Blog
/
OT
/
February 9, 2022

The Impact of Conti Ransomware on OT Systems

Learn how ransomware can spread throughout converged IT/OT environments, and how Self-Learning AI empowers organizations to contain these threats.
Written by
Oakley Cox
Director of Product
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oakley Cox
Director of Product
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Feb 2022

Ransomware has taken the world by storm, and IT is not the only technology affected. Operational Technology (OT), which is increasingly blending with IT, is also susceptible to ransomware tactics, techniques, and procedures (TTPs). And when ransomware strikes OT, the effects have the potential to be devastating.

Here, we will look at a ransomware attack that spread from IT to OT systems. The attack was detected by Darktrace AI.

This threat find demonstrates a use case of Darktrace’s technology that delivers immense value to organizations with OT: spotting and stopping ransomware at its earliest stages, before the damage is done. This is particularly helpful for organizations with interconnected enterprise and industrial environments, as it means:

  1. Emerging attacks can be contained in IT before they spread laterally into OT, and even before they spread from device to device in IT;
  2. Organizations gain granular visibility into their industrial environments, detecting deviations from normal activity, and quick identification of remediating actions.

Threat find: Ransomware and crypto-mining hijack affecting IT and OT systems

Darktrace recently identified an aggressive attack targeting an OT R&D investment firm in EMEA. The attack originally started as a crypto-mining campaign and later evolved into ransomware. This organization deployed Darktrace in a digital estate containing both IT and OT assets that spanned over 3,000 devices.

If the organization had deployed Darktrace’s Autonomous Response technology in active mode, this threat would have been stopped in its earliest stages. Even in the absence of Autonomous Response, however, mere human attention would have stopped this attack’s progression. Darktrace’s Self-Learning AI gave clear indications of an ongoing compromise in the month prior to the detonation of ransomware. In this case, however, the security team was not monitoring Darktrace’s interface, and so the attack was allowed to proceed.

Compromised OT devices

This threat find will focus on the attack techniques used to take over two OT devices, specifically, a HMI (human machine interface), and an ICS Historian used to collect and log industrial data. These OT devices were both VMware virtual machines running Windows OS, and were compromised as part of a wider Conti ransomware infection. Both devices were being used primarily within an industrial control system (ICS), running a popular ICS software package and making regular connections to an industrial cloud platform.

These devices were thus part of an ICSaaS (ICS-as-a-Service) environment, using virtualised and Cloud platforms to run analytics, update threat intelligence, and control the industrial process. As previously highlighted by Darktrace, the convergence of cloud and ICS increases a network’s attack surface and amplifies cyber risk.

Attack lifecycle

Opening stages

The initial infection of the OT devices occurred when a compromised Domain Controller (DC) made unusual Active Directory requests. The devices made subsequent DCE-RPC binds for epmapper, often used by attackers for command execution, and lsarpc, used by attackers to abuse authentication policies and escalate privileges.

The payload was delivered when the OT devices used SMB to connect to the sysvol folder on the DC and read a malicious executable file, called SetupPrep.exe.

Figure 1: Darktrace model breaches across the whole network from initial infection on October 21 to the detonation on November 15.

Figure 2: ICS reads on the HMI in the lead up, during, and following detonation of the ransomware.

Device encryption and lateral spread

The malicious payload remained dormant on the OT devices for three weeks. It seems the attacker used the time to install crypto-mining malware elsewhere on the network and consolidate their foothold.

On the day the ransomware detonated, the attacker used remote management tools to initiate encryption. The PSEXEC tool was used on an infected server (separate from the original DC) to remotely execute malicious .dll files on the compromised OT devices.

The devices then attempted to make command and control (C2) connections to rare external endpoints using suspicious ports. Like in many ICS networks, sufficient network segregation had been implemented to prevent the HMI device from making successful connections to the Internet and the C2 communications failed. But worryingly, the failed C2 did not prevent the attack from proceeding or the ransomware from detonating.

The Historian device made successful C2 connections to around 40 unique external endpoints. Darktrace detected beaconing-type behavior over suspicious TCP/SSL ports including 465, 995, 2078, and 2222. The connections were made to rare destination IP addresses that did not specify the Server Name Indication (SNI) extension hostname and used self-signed and/or expired SSL certificates.

Both devices enumerated network SMB shares and wrote suspicious shell scripts to network servers. Finally, the devices used SMB to encrypt files stored in network shares, adding a file extension which is likely to be unique to this victim and which will be called ABCXX for the purpose of this blog. Most encrypted files were uploaded to the folder in which the file was originally located, but in some instances were moved to the images folder.

During the encryption, the device was using the machine account to authenticate SMB sessions. This is in contrast to other ransomware incidents that Darktrace has observed, in which admin or service accounts are compromised and abused by the attacker. It is possible that in this instance the attacker was able to use ‘Living off the Land’ techniques (for example the use of lsarpc pipe) to give the machine account admin privileges.

Examples of files being encrypted and moved:

  • SMB move success
  • File: new\spbr0007\0000006A.bak
  • Renamed: new\spbr0007\0000006A.bak.ABCXX
  • SMB move success
  • File: ActiveMQ\readme.txt
  • Renamed: Images\10j0076kS1UA8U975GC2e6IY.488431411265952821382.png.ABCXX

Detonation of ransomware

Upon detonation, the ransomware note readme.txt was written by the ICS to targeted devices as part of the encryption activity.

The final model breached by the device was “Unresponsive ICS Device” as the device either stopped working due to the effects of the ransomware, or was removed from the network.

Figure 3: abc-histdev — external connections filtered on destination port 995 shows C2 connections starting around one hour before encryption began.

How the attack bypassed the rest of the security stack

In this threat find, there were a number of factors which resulted in the OT devices becoming compromised.

The first is IT/OT convergence. The ICS network was insufficiently segregated from the corporate network. This means that devices could be accessed by the compromised DC during the lateral movement stage of the attack. As OT becomes more reliant on IT, ensuring sufficient segregation is in place, or that an attacker can not circumvent such segregation, is becoming an ever increasing challenge for security teams.

Another reason is that the attacker used attack methods which leverage Living off the Land techniques to compromise devices with no discrimination as to whether they were part of an IT or OT network. Many of the machines used to operate ICS networks, including the devices highlighted here, rely on operating systems vulnerable to the kinds of TTPs observed here and that are regularly employed by ransomware groups.

Darktrace insights

Darktrace’s Cyber AI Analyst was able to stitch together many disparate forms of unusual activity across the compromised devices to give a clear security narrative containing details of the attack. The incident report for the Historian server is shown below. This provides a clear illustration of how Cyber AI Analyst can close any skills or communication gap between IT and OT specialists.

Figure 4: Cyber AI Analyst of the Historian server (abc-histdev). It investigated and reported the C2 communication (step 2) that started just before network reconnaissance using TCP scanning (step 3) and the subsequent file encryption over SMB (step 4).

In total, the attacker’s dwell time within the digital estate was 25 days. Unfortunately, it lead to disruption to operational technology, file encryption and financial loss. Altogether, 36 devices were crypto-mining for over 20 days – followed by nearly 100 devices (IT and OT) becoming encrypted following the detonation of the ransomware.

If it were active, Autonomous Response would have neutralized this activity, containing the damage before it could escalate into crisis. Darktrace’s Self-Learning AI gave clear indications of an ongoing compromise in the month prior to the detonation of ransomware, and so any degree of human attention toward Darktrace’s revelations would have stopped the attack.

Autonomous Response is highly configurable, and so, in industrial environments — whether air-gapped OT or converged IT/OT ecosystems — Antigena can be deployed in a variety of manners. In human confirmation mode, human operators need to give the green light before the AI takes action. Antigena can also be deployed only in the higher levels of the Purdue model, or the “IT in OT,” protecting the core assets from fast-moving attacks like ransomware.

Ransomware and interconnected IT/OT systems

ICS networks are often operated by machines that rely on operating systems which can be affected by TTPs regularly employed by ransomware groups — that is, TTPs such as Living off the Land, which do not discriminate between IT and OT.

The threat that ransomware poses to organizations with OT, including critical infrastructure, is so severe that the Cyber Infrastructure and Security Agency (CISA) released a fact sheet concerning these threats in the summer of 2021, noting the risk that IT attacks pose to OT networks:

“OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks… As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”

Major ransomware attacks against the Colonial Pipeline and JBS Foods demonstrate the potential for ransomware affecting OT to cause severe economic disruption on a national and international scale. And ransomware can wreak havoc on OT systems regardless of whether they directly target OT systems.

As industrial environments continue to converge and evolve — be they IT/OT, ICSaaS, or simply poorly segregated legacy systems — Darktrace stands ready to contain attacks before the damage is done. It is time for organizations with industrial environments to take the quantum leap forward that Darktrace’s Self-Learning AI is uniquely positioned to provide.

Thanks to Darktrace analysts Ash Brice and Andras Balogh for their insights on the above threat find.

Discover more on how Darktrace protects OT environments from ransomware

Darktrace model detections

HMI in chronological order at time of detonation:

  • Anomalous Connection / SMB Enumeration
  • Anomalous File / Internal / Unusual SMB Script Write
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity [Enhanced Monitoring]
  • ICS / Unusual Data Transfer By OT Device
  • ICS / Unusual Unresponsive ICS Device

Historian

  • ICS / Rare External from OT Device
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • ICS / Unusual Activity From OT Device
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Suspicious Activity On High Risk Device
  • Unusual Activity / SMB Access Failures
  • Device / Large Number of Model Breaches
  • ICS / Unusual Data Transfer By OT Device
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Device / SMB Lateral Movement
  • Compromise / Ransomware / Suspicious SMB Activity [Enhanced Monitoring]
  • Device / Multiple Lateral Movement Model Breaches [Enhanced Monitoring]

Written by
Oakley Cox
Director of Product
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oakley Cox
Director of Product

ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval

Endpoint
January 30, 2026
Vivek Rajan
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
OT
November 20, 2025

Managing OT Remote Access with Zero Trust Control & AI Driven Detection

A forward-looking breakdown of why modern OT environments can’t rely on visibility alone, and how combining Zero Trust access control with AI-driven behavioral detection gives industrial organizations real-time oversight, accountability, and secure remote access without disrupting operations.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Read more
OT
September 30, 2025

Redefining OT security with dedicated OT workflows & NEXT-gen visibility for industrial teams

The latest release of Darktrace / OT brings powerful new innovations to security teams defending industrial infrastructure. With a dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols, Darktrace / OT empowers engineers and defenders with the context and control they need to protect today’s converged environments, from IT to the industrial edge.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Read more
OT
September 4, 2025

Rethinking Signature-Based Detection for Power Utility Cybersecurity

Signature-based detection has been a mainstay of IT security for decades, but the unique realities of operational technology (OT) environments make it a poor return on investment for power utilities. While signatures can still provide value for commodity IT malware, they fail against insider misuse, zero-day exploits, and custom-built malware designed for grid operations. Historical evidence shows signatures rarely generalize across different utilities, and overreliance creates strategic blind spots. To effectively defend critical energy infrastructure, utilities should prioritize behavioral analytics, anomaly detection, and intelligence sharing across the community.
Daniel Simonds
Director of Operational Technology
Read more

Blog

/

Endpoint

/

January 30, 2026

ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval

fake captcha to blockchain driven palyload retrievalDefault blog imageDefault blog image

What is ClearFake?

As threat actors evolve their techniques to exploit victims and breach target networks, the ClearFake campaign has emerged as a significant illustration of this continued adaptation. ClearFake is a campaign observed using a malicious JavaScript framework deployed on compromised websites, impacting sectors such as e‑commerce, travel, and automotive. First identified in mid‑2023, ClearFake is frequently leveraged to socially engineer victims into installing fake web browser updates.

In ClearFake compromises, victims are steered toward compromised WordPress sites, often positioned by attackers through search engine optimization (SEO) poisoning. Once on the site, users are presented with a fake CAPTCHA. This counterfeit challenge is designed to appear legitimate while enabling the execution of malicious code. When a victim interacts with the CAPTCHA, a PowerShell command containing a download string is retrieved and executed.

Attackers commonly abuse the legitimate Microsoft HTML Application Host (MSHTA) in these operations. Recent campaigns have also incorporated Smart Chain endpoints, such as “bsc-dataseed.binance[.]org,” to obtain configuration code. The primary payload delivered through ClearFake is typically an information stealer, such as Lumma Stealer, enabling credential theft, data exfiltration, and persistent access [1].

Darktrace’s Coverage of ClearFake

Darktrace / ENDPOINT first detected activity likely associated with ClearFake on a single device on over the course of one day on November 18, 2025. The system observed the execution of “mshta.exe,” the legitimate Microsoft HTML Application Host utility. It also noted a repeated process command referencing “weiss.neighb0rrol1[.]ru”, indicating suspicious external activity. Subsequent analysis of this endpoint using open‑source intelligence (OSINT) indicated that it was a malicious, domain generation algorithm (DGA) endpoint [2].

The process line referencing weiss.neighb0rrol1[.]ru, as observed by Darktrace / ENDPOINT.
Figure 1: The process line referencing weiss.neighb0rrol1[.]ru, as observed by Darktrace / ENDPOINT.

This activity indicates that mshta.exe was used to contact a remote server, “weiss.neighb0rrol1[.]ru/rpxacc64mshta,” and execute the associated HTA file to initiate the next stage of the attack. OSINT sources have since heavily flagged this server as potentially malicious [3].

The first argument in this process uses the MSHTA utility to execute the HTA file hosted on the remote server. If successful, MSHTA would then run JavaScript or VBScript to launch PowerShell commands used to retrieve malicious payloads, a technique observed in previous ClearFake campaigns. Darktrace also detected unusual activity involving additional Microsoft executables, including “winlogon.exe,” “userinit.exe,” and “explorer.exe.” Although these binaries are legitimate components of the Windows operating system, threat actors can abuse their normal behavior within the Windows login sequence to gain control over user sessions, similar to the misuse of mshta.exe.

EtherHiding cover

Darktrace also identified additional ClearFake‑related activity, specifically a connection to bsc-testnet.drpc[.]org, a legitimate BNB Smart Chain endpoint. This activity was triggered by injected JavaScript on the compromised site www.allstarsuae[.]com, where the script initiated an eth_call POST request to the Smart Chain endpoint.

Example of a fake CAPTCHA on the compromised site www.allstarsuae[.]com.
Figure 2: Example of a fake CAPTCHA on the compromised site www.allstarsuae[.]com.

EtherHiding is a technique in which threat actors leverage blockchain technology, specifically smart contracts, as part of their malicious infrastructure. Because blockchain is anonymous, decentralized, and highly persistent, it provides threat actors with advantages in evading defensive measures and traditional tracking [4].

In this case, when a user visits a compromised WordPress site, injected base64‑encoded JavaScript retrieved an ABI string, which was then used to load and execute a contract hosted on the BNB Smart Chain.

JavaScript hosted on the compromised site www.allstaruae[.]com.
Figure 3: JavaScript hosted on the compromised site www.allstaruae[.]com.

Conducting malware analysis on this instance, the Base64 decoded into a JavaScript loader. A POST request to bsc-testnet.drpc[.]org was then used to retrieve a hex‑encoded ABI string that loads and executes the contract. The JavaScript also contained hex and Base64‑encoded functions that decoded into additional JavaScript, which attempted to retrieve a payload hosted on GitHub at “github[.]com/PrivateC0de/obf/main/payload.txt.” However, this payload was unavailable at the time of analysis.

Darktrace’s detection of the POST request to bsc-testnet.drpc[.]org.
Figure 4: Darktrace’s detection of the POST request to bsc-testnet.drpc[.]org.
Figure 5: Darktrace’s detection of the executable file and the malicious hostname.

Autonomous Response

As Darktrace’s Autonomous Response capability was enabled on this customer’s network, Darktrace was able to take swift mitigative action to contain the ClearFake‑related activity early, before it could lead to potential payload delivery. The affected device was blocked from making external connections to a number of suspicious endpoints, including 188.114.96[.]6, *.neighb0rrol1[.]ru, and neighb0rrol1[.]ru, ensuring that no further malicious connections could be made and no payloads could be retrieved.

Autonomous Response also acted to prevent the executable mshta.exe from initiating HTA file execution over HTTPS from this endpoint by blocking the attempted connections. Had these files executed successfully, the attack would likely have resulted in the retrieval of an information stealer, such as Lumma Stealer.

Autonomous Response’s intervention against the suspicious connectivity observed.
Figure 6: Autonomous Response’s intervention against the suspicious connectivity observed.

Conclusion

ClearFake continues to be observed across multiple sectors, but Darktrace remains well‑positioned to counter such threats. Because ClearFake’s end goal is often to deliver malware such as information stealers and malware loaders, early disruption is critical to preventing compromise. Users should remain aware of this activity and vigilant regarding fake CAPTCHA pop‑ups. They should also monitor unusual usage of MSHTA and outbound connections to domains that mimic formats such as “bsc-dataseed.binance[.]org” [1].

In this case, Darktrace was able to contain the attack before it could successfully escalate and execute. The attempted execution of HTA files was detected early, allowing Autonomous Response to intervene, stopping the activity from progressing. As soon as the device began communicating with weiss.neighb0rrol1[.]ru, an Autonomous Response inhibitor triggered and interrupted the connections.

As ClearFake continues to rise, users should stay alert to social engineering techniques, including ClickFix, that rely on deceptive security prompts.

Credit to Vivek Rajan (Senior Cyber Analyst) and Tara Gould (Malware Research Lead)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

Process / New Executable Launched

Endpoint / Anomalous Use of Scripting Process

Endpoint / New Suspicious Executable Launched

Endpoint / Process Connection::Unusual Connection from New Process

Autonomous Response Models

Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

List of Indicators of Compromise (IoCs)

  • weiss.neighb0rrol1[.]ru – URL - Malicious Domain
  • 188.114.96[.]6 – IP – Suspicious Domain
  • *.neighb0rrol1[.]ru – URL – Malicious Domain

MITRE Tactics

Initial Access, Drive-by Compromise, T1189

User Execution, Execution, T1204

Software Deployment Tools, Execution and Lateral Movement, T1072

Command and Scripting Interpreter, T1059

System Binary Proxy Execution: MSHTA, T1218.005

References

1.        https://www.kroll.com/en/publications/cyber/rapid-evolution-of-clearfake-delivery

2.        https://www.virustotal.com/gui/domain/weiss.neighb0rrol1.ru

3.        https://www.virustotal.com/gui/file/1f1aabe87e5e93a8fff769bf3614dd559c51c80fc045e11868f3843d9a004d1e/community

4.        https://www.packetlabs.net/posts/etherhiding-a-new-tactic-for-hiding-malware-on-the-blockchain/

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

Network

/

January 30, 2026

The State of Cybersecurity in the Finance Sector: Six Trends to Watch

Default blog imageDefault blog image

The evolving cybersecurity threat landscape in finance

The financial sector, encompassing commercial banks, credit unions, financial services providers, and cryptocurrency platforms, faces an increasingly complex and aggressive cyber threat landscape. The financial sector’s reliance on digital infrastructure and its role in managing high-value transactions make it a prime target for both financially motivated and state-sponsored threat actors.

Darktrace’s latest threat research, The State of Cybersecurity in the Finance Sector, draws on a combination of Darktrace telemetry data from real-world customer environments, open-source intelligence, and direct interviews with financial-sector CISOs to provide perspective on how attacks are unfolding and how defenders in the sector need to adapt.  

Six cybersecurity trends in the finance sector for 2026

1. Credential-driven attacks are surging

Phishing continues to be a leading initial access vector for attacks targeting confidentiality. Financial institutions are frequently targeted with phishing emails designed to harvest login credentials. Techniques including Adversary-in-The-Middle (AiTM) to bypass Multi-factor Authentication (MFA) and QR code phishing (“quishing”) are surging and are capable of fooling even trained users. In the first half of 2025, Darktrace observed 2.4 million phishing emails within financial sector customer deployments, with almost 30% targeted towards VIP users.  

2. Data Loss Prevention is an increasing challenge

Compliance issues – particularly data loss prevention -- remain a persistent risk. In October 2025 alone, Darktrace observed over 214,000 emails across financial sector customers that contained unfamiliar attachments and were sent to suspected personal email addresses highlighting clear concerns around data loss prevention. Across the same set of customers within the same time frame, more than 351,000 emails containing unfamiliar attachments were sent to freemail addresses (e.g. gmail, yahoo, icloud), highlighting clear concerns around DLP.  

Confidentiality remains a primary concern for financial institutions as attackers increasingly target sensitive customer data, financial records, and internal communications.  

3. Ransomware is evolving toward data theft and extortion

Ransomware is no longer just about locking systems, it’s about stealing data first and encrypting second. Groups such as Cl0p and RansomHub now prioritize exploiting trusted file-transfer platforms to exfiltrate sensitive data before encryption, maximizing regulatory and reputational fallout for victims.  

Darktrace’s threat research identified routine scanning and malicious activity targeting internet-facing file-transfer systems used heavily by financial institutions. In one notable case involving Fortra GoAnywhere MFT, Darktrace detected malicious exploitation behavior six days before the CVE was publicly disclosed, demonstrating how attackers often operate ahead of patch cycles

This evolution underscores a critical reality: by the time a vulnerability is disclosed publicly, it may already be actively exploited.

4. Attackers are exploiting edge devices, often pre-disclosure.  

VPNs, firewalls, and remote access gateways have become high-value targets, and attackers are increasingly exploiting them before vulnerabilities are publicly disclosed. Darktrace observed pre-CVE exploitation activity affecting edge technologies including Citrix, Palo Alto, and Ivanti, enabling session hijacking, credential harvesting, and privileged lateral movement into core banking systems.  

Once compromised, these edge devices allow adversaries to blend into trusted network traffic, bypassing traditional perimeter defenses. CISOs interviewed for the report repeatedly described VPN infrastructure as a “concentrated focal point” for attackers, especially when patching and segmentation lag behind operational demands.

5. DPRK-linked activity is growing across crypto and fintech.  

State-sponsored activity, particularly from DPRK-linked groups affiliated with Lazarus, continues to intensify across cryptocurrency and fintech organizations. Darktrace identified coordinated campaigns leveraging malicious npm packages, previously undocumented BeaverTail and InvisibleFerret malware, and exploitation of React2Shell (CVE-2025-55182) for credential theft and persistent backdoor access.  

Targeting was observed across the United Kingdom, Spain, Portugal, Sweden, Chile, Nigeria, Kenya, and Qatar, highlighting the global scope of these operations.  

6. Cloud complexity and AI governance gaps are now systemic risks.  

Finally, CISOs consistently pointed to cloud complexity, insider risk from new hires, and ungoverned AI usage exposing sensitive data as systemic challenges. Leaders emphasized difficulty maintaining visibility across multi-cloud environments while managing sensitive data exposure through emerging AI tools.  

Rapid AI adoption without clear guardrails has introduced new confidentiality and compliance risks, turning governance into a board-level concern rather than a purely technical one.

Building cyber resilience in a shifting threat landscape

The financial sector remains a prime target for both financially motivated and state-sponsored adversaries. What this research makes clear is that yesterday’s security assumptions no longer hold. Identity attacks, pre-disclosure exploitation, and data-first ransomware require adaptive, behavior-based defenses that can detect threats as they emerge, often ahead of public disclosure.

As financial institutions continue to digitize, resilience will depend on visibility across identity, edge, cloud, and data, combined with AI-driven defense that learns at machine speed.  

Learn more about the threats facing the finance sector, and what your organization can do to keep up in The State of Cybersecurity in the Finance Sector report here.  

Acknowledgements:

The State of Cybersecurity in the Finance sector report was authored by Calum Hall, Hugh Turnbull, Parvatha Ananthakannan, Tiana Kelly, and Vivek Rajan, with contributions from Emma Foulger, Nicole Wong, Ryan Traill, Tara Gould, and the Darktrace Threat Research and Incident Management teams.

[related-resource]  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI