulnerabilities. These attacks are carefully tailored to specific targets, using techniques like social engineering and spear phishing to gain initial access.
Once inside, attackers move laterally through networks, often remaining undetected for months or even years, silently gathering intelligence or preparing for a decisive strike. Alternatively, they might linger inside an account within the M365 environment, which could be even more valuable in terms of gathering information – in 2023 the average time to identify a breach in 2023 was 204 days.3
The subtle and long-term outlook nature of APTs makes them highly effective, as traditional security measures often fail to identify the subtle signs of compromise.
How Darktrace’s approach is designed to catch the most advanced threats
Luckily for our customers, Darktrace’s AI approach is uniquely equipped to detect and neutralize APTs. Unlike the majority of email security solutions that rely on static rules and signatures, or that train their AI on previous known-bad attack patterns, Darktrace leverages Self-Learning AI that baselines normal patterns of behavior within an organization, to immediately detect unusual activity that may signal an APT in progress.
But in the modern era of email threats, no email security solution can guarantee 100% effectiveness. Because attackers operate with great sophistication, carefully adapting their tactics to evade detection – whether by altering attachments, leveraging compromised accounts, or moving laterally across an organization – a siloed security approach risks missing these subtle, multi-domain threats. That’s why a robust defense-in-depth strategy is essential to mitigate APTs.
Real-world threat finds: Darktrace / EMAIL in action
Let’s take a look at some real-world scenarios where Darktrace / EMAIL stopped tactics associated with APT campaigns in their tracks – from adversary-in-the-middle attacks to suspicious lateral movement.
1: How Darktrace disrupted an adversary-in-the-middle attack by identifying abnormal login redirects and blocking credential exfiltration
In October 2024, Darktrace detected an adversary-in-the-middle (AiTM) attack targeting a Darktrace customer. The attack began with a phishing email from a seemingly legitimate Dropbox address, which contained multiple link payloads inviting the recipient to access a file. Other solutions would have struggled to catch this attack, as the initial AitM attack was launched through delivering a malicious URL through a trusted vendor or service. Once compromised, the threat actor could have laid low on the target account, gathering reconnaissance, without detection from the email security solution.
Darktrace / EMAIL identified the abnormal login redirects and flagged the suspicious activity. Darktrace / IDENTITY then detected unusual login patterns and blocked credential exfiltration attempts, effectively disrupting the attack and preventing the adversary from gaining unauthorized access. Read more.
Figure 1: Overview of the malicious email in the Darktrace / EMAIL console, highlighting Dropbox associated content/link payloads
2: How Darktrace stopped lateral movement to block NTLM hash theft
In early 2024, Darktrace detected an attack by the TA577 threat group, which aimed to steal NTLM hashes to gain unauthorized access to systems. The attack began with phishing emails containing ZIP files that connected to malicious infrastructure.
A traditional email security solution would have likely missed this attack by focusing too heavily on analyzing the zip file payloads or relying on reputation analysis to understand whether the infrastructure was registered as bad before this activity was a recognized IoC.
Because it correlates activity across domains, Darktrace identified unusual lateral movement within the network and promptly blocked the attempts to steal NTLM hashes, effectively preventing the attackers from accessing sensitive credentials and securing the network. Read more.
Figure 2: A summary of anomaly indicators seen for a campaign email sent by TA577, as detected by Darktrace / EMAIL
3: How Darktrace prevented the WarmCookie backdoor deployment embedded in phishing emails
In mid-2024, Darktrace identified a phishing campaign targeting organizations with emails impersonating recruitment firms. These emails contained malicious links that, when clicked, deployed the WarmCookie backdoor.
These emails are difficult to detect, as they use social engineering tactics to manipulate users into engaging with emails and following the embedded malicious links – but if a security solution is not analysing content and context, these could be allowed through.
In several observed cases across customer environments, Darktrace detected and blocked the suspicious behavior associated with WarmCookie that had already managed to evade customers’ native email security. By using behavioral analysis to correlate anomalous activity across the digital estate, Darktrace was able to identify the backdoor malware strain and notify customers. Read more.
Conclusion
These threat examples highlight a key principle of the Darktrace approach – that a backwards-facing approach grounded in threat intelligence will always be one step behind.
Most threat actors operate in campaigns, carefully crafting attacks and testing them across multiple targets. Once a campaign is identified, good defenders and traditional security solutions quickly update their defenses with new threat intelligence, rules, and signatures. However, APTs have the resources to rapidly adapt – spinning up new infrastructure, modifying payloads and altering their attack footprint to evade detection.
This is where Darktrace / EMAIL excels. Only by analyzing each user, message and interaction can an email security solution hope to catch the types of highly-sophisticated attacks that have the potential to cause major reputational and financial damage. Darktrace / EMAIL ensures that even the most subtle threats are detected and blocked with autonomous response, before causing impact – helping organizations remain one step ahead of increasingly adaptive threat actors.
Discover the most advanced cloud-native AI email security solution to protect your domain and brand while preventing phishing, novel social engineering, business email compromise, account takeover, and data loss.
Gain up to 13 days of earlier threat detection and maximize ROI on your current email security
Experience 20-25% more threat blocking power with Darktrace / EMAIL
Stop the 58% of threats bypassing traditional email security