Blog
/
Network
/
June 2, 2025

Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response

Darktrace announces its Leader position in the inaugural Gartner® Magic Quadrant™ for Network Detection and Response (NDR).
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Man using darktrace security software on computerDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Jun 2025

Darktrace has been recognized as a Leader in the first ever Magic Quadrant™ for Network Detection and Response (NDR).

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about NDR, which is evolving to offer broader threat detection. We encourage our customers to read the full report to get the complete picture.

Darktrace has also received accolades in other recent NDR leadership evaluations including IDC named as market share leader, and  KuppingerCole’s heralding us as an Overall Leader, Product Leader, Market Leader and Innovation Leader. We believe we have continued to be identified as a Leader due to the strength of our capabilities in NDR, driven by our unique application of AI in cybersecurity, continuous product innovation, and our ability to execute on a global scale to meet the evolving needs of our customers.

We’re proud of Darktrace’s unrivaled market, and ability to execute effectively in the network security market, reflecting our commitment to delivering high-quality, reliable solutions that meet the evolving needs of our customers.

Gartner MQ for NDR, NDR mq, Gartner NDR, Gartner best NDR solution
Gartner MQ for NDR

Why is Darktrace the market share leader and undisputed force in NDR?

Transforming network security and shifting to an AI-led SOC

Darktrace’s Self-Learning AITM understands normal for your entire network, intelligently detecting anomalies and containing sophisticated threats without historical attack data. This approach, based on advanced, unsupervised machine learning, enables Darktrace to catch novel, unknown and insider threats that traditional tools miss and other NDR vendors can’t detect. Darktrace has identified and contained attempted exploits of zero-day vulnerabilities up to 11 days before public disclosure.

We change SOC dynamics with our Cyber AI AnalystTM, which eliminates manual triage and investigation by contextualizing all relevant alerts across your environment, including third-party alerts, and performing end-to-end investigations at machine speed. Cyber AI Analyst gives your team the equivalent of 30 extra full time Level 2 analysts without the hiring overhead2, so you can shift your team away from manual, reactive workflows and uplift them to focus on more proactive tasks.

When combined, Darktrace Self-Learning AI and Cyber AI Analyst go far beyond the capabilities of traditional NDR approaches to completely transform your network security and help your teams operate at the speed and scale of AI.

Coverage across the extended IT enterprise and all-important OT devices

We believe the report validates the business-centric approach that Darktrace uses to deploy AI locally and train it solely on each unique environment, giving our customers tailored security outcomes without compromising on privacy.

This contrasts with other NDR vendors that require cloud connectivity to either deliver full functionality or to regularly update their globally trained models with the latest attack data. This capability is particularly sought after by organizations who are no longer just on-premise, have operational technology (OT) networks, or those that operate in classified environments.

Darktrace serves these organizations and industries by extending IT and unifying OT security within a single solution, reducing alert fatigue and accelerating alert investigation in industrial environments.

With Darktrace / NETWORK you can achieve:

  • Full visibility across your modern network, including on-premises, virtual networks, hybrid cloud, identities, remote workers and OT devices
  • Precision threat detection across your modern network to identify known, unknown and insider threats in real-time without relying on rules, signatures or threat intelligence,
  • 10x accelerated incident response times with agentic AI that uplifts your team and enables them to focus on more proactive tasks
  • Containment of threats with the first autonomous response solution proven to work in the enterprise, stopping attacks from progressing at the earliest stages with precise actions that avoid business disruption

Going beyond traditional NDR to build proactive network resilience

Darktrace does not just stop at threat detection, it helps you prevent threats from occurring and increase your resiliency for when attacks do happen. We help discover and prioritize up to 50% more risks across your environment and optimize incident response processes, reducing the impact of active cyber-attacks using an understanding of your data.

Attack path modeling: By leveraging attack path modeling and AI-driven risk validation, customers can close gaps before they’re exploited, focusing resources where they’ll have the greatest impact.

AI-driven playbooks and breach simulations: With AI-driven playbooks and realistic breach simulations, Darktrace helps your team practice response, strengthen processes, and reduce the impact of real-world incidents. You’re not just reacting; you’re proactively building long-term resilience.

Continued innovation in network security

Darktrace leads innovation in the NDR market with more than 200+ patents and active filings, covering a range of detection, response and AI techniques. Our AI Research Center is foundational to our ongoing innovation, including hundreds of R&D employees examining how AI can be applied to real-world problems and augment human teams.

Trusted by thousands of customers globally

Our commitment to innovation and patented Self-Learning AITM has protected organizations in all industries from known and novel attacks since 2013, bolstering network security and augmenting human teams for our 10,000 active customers across 110 countries. These organizations place a great deal of trust in Darktrace’s unique approach to cybersecurity and application of AI to detect and respond to threats across their modern network.

A new standard for NDR

Darktrace / NETWORK is not just another NDR tool; we are the most advanced network security platform in the industry that pushes beyond traditional capabilities to protect thousands of organizations against known and novel threats.

From real-time threat detection and autonomous response to proactive risk management, we’re transforming network security from reactive to resilient.

[related-resource]

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

References

1, 3 Gartner, Magic Quadrant for Network Detection and Response, by Thomas Lintemuth, Esraa ElTahawy, John Collins, Charanpal Bhogal, 29 May, 2025

2 Darktrace Cyber AI Analyst fleet data, 2023

Download your copy today

Read the Gartner® Magic Quadrant™ report & discover what it means to be recognized in NDR as a leader.

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

More in this series

No items found.

Blog

/

Identity

/

April 10, 2025

Bytesize Security: Insider Threats in Google Workspace

Default blog imageDefault blog image

What is an insider threat?

An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.

Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.

For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.

Attack overview: Insider threat

In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.

While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.

A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.

Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.

In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.

Conclusion

Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.

Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.

Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Get the latest insights on emerging cyber threats

Attackers are adapting, are you ready? This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.

  • Identity-based attacks: How attackers are bypassing traditional defenses
  • Zero-day exploitation: The rise of previously unknown vulnerabilities
  • AI-driven threats: How adversaries are leveraging AI to outmaneuver security controls

Stay ahead of evolving threats with expert analysis from Darktrace. Download the report here.

Appendices

Darktrace Model Detections

SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File

References

[1]https://www.adobe.com/creativecloud/file-types/image/vector/indd-file.html

MITRE ATT&CK Mapping

Technqiue – Tactic – ID

Data from Cloud Storage Object – COLLECTION -T1530

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

Network

/

April 18, 2025

RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal

Default blog imageDefault blog image

What is ShadowSyndicate?

ShadowSyndicate, also known as Infra Storm, is a threat actor reportedly active since July 2022, working with various ransomware groups and affiliates of ransomware programs, such as Quantum, Nokoyawa, and ALPHV. This threat actor employs tools like Cobalt Strike, Sliver, IcedID, and Matanbuchus malware in its attacks. ShadowSyndicate utilizes the same SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) on many of their servers—85 as of September 2023. At least 52 of these servers have been linked to the Cobalt Strike command and control (C2) framework [1].

What is RansomHub?

First observed following the FBI's takedown of ALPHV/BlackCat in December 2023, RansomHub quickly gained notoriety as a Ransomware-as-a-Service (RaaS) operator. RansomHub capitalized on the law enforcement’s disruption of the LockBit group’s operations in February 2024 to market themselves to potential affiliates who had previously relied on LockBit’s encryptors. RansomHub's success can be largely attributed to their aggressive recruitment on underground forums, leading to the absorption of ex-ALPHV and ex-LockBit affiliates. They were one of the most active ransomware operators in 2024, with approximately 500 victims reported since February, according to their Dedicated Leak Site (DLS) [2].

ShadowSyndicate and RansomHub

External researchers have reported that ShadowSyndicate had as many as seven different ransomware families in their arsenal between July 2022, and September 2023. Now, ShadowSyndicate appears to have added RansomHub’s their formidable stockpile, becoming an affiliate of the RaaS provider [1].

Darktrace’s analysis of ShadowSyndicate across its customer base indicates that the group has been leveraging RansomHub ransomware in multiple attacks in September and October 2024. ShadowSyndicate likely shifted to using RansomHub due to the lucrative rates offered by this RaaS provider, with affiliates receiving up to 90% of the ransom—significantly higher than the general market rate of 70-80% [3].

In many instances where encryption was observed, ransom notes with the naming pattern “README_[a-zA-Z0-9]{6}.txt” were written to affected devices. The content of these ransom notes threatened to release stolen confidential data via RansomHub’s DLS unless a ransom was paid. During these attacks, data exfiltration activity to external endpoints using the SSH protocol was observed. The external endpoints to which the data was transferred were found to coincide with servers previously associated with ShadowSyndicate activity.

Darktrace’s coverage of ShadowSyndicate and RansomHub

Darktrace’s Threat Research team identified high-confidence indicators of compromise (IoCs) linked to the ShadowSyndicate group deploying RansomHub. The investigation revealed four separate incidents impacting Darktrace customers across various sectors, including education, manufacturing, and social services. In the investigated cases, multiple stages of the kill chain were observed, starting with initial internal reconnaissance and leading to eventual file encryption and data exfiltration.

Attack Overview

Timeline attack overview of ransomhub ransomware

Internal Reconnaissance

The first observed stage of ShadowSyndicate attacks involved devices making multiple internal connection attempts to other internal devices over key ports, suggesting network scanning and enumeration activity. In this initial phase of the attack, the threat actor gathers critical details and information by scanning the network for open ports that might be potentially exploitable. In cases observed by Darktrace affected devices were typically seen attempting to connect to other internal locations over TCP ports including 22, 445 and 3389.

C2 Communication and Data Exfiltration

In most of the RansomHub cases investigated by Darktrace, unusual connections to endpoints associated with Splashtop, a remote desktop access software, were observed briefly before outbound SSH connections were identified.

Following this, Darktrace detected outbound SSH connections to the external IP address 46.161.27[.]151 using WinSCP, an open-source SSH client for Windows used for secure file transfer. The Cybersecurity and Infrastructure Security Agency (CISA) identified this IP address as malicious and associated it with ShadowSyndicate’s C2 infrastructure [4]. During connections to this IP, multiple gigabytes of data were exfiltrated from customer networks via SSH.

Data exfiltration attempts were consistent across investigated cases; however, the method of egress varied from one attack to another, as one would expect with a RaaS strain being employed by different affiliates. In addition to transfers to ShadowSyndicate’s infrastructure, threat actors were also observed transferring data to the cloud storage and file transfer service, MEGA, via HTTP connections using the ‘rclone’ user agent – a command-line program used to manage files on cloud storage. In another case, data exfiltration activity occurred over port 443, utilizing SSL connections.

Lateral Movement

In investigated incidents, lateral movement activity began shortly after C2 communications were established. In one case, Darktrace identified the unusual use of a new administrative credential which was quickly followed up with multiple suspicious executable file writes to other internal devices on the network.

The filenames for this executable followed the regex naming convention “[a-zA-Z]{6}.exe”, with two observed examples being “bWqQUx.exe” and “sdtMfs.exe”.

Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.
Figure 1: Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.

Additionally, script files such as “Defeat-Defender2.bat”, “Share.bat”, and “def.bat” were also seen written over SMB, suggesting that threat actors were trying to evade network defenses and detection by antivirus software like Microsoft Defender.

File Encryption

Among the three cases where file encryption activity was observed, file names were changed by adding an extension following the regex format “.[a-zA-Z0-9]{6}”. Ransom notes with a similar naming convention, “README_[a-zA-Z0-9]{6}.txt”, were written to each share. While the content of the ransom notes differed slightly in each case, most contained similar text. Clear indicators in the body of the ransom notes pointed to the use of RansomHub ransomware in these attacks. As is increasingly the case, threat actors employed double extortion tactics, threatening to leak confidential data if the ransom was not paid. Like most ransomware, RansomHub included TOR site links for communication between its "customer service team" and the target.

Figure 2: The graph shows the behavior of a device with encryption activity, using the “SMB Sustained Mimetype Conversion” and “Unusual Activity Events” metrics over three weeks.

Since Darktrace’s Autonomous Response capability was not enabled during the compromise, the ransomware attack succeeded in its objective. However, Darktrace’s Cyber AI Analyst provided comprehensive coverage of the kill chain, enabling the customer to quickly identify affected devices and initiate remediation.

Figure 3: Cyber AI Analyst panel showing the critical incidents of the affected device from one of the cases investigated.

In lieu of Autonomous Response being active on the networks, Darktrace was able to suggest a variety of manual response actions intended to contain the compromise and prevent further malicious activity. Had Autonomous Response been enabled at the time of the attack, these actions would have been quickly applied without any human interaction, potentially halting the ransomware attack earlier in the kill chain.

Figure 4: A list of suggested Autonomous Response actions on the affected devices."

Conclusion

The Darktrace Threat Research team has noted a surge in attacks by the ShadowSyndicate group using RansomHub’s RaaS of late. RaaS has become increasingly popular across the threat landscape due to its ease of access to malware and script execution. As more individual threat actors adopt RaaS, security teams are struggling to defend against the increasing number of opportunistic attacks.

For customers subscribed to Darktrace’s Security Operations Center (SOC) services, the Analyst team promptly investigated detections of the aforementioned unusual and anomalous activities in the initial infection phases. Multiple alerts were raised via Darktrace’s Managed Threat Detection to warn customers of active ransomware incidents. By emphasizing anomaly-based detection and response, Darktrace can effectively identify devices affected by ransomware and take action against emerging activity, minimizing disruption and impact on customer networks.

Credit to Kwa Qing Hong (Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore) and Signe Zahark (Principal Cyber Analyst, Japan)

[related-resource]

Appendices

Darktrace Model Detections

Antigena Models / Autonomous Response:

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Insider Threat / Antigena SMB Enumeration Block

Antigena / Network / Insider Threat / Antigena Internal Anomalous File Activity

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena / Network / External Threat / Antigena File then New Outbound Block


Network Reconnaissance:

Device / Network Scan

Device / ICMP Address Scan

Device / RDP Scan
Device / Anomalous LDAP Root Searches
Anomalous Connection / SMB Enumeration
Device / Spike in LDAP Activity

C2:

Enhanced Monitoring - Device / Lateral Movement and C2 Activity

Enhanced Monitoring - Device / Initial Breach Chain Compromise

Enhanced Monitoring - Compromise / Suspicious File and C2

Compliance / Remote Management Tool On Server

Anomalous Connection / Outbound SSH to Unusual Port


External Data Transfer:

Enhanced Monitoring - Unusual Activity / Enhanced Unusual External Data Transfer

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data to New Endpoint

Compliance / SSH to Rare External Destination

Anomalous Connection / Application Protocol on Uncommon Port

Enhanced Monitoring - Anomalous File / Numeric File Download

Anomalous File / New User Agent Followed By Numeric File Download

Anomalous Server Activity / Outgoing from Server

Device / Large Number of Connections to New Endpoints

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous Connection / Uncommon 1 GiB Outbound

Lateral Movement:

User / New Admin Credentials on Server

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / High Volume of New or Uncommon Service Control

Anomalous File / Internal / Executable Uploaded to DC

Anomalous Connection / Suspicious Activity On High Risk Device

File Encryption:

Compliance / SMB Drive Write

Anomalous File / Internal / Additional Extension Appended to SMB File

Compromise / Ransomware / Possible Ransom Note Write

Anomalous Connection / Suspicious Read Write Ratio

List of Indicators of Compromise (IoCs)

IoC - Type - Description + Confidence

83.97.73[.]198 - IP - Data exfiltration endpoint

108.181.182[.]143 - IP - Data exfiltration endpoint

46.161.27[.]151 - IP - Data exfiltration endpoint

185.65.212[.]164 - IP - Data exfiltration endpoint

66[.]203.125.21 - IP - MEGA endpoint used for data exfiltration

89[.]44.168.207 - IP - MEGA endpoint used for data exfiltration

185[.]206.24.31 - IP - MEGA endpoint used for data exfiltration

31[.]216.148.33 - IP - MEGA endpoint used for data exfiltration

104.226.39[.]18 - IP - C2 endpoint

103.253.40[.]87 - IP - C2 endpoint

*.relay.splashtop[.]com - Hostname - C2 & data exfiltration endpoint

gfs***n***.userstorage.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration

w.api.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration

ams-rb9a-ss.ams.efscloud[.]net - Hostname - Data exfiltration endpoint

MITRE ATT&CK Mapping

Tactic - Technqiue

RECONNAISSANCE – T1592.004 Client Configurations

RECONNAISSANCE – T1590.005 IP Addresses

RECONNAISSANCE – T1595.001 Scanning IP Blocks

RECONNAISSANCE – T1595.002 Vulnerability Scanning

DISCOVERY – T1046 Network Service Scanning

DISCOVERY – T1018 Remote System Discovery

DISCOVERY – T1083 File and Directory Discovery
INITIAL ACCESS - T1189 Drive-by Compromise

INITIAL ACCESS - T1190 Exploit Public-Facing Application

COMMAND AND CONTROL - T1001 Data Obfuscation

COMMAND AND CONTROL - T1071 Application Layer Protocol

COMMAND AND CONTROL - T1071.001 Web Protocols

COMMAND AND CONTROL - T1573.001 Symmetric Cryptography

COMMAND AND CONTROL - T1571 Non-Standard Port

DEFENSE EVASION – T1078 Valid Accounts

DEFENSE EVASION – T1550.002 Pass the Hash

LATERAL MOVEMENT - T1021.004 SSH

LATERAL MOVEMENT – T1080 Taint Shared Content

LATERAL MOVEMENT – T1570 Lateral Tool Transfer

LATERAL MOVEMENT – T1021.002 SMB/Windows Admin Shares

COLLECTION - T1185 Man in the Browser

EXFILTRATION - T1041 Exfiltration Over C2 Channel

EXFILTRATION - T1567.002 Exfiltration to Cloud Storage

EXFILTRATION - T1029 Scheduled Transfer

IMPACT – T1486 Data Encrypted for Impact

References

1.     https://www.group-ib.com/blog/shadowsyndicate-raas/

2.     https://www.techtarget.com/searchsecurity/news/366617096/ESET-RansomHub-most-active-ransomware-group-in-H2-2024

3.     https://cyberint.com/blog/research/ransomhub-the-new-kid-on-the-block-to-know/

4.     https://www.cisa.gov/sites/default/files/2024-05/AA24-131A.stix_.xml

Continue reading
About the author
Qing Hong Kwa
Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore
Your data. Our AI.
Elevate your network security with Darktrace AI