Major UK Retailer Stops Novel Malware Attack With Darktrace AI
Company Targeted by ‘BumbleBee’, a Sophisticated Malware Loader
Darktrace, a global leader in cyber security AI, announced that a UK retailer used Darktrace’s AI to stop a cyber-attack attempting to leverage ‘BumbleBee’, a new malware loader known to be used by Russia-based ransomware group Conti among other cyber-criminal entities.
The company, a major UK retailer founded over 20 years ago, was leveraging Darktrace’s Self-Learning AI when it was targeted by a cyber-attack. The AI had established an evolving understanding of ‘normal’ for the company’s operations in order to detect the subtle indicators of an emerging cyber-threat.
In the early hours of one morning in April, Darktrace’s AI detected that an internal device was communicating unusually with multiple external endpoints. The AI began investigating the activity in real time and the company’s security team were alerted to potentially malicious activity, enabling them to take the compromised device offline before malware could spread through the organization.
The AI was able to detect the activity without any need for new threat signatures or a feed of threat intelligence, while human analysis was then used to identify the specific strain of malware. BumbleBee is believed to have replaced Conti’s ‘BazarLoader’, which the Russia-based group infamously used to deploy ransomware. Loaders typically serve as the first stage of a cyber-attack, offering cyber-criminals the ability to deploy malicious code at scale and acting as a bridgehead into compromised networks from which other malware, including ransomware, is pushed.
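The detection the release describes, a device suddenly reaching many external endpoints it has never contacted before, judged against that device's own learned baseline rather than a signature, can be illustrated with a small behavioural check. The code below is an added example written for this page; it is not Darktrace's product, method or code. The connection-log lines, the device addresses, the training cut-off and the threshold rule (more new external endpoints in one hour than max(3, twice the device's historical hourly peak)) are all constructed assumptions.

```python
"""Behavioural fan-out detection: flag a device that contacts far more
previously unseen external endpoints in one hour than its own baseline supports.
Added example for this page, not Darktrace's code. All data is constructed."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log: "<ISO timestamp> <source device> <destination>".
# 2022-04-01/02 is the quiet training period; 2022-04-03 03:xx is the burst.
SAMPLE_LOG = """\
2022-04-01T09:00:12 10.1.2.15 203.0.113.10
2022-04-01T09:05:40 10.1.2.15 203.0.113.10
2022-04-01T10:12:03 10.1.2.15 198.51.100.7
2022-04-01T11:30:55 10.1.2.15 10.1.2.1
2022-04-02T09:01:02 10.1.2.15 203.0.113.10
2022-04-02T14:20:17 10.1.2.15 198.51.100.7
2022-04-02T15:00:00 10.1.2.15 203.0.113.22
2022-04-03T03:10:01 10.1.2.15 192.0.2.5
2022-04-03T03:10:09 10.1.2.15 192.0.2.77
2022-04-03T03:11:15 10.1.2.15 198.51.100.200
2022-04-03T03:12:42 10.1.2.15 192.0.2.140
2022-04-03T03:13:03 10.1.2.15 203.0.113.99
2022-04-03T03:14:30 10.1.2.15 10.1.2.1
2022-04-03T03:15:00 10.1.2.40 203.0.113.10
"""

# Assumed training cut-off: events before this build the baseline, events from
# this moment on are evaluated against it.
TRAINING_END = datetime(2022, 4, 3)

# RFC 1918 ranges are treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Turn log lines into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events, training_end):
    """Per device: the set of external endpoints seen during training and the
    peak number of distinct external endpoints contacted in any single hour."""
    seen = defaultdict(set)
    per_hour = defaultdict(lambda: defaultdict(set))
    for ts, src, dst in events:
        if ts >= training_end or not is_external(dst):
            continue
        seen[src].add(dst)
        per_hour[src][hour_bucket(ts)].add(dst)
    return {src: {"endpoints": seen[src],
                  "peak_per_hour": max(len(s) for s in per_hour[src].values())}
            for src in seen}


def detect_fan_out(events, baseline, start, min_new=3):
    """Alert on (device, hour) windows where the count of never-before-seen
    external endpoints exceeds max(min_new, 2 * that device's training peak).
    A device with no baseline gets an empty history and the min_new floor."""
    new_per_hour = defaultdict(lambda: defaultdict(set))
    for ts, src, dst in events:
        if ts < start or not is_external(dst):
            continue
        known = baseline.get(src, {}).get("endpoints", set())
        if dst not in known:
            new_per_hour[src][hour_bucket(ts)].add(dst)
    alerts = []
    for src, hours in new_per_hour.items():
        peak = baseline.get(src, {}).get("peak_per_hour", 0)
        threshold = max(min_new, 2 * peak)
        for hour, dsts in sorted(hours.items()):
            if len(dsts) > threshold:
                alerts.append({"device": src, "hour": hour.isoformat(),
                               "new_endpoints": sorted(dsts),
                               "baseline_peak": peak, "threshold": threshold})
    return alerts


def run_demo():
    """Build the baseline from the constructed log and return (baseline, alerts)."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, TRAINING_END)
    return baseline, detect_fan_out(events, baseline, TRAINING_END)


if __name__ == "__main__":
    _, found = run_demo()
    for alert in found:
        print(alert)
```

The device 10.1.2.15 never reached more than one external endpoint in any training hour, so five unseen endpoints inside one early-morning hour trips the alert; the second device, which contacts a single endpoint, does not. Real deployments would feed this from flow or proxy logs and tune the floor and multiplier per environment, but the shape of the check, a per-device learned history plus a deviation rule, needs no signature for the loader involved.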
“We’ve seen a dangerous surge in malware loader activity in recent months as attackers seek out new techniques that will avoid traditional methods of detection,” commented Toby Lewis, Darktrace’s Global Head of Threat Analysis. “These attack tools, particularly novel variants like BumbleBee, illustrate the need for cutting-edge technology like AI that understands the shades of grey in very complex systems. Defenders shouldn’t have to wait for the release of threat indicators and threat intelligence before they are able to detect and respond to these attacks.”