
When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

Darktrace detected ransomware activity and data encryption linked to World Leaks in January 2026 on the network of a healthcare sector organization. The attack involved both exfiltration of customer data and subsequent encryption, which contradicted reports that the group had pivoted away from encryption in its operations.

Investigations revealed that the threat actors likely gained initial access via a FortiGate appliance in mid-October. The roughly three-month dwell time allowed them to move laterally with living-off-the-land techniques, including PsExec. Command-and-control communications were established over Cloudflare Tunnel, and a significant volume of data was exfiltrated to the MEGA cloud storage platform before the customer data was encrypted.

Darktrace's Autonomous Response capability was active and initially blocked the suspicious connectivity, buying time for the customer to remediate; however, the attack resumed once those mitigative actions expired.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from Darktrace, HIPAA Journal, Rescana and reviewed by the T&B editorial agent team.