April '23 Policyholder Newsletter

Ransomware was up 60% in March + security controls for cloud-based organizations.

America’s favorite pastime is back! No, no, not baseball. We’re talking about reading non-stop headlines about ransomware* — on the train, while walking your dog, even in your dreams — you can see the words data breach everywhere you look. It’s 2021 all over again, because ransomware is back in full swing (batter up!).

The major player? The ransomware group, CL0P, exploited a bug in GoAnywhere MFT and stole data from over 130 companies. Forta shared their investigation of the zero-day and revealed that the vulnerability was exploited for two weeks before discovery. Don’t fret — we alerted all potentially impacted policyholders!

*Hot dogs not included with bad news. Keep reading for more on the rise in ransomware and how to combat it. 

CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz

📈 Ransomware is up 60% from this time last year. 

In 2022, we felt some reprieve from the onslaught of ransomware attacks that became the industry standard. But the dip in activity couldn’t last forever (could it, threat actors?). Our Threat Intel team found the following:

  • 452 new ransomware victims on leak sites in March 2023. This is the highest monthly number observed in the past two years.
  • 22% of March’s claimed ransomware victims were associated with the CL0P ransomware gang’s attack campaign targeting GoAnywhere.
  • CL0P isn’t single-handedly responsible for March’s high numbers. Without their contribution, March still saw 349 claimed ransomware victims.

Read our full analysis here.

Yes, it sounds bad. But the view from Corvus looks a bit more optimistic:

    • Ransomware events impacting our policyholders are trending downwards, even while ransomware victims listed on the dark web are increasing.
  • Why? You (!) are doing the right things. By using the Action Center and implementing suggested security controls, we’re making the work a lot harder for cybercriminals. 
  • But that doesn’t mean our job is done. As always, the threat landscape is constantly evolving. We’ll continue to send alerts for ongoing (and relevant) threats. Login to the Policyholder Dashboard to make sure you’re up-to-date to keep your organization as secure as possible. 

Risk + Response Tips 

Security tips and service updates from SVP of Risk + Response Lauren Winchester

A common misconception held by organizations using cloud-based environments is that their cloud or SaaS providers’ built-in security is enough to protect them from most threats.

Leveraging credentials: Ransomware actors are increasingly targeting and obtaining login information for cloud environments in order to steal or encrypt (or both) data for extortion purposes. 

To enhance your defensive line, we recommend that cloud-based orgs implement the following:

  • Multi-factor authentication: MFA decreases the likelihood of a threat actor taking over an account - which will protect against unauthorized access, data breaches and password-based cyberattacks.
    • Endpoint security: Deploying EDR on endpoints (laptops, desktops, etc) that access cloud-based resources provides a necessary additional layer of security.
  • Resilient backup strategy: Having all your data in a SaaS provider’s environment (i.e. 0365 or Google Workspace) is not a good idea. We recommend a cloud-to-cloud backup solution. 

Read our full guide to Security Controls For Cloud Based Organizations here.

What's New on the Policyholder Dashboard?

Confused about your score? Our results just got more detailed (and informative).

Security is all about layers. We’re here to help you peel them back, one at a time. We just unveiled a new set of recommendations to help protect your organization. So, if you noticed your score is lower than anticipated, it may have been for the following reasons:

  1. Domain Hijacking: This protects against unauthorized changes in ownership of domains and prevents a hacker from taking ownership over your domain.
  2. Remote Access - Services and Open Ports: Corvus’ predictive risk model has observed more attacks on organizations with a large external attack surface, particularly those with externally accessible remote access ports and services on owned or dedicated servers. 
  3. Certificate Best Practices: Security Certificates ensure that communication to and from your servers is encrypted. This helps to protect sensitive information and prevent threat actors from reading or modifying data in transit.

See our security recommendations on the Policyholder Dashboard.

Monthly Alerts


Threat Alerts

What to watch for this month. 


The Corvus Scan is a powerful asset that enables us to identify which policyholders may be at greater risk for vulnerabilities. In response, we send tailored, time-sensitive notifications with direct guidance for remediation. We’ve gathered a monthly round-up of our alerts and threat intel updates below:

Veritas Vulnerability

Ransomware groups are exploiting a number of vulnerabilities in Veritas Backup software. They are using the vulnerabilities to gain access to networks with the goal of stealing and encrypting data. Security updates are available and should be applied as soon as possible. Find out more.