Blog
/
/
December 21, 2020

How AI Stopped a WastedLocker Ransomware Intrusion & Fast

Stop WastedLocker ransomware in its tracks with Darktrace AI technology. Learn about how AI detected a recent attack using 'Living off the Land' techniques.
Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
21
Dec 2020

Since first being discovered in May 2020, WastedLocker has made quite a name for itself, quickly becoming an issue for businesses and cyber security firms around the world. WastedLocker is known for its sophisticated methods of obfuscation and steep ransom demands.

Its use of ‘Living off the Land’ techniques makes a WastedLocker attack extremely difficult for legacy security tools to detect. An ever-decreasing dwell time – the time between initial intrusion and final execution – means human responders alone struggle to contain the ransomware variant before damage is done.

This blog examines the anatomy of a WastedLocker intrusion that targeted a US agricultural organization in December. Darktrace’s AI detected and investigated the incident in real time, and we can see how Darktrace RESPOND would have autonomously taken action to stop the attack before encryption had begun.

As ransomware dwell time shrinks to hours rather than days, security teams are increasingly relying on artificial intelligence to stop threats from escalating at the earliest signs of compromise – containing attacks even when they strike at night or on the weekend.

How the WastedLocker attack unfolded

Figure 1: A timeline of the attack

Initial intrusion

The initial infection appears to have taken place when an employee was deceived into downloading a fake browser update. Darktrace AI was monitoring the behavior of around 5,000 devices at the organization, continuously adapting its understanding of the evolving ‘pattern of life’. It detected the first signs of a threat when a virtual desktop device started making HTTP and HTTPS connections to external destinations that were deemed unusual for the organization. The graph below depicts how the patient zero device exhibited a spike in internal connections around December 4.

Figure 2: The patient zero device exhibiting a spike in internal connections, with orange dots indicating model breaches of varying severity

Reconnaissance

Attempted reconnaissance began just 11 minutes after the initial intrusion. Again, Darktrace immediately picked up on the activity, detecting unusual ICMP ping scans and targeted address scans on ports 135, 139 and 445; presumably as the attacker looked for potential further Windows targets. The below demonstrates the scanning detections based on the unusual number of new failed connections.

Figure 3: Darktrace detecting an unusual number of failed connections

Lateral movement

The attacker used an existing administrative credential to authenticate against a Domain Controller, initiating new service control over SMB. Darktrace picked this up immediately, identifying it as unusual behavior.

Figure 4: Darktrace identifying the DCE-RPC requests
Figure 5: Darktrace surfacing the SMB writes

Several hours later – and in the early hours of the morning – the attacker used a temporary admin account ‘tempadmin’ to move to another Domain Controller over SMB. Darktrace instantly detected this as it was highly unusual to use a temporary admin account to connect from a virtual desktop to a Domain Controller.

Figure 6: Further anomalous connections detected the following day

Lock and load: WastedLocker prepares to strike

During the beaconing activity, the attacker also conducted internal reconnaissance and managed to establish successful administrative and remote connections to other internal devices by using tools already present. Soon after, a transfer of suspicious .csproj files was detected by Darktrace, and at least four other devices began exhibiting similar command and control (C2) communications.

However, with Darktrace’s real-time detections – and Cyber AI Analyst investigating and reporting on the incident in a number of minutes, the security team were able to contain the attack, taking the infected devices offline.

Automated investigations with Cyber AI Analyst

Darktrace’s Cyber AI Analyst launched an automatic investigation around every anomaly detection, forming hypotheses, asking questions about its own findings, and forming accurate answers at machine speed. It then generated high-level, intuitive incident summaries for the security team. Over the 48 hour period, the AI Analyst surfaced just six security incidents in total, with three of these directly relating to the WastedLocker intrusion.

Figure 7: The Cyber AI Analyst threat tray

The snapshot below shows a VMWare device (patient zero) making repeated external connections to rare destinations, scanning the network and using new admin credentials.

Figure 8: Cyber AI Analyst investigates

Darktrace RESPOND: AI that responds when the security team cannot

Darktrace RESPOND – the world’s first and only Autonomous Response technology – was configured in passive mode, meaning it did not actively interfere with the attack, but if we dive back into the Threat Visualizer we can see that Antigena in fully autonomous mode would have responded to the attack at this early stage, buying the security team valuable time.

In this case, after the initial unusual SSL C2 detection (based on a combination of destination rarity, JA3 unusualness and frequency analysis), RESPOND (formerly known as 'Antigena', as shown in the screenshots below) suggested instantly blocking the C2 traffic on port 443 and parallel internal scanning on port 135.

Figure 9: The Threat Visualizer reveals the action Antigena would have taken

When beaconing was later observed to bywce.payment.refinedwebs[.]com, this time over HTTP to /updateSoftwareVersion, RESPOND escalated its response by blocking the further C2 channels.

Figure 10: Antigena escalates its response

The vast majority of response tools rely on hard-coded, pre-defined rules, formulated as ‘If X, do Y’. This can lead to false positives that unnecessarily take devices offline and hamper productivity. Darktrace RESPOND's actions are proportionate, bespoke to the organization, and not created in advance. Darktrace Antigena autonomously chose what to block and the severity of the blocks based on the context of the intrusion, without a human pre-eminently hard-coding any commands or set responses.

Every response over the 48 hours was related to the incident – RESPOND did not try to take action on anything else during the intrusion period. It simply would have actioned a surgical response to contain the threat, while allowing the rest of the business to carry on as usual. There were a total of 59 actions throughout the incident time period – excluding the ‘Watched Domain Block’ actions shown below – which are used during incident response to proactively shut down C2 communication.

Figure 11: All Antigena action attempts during the intrusion period across the whole organization

RESPOND would have delivered those blocks via whatever integration is most suitable for the organization – whether that be Firewall integrations, NACL integrations or other native integrations. The technology would have blocked the malicious activity on the relevant ports and protocols for several hours – surgically interrupting the threat actors’ intrusion activity, thus preventing further escalation and giving the security team air cover.

Stopping WastedLocker ransomware before encryption ensues

This attack used many notable Tools, Techniques and Procedures (TTPs) to bypass signature-based tools. It took advantage of ‘Living off the Land’ techniques, including Windows Management Instrumentation (WMI), Powershell, and default admin credential use. Only one of the involved C2 domains had a single hit on Open Source Intelligence Lists (OSINT); the others were unknown at the time. The C2 was also encrypted with legitimate Thawte SSL Certificates.

For these reasons, it is plausible that without Darktrace in place, the ransomware would have been successful in encrypting files, preventing business operations at a critical time and possibly inflicting huge financial and reputational losses to the organization in question.

Darktrace’s AI detects and stops ransomware in its tracks without relying on threat intelligence. Ransomware has thrived this year, with attackers constantly coming up with new attack TTPs. However, the above threat find demonstrates that even targeted, sophisticated strains of ransomware can be stopped with AI technology.

Thanks to Darktrace analyst Signe Zaharka for her insights on the above threat find.

Learn more about Autonomous Response

Darktrace model detections:

  • Compliance / High Priority Compliance Model Breach
  • Compliance / Weak Active Directory Ticket Encryption
  • Anomalous Connection / Cisco Umbrella Block Page
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Compliance / Default Credential Usage
  • Compromise / Suspicious TLS Beaconing To Rare External
  • Anomalous Server Activity / Rare External from Server
  • Device / Lateral Movement and C2 Activity
  • Compromise / SSL Beaconing to Rare Destination
  • Device / New or Uncommon WMI Activity
  • Compromise / Watched Domain
  • Antigena / Network / External Threat / Antigena Watched Domain Block
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Slow Beaconing Activity To External Rare
  • Device / Multiple Lateral Movement Model Breaches
  • Compromise / High Volume of Connections with Beacon Score
  • Device / Large Number of Model Breaches
  • Compromise / Beaconing Activity To External Rare
  • Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
  • Anomalous Connection / New or Uncommon Service Control
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Compromise / SSL or HTTP Beacon
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Compromise / Sustained SSL or HTTP Increase
  • Unusual Activity / Unusual Internal Connections
  • Device / ICMP Address Scan

Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2

Network
April 21, 2026
Joanna Ng
Associate Principal Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
State of AI Cybersecurity 2026: 92% of security professionals concerned about the impact of AI agents
Mar 26, 2026
4
Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace
Dec 15, 2025
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
No items found.

Blog

/

AI

/

April 28, 2026

State of AI Cybersecurity 2026: 87% of security professionals are seeing more AI-driven threats, but few feel ready to stop them

Default blog imageDefault blog image

The findings in this blog are taken from Darktrace’s annual State of AI Cybersecurity Report 2026.

In part 1 of this blog series, we explored how AI is remaking the attack surface, with new tools, models, agents — and vulnerabilities — popping up just about everywhere. Now embedded in workflows across the enterprise, and often with far-reaching access to sensitive data, AI systems are quickly becoming a favorite target of cyber threat actors.

Among bad actors, though, AI is more often used as a tool than a target. Nearly 62% of organizations  experienced a social engineering attack involving a deepfake, or an incident in which bad actors used AI-generated video or audio to try to trick a biometric authentication system, compared to 32% that reported an AI prompt injection attack.

In the hands of attackers, AI can do many things. It’s being used across the entire kill chain: to supercharge reconnaissance, personalize phishing, accelerate lateral movement, and automate data exfiltration. Evidence from Anthropic demonstrates that threat actors have harnessed AI to orchestrate an entire cyber espionage campaign from end to end, allegedly running it with minimal human involvement.

CISOs inhabit a world where these increasingly sophisticated attacks are ubiquitous. Naturally, combatting AI-powered threats is top of mind among security professionals, but many worry about whether their capabilities are up to the challenge.

AI-powered threats at scale: no longer hypothetical

AI-driven threats share signature characteristics. They operate at speed and scale. Automated tools can probe multiple attack paths, search for multiple vulnerabilities and send out a barrage of phishing emails, all within seconds. The ability to attack everywhere at once, at a pace that no human operator could sustain, is the hallmark of an AI-powered threat. AI-powered threats are also dynamic. They can adapt their behavior to spread across a network more efficiently or rewrite their own code to evade detection.

Security teams are seeing the signs that they’re fighting AI-powered threats at every stage of the kill chain, and the sophistication of these threats is testing their resolve and their resources.

  • 73% say that AI-powered cyber threats are having a significant impact on their organization
  • 92% agree that these threats are forcing them to upgrade their defenses
  • 87% agree that AI is significantly increasing the sophistication and success rate of malware
  • 87% say AI is significantly increasing the workload of their security operations team

These teams now confront a challenge unlike anything they’ve seen before in their careers, and the risks are compounding across workflows, tools, data, and identities. It’s no surprise that 66% of security professionals say their role is more stressful today than it was five years ago, or that 47% report feeling overwhelmed at work.

Up all night: Security professionals’ worry list is long

Traditional security methods were never built to handle the complexity and subtlety of AI-driven behavior. Working in the trenches, defenders have deep firsthand experience of how difficult it can be to detect and stop AI-assisted threats.

Increasingly effective social engineering attacks are among their top concerns. 50% of security leaders mentioned hyper-personalized phishing campaigns as one of their biggest worries, while 40% voiced apprehension about deepfake voice fraud. These concerns are legitimate: AI-generated phishing emails are increasingly tailored to individual organizations, business activities, or individuals. Gone are the telltale signs – like grammar or spelling mistakes – that once distinguished malicious communications. Notably, 33% of the malicious emails Darktrace observed in 2025 contained over 1,000 characters, indicating probable LLM usage.

Security leaders also worry about how bad actors can leverage AI to make attacks even faster and more dynamic. 45% listed automated vulnerability scanning and exploit chaining among their biggest concerns, while 40% mentioned adaptive malware.

Confidence is lacking

Protecting against AI demands capabilities that many organizations have not yet built. It requires interpreting new indicators, uncovering the subtle intent within interactions, and recognizing when AI behavior – human or machine – could be suspicious. Leaders know that their current tools aren’t prepared for this. Nearly half don’t feel confident in their ability to defend against AI-powered attacks.

We’ve asked participants in our survey about their confidence for the last three years now. In 2024, 60% said their organizations were not adequately prepared to defend against AI-driven threats. Last year, that percentage shrunk to 45%, a possible indicator that security programs were making progress. Since then, however, the progress has apparently stalled. 46% of security leaders now feel inadequately prepared to protect their organizations amidst the current threat landscape.

Some of these differences are accentuated across different cultures. Respondents in Japan are far less confident (77% say they are not adequately prepared) than respondents in Brazil (where only 21% don’t feel prepared).

Where security programs are falling short

It’s no longer the case that cybersecurity is overlooked or underfunded by executive leadership. Across industries, management recognizes that AI-powered threats are a growing problem, and insufficient budget is near the bottom of most CISO’s list of reasons that they struggle to defend against AI-powered threats.  

It’s the things that money can’t buy – experience, knowledge, and confidence – that are holding programs back. Near the top of the list of inhibitors that survey participants mention is “insufficient knowledge or use of AI-driven countermeasures.” As bad actors embrace AI technologies en masse, this challenge is coming into clearer focus: attack-centric security tools, which rely on static rules, signatures, and historical attack patterns, were never designed to handle the complexity and subtlety of AI-driven attacks. These challenges feel new to security teams, but they are the core problems Darktrace was built to solve.  

Our Self-Learning AI develops a deep understanding of what “normal” looks like for your organization –including unique traffic patterns, end user habits, application and device profiles – so that it can detect and stop novel, dynamic threats at the first encounter. By focusing on learning the business, rather than the attack, our AI can keep pace with AI-powered threats as they evolve.

Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.

Learn more about securing AI in your enterprise.

[related-resource]

Continue reading
About the author
The Darktrace Community

Blog

/

Email

/

April 24, 2026

Email-Borne Cyber Risk: A Core Challenge for the CISO in the Age of Volume and Sophistication

Default blog imageDefault blog image

The challenge for CISOs

Despite continuous advances in security technologies, humans continue to be exploited by attackers. Credential abuse and social actions like phishing are major factors, accounting for around 60% of all breaches. These attacks rely less on technical vulnerabilities and more on exploiting human behavior and organizational processes. 

From my perspective as a former CISO, protecting humans concentrates three of today’s most pressing challenges: the sheer volume of email-based threats, their increasing sophistication, and the limitations of traditional employee awareness programs in moving the needle on risk. 

My personal experience of security awareness training as a CISO

With over 20 years’ experience as an ICT and Cybersecurity leader across various international organizations, I’ve seen security awareness training (SAT) in many guises. And while the cyber landscape is evolving in every direction, the effectiveness of SAT is reaching a plateau.  

Most programs I’ve seen follow a familiar pattern. Training is delivered through a combination of eLearning modules and internal sessions designed to reinforce IT policies. Employees are typically required to complete a slide deck or video, followed by a multiple-choice quiz. Occasional phishing simulations are distributed throughout the year.

The content is often static and unpersonalized, based on known threats that may already be outdated. Every employee regardless of role or risk exposure receives the same training and the same simulated phishing templates, from front-desk staff to the CEO.

The problem with traditional SAT programs

The issue with the approach to SAT outlined above is that the distribution of power is imbalanced. Humans will always be fallible, particularly when faced with increasingly sophisticated attacks. Providing generic, low-context training risks creating false confidence rather than genuine resilience. Let’s look at some of the problems in detail.

Timing and delivery

Employees today operate under constant cognitive load, making lots of rapid decisions every day to reduce their email volumes. Yet if employees are completing training annually, or on an ad hoc basis, it becomes a standalone occurrence rather than a continuous habit.  

As a result, retention is low. Employees often forget the lessons within weeks, a phenomenon known as the ‘Ebbinghaus Forgetting Curve.’

The graph illustrates that when you first learn something, the information disappears at an exponential rate without retention. In fact, according to the curve, you forget 50% of all new information within a day, and 90% of all new information within a week.  

Simultaneously, most training is conducted within a separate interface. Because it takes place away from the actual moment of decision-making, the "teachable moment" is lost. There is a cognitive disconnect between the action (clicking a link in Outlook) and the education (watching a video in a browser). 

People

In the context of professional risk management, the risks faced by different users are different. Static learning such as everyone receiving the same ‘Password Reset’ email doesn’t help users prepare for the specific threats they are likely to face. It also contributes to user fatigue, driven by repetitive training. And if users receive tests at the same time, news spreads among colleagues, hurting the efficacy of the test.  

Staff turnover introduces further risk. In many organizations, new employees gain access to systems before receiving meaningful training, reducing onboarding to little more than policy acknowledgment.

Measuring success

In my experience, solutions are standalone, without any correlation to other tools in the security stack. In some cases, the programs are delivered by HR rather than the security team, creating a complete silo.  

As a result, SAT is often perceived as a compliance exercise rather than a capability building function. The result is that poor-quality training does little to reduce the likelihood of compromise, regardless of completion rates or quiz performance.

What a modern SAT solution should look like

For today’s CISO, email represents the convergence point of high-volume, high-impact, and human-centric threats. Despite significant security investments, it remains one of the most difficult channels to secure effectively. Given these constraints, CISOs must evolve their approach to SAT.

Success lies in a balanced strategy one that combines advanced technology, attack surface reduction, and pragmatic user enablement, without over-relying on human vigilance as the final line of defense.

This means moving beyond traditional SAT toward continuous, contextual awareness, realistic simulations, and tight integration with security outcomes.

Three requirements for a modern SAT solution

  • Invisible protection: The optimum security solution is one that assists users without impeding their experience. The objective is to enhance human capabilities, rather than simply delivering a lecture. 
  • Real-time feedback: Rather than a monthly quiz, the ideal system would provide a prompt or warning when a user is about to engage with something suspicious. 
  • Positive culture: Shifting the focus away from a "gotcha" culture, which is a contributing factor to a resentment, and instead empowers employees to serve as "sensors" for the company. 

Discover how personalized security coaching can strengthen your human layer and make your email defenses more resilient. Explore Darktrace / Adaptive Human Defense.

Continue reading
About the author
Karim Benslimane
VP, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI