March '22 Corvus Policyholder Update

A ransomware ecosystem in flux

We sprang forward. Translation: longer days, a lost hour of sleep we’ll never get back, and more time to do what we love — talk to you about cybersecurity. With all that extra daylight ahead of you, feel free to revisit last month’s Bird’s Eye. If you’re caught up, keep reading below for the latest tips and updates from our experts.

New Dashboard Feature: vCISO Center

Next time you log into your Policyholder Dashboard, you’ll notice some exciting updates. We’ve created a vCISO Center to bring together everything you need to make informed decisions about improving cybersecurity posture. You can view your Scan Results, take our Security Questionnaire, and visit the new Action Center that prioritizes your recommendations, all in one place.

Even if you completed the questionnaire in the previous version of vCISO, we strongly recommend you visit the vCISO Center. The new Security Essentials and Security Advanced questionnaires will help improve the quality of the recommendations in your Action Center, and existing recommendations have been revised to add more detail and helpful insights.

Log into your Dashboard today to see your new features!

Risk + Response Tips

Security tips and service updates from VP of Risk + Response Lauren Winchester


A few months ago, we sent out our inaugural Policyholder Cybersecurity Benchmarking Survey — thank you for participating! — and if you didn’t get to it, no hard feelings. We’re excited to share our findings with you either way.

Some highlights from the report:

  • CISOs can help! Policyholders without one on staff felt less supported by senior leadership when executing on cybersecurity efforts. A CISO can help bridge the gap between technologists and business executives.
  • Company size plays a role. Larger organizations are more concerned about vendor breaches, while small companies are focused on staying current on new threats.
  • The work is never over. Security is constantly evolving, so organizations should never assume they’re “done” strengthening their cyber hygiene.

Feeling curious about what other organizations are experiencing? Read the full Policyholder Cybersecurity Benchmarking Report.


CISO Corner

Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz


The newest trend on the (cybersecurity) block? A ransomware ecosystem in flux. We observed a 30% reduction in ransomware claims frequency from Q4 of 2021 to Q1 2022 (through March 15th). But it’s not time to claim victory — in the last week, ransomware claims have been resurfacing.

Our hypothesis: A number of factors fueling internal turmoil among ransomware actors have temporarily shifted their priorities.

  1. Russia has long provided hackers who operate within its borders a safe haven for attacks targeting Western countries. Its January arrest of members of REvil, the notable ransomware gang, marked the first collaboration of the US and Russia on a cybercrime law enforcement operation. This sparked concerns among other ransomware actors about their immunity to the law. There are now visible consequences for their actions.
  2. The Russian invasion of Ukraine divided ransomware actors. A once tight collaboration vanished overnight and forced a fundamental shift in operational strategy.

What does this mean for Western organizations? Attacks are already resurfacing this month as cybercriminals adjust to their new workflows and resume targeting classic income streams. The major concern for retaliation lies with critical infrastructure (as mentioned by the White House) and organizations that have made public stances against Russia’s invasion by stopping sales, preventing new user signups, or suspending advertising.

For more information on the fractured ransomware ecosystem — and what it has to do with Russia and Ukraine — read our blog post.


Monthly Alerts


Threat Alerts

What to watch for this month. 

The Corvus Scan is a powerful asset that enables us to identify which policyholders are at risk for new vulnerabilities. You’ve probably already heard from us about some of the following vulnerabilities if your organization has been at risk, but we’ve gathered the monthly round-up of alerts and updates below:

Lapsus$ Compromise of an Okta Third Party Provider

On March 22, the threat actor group Lapsus$ shared screenshots online and claimed to have hacked Okta. The threat actor gained access, through an open RDP port, to a third-party customer support engineer's system, which was not owned or operated by Okta. Based on our current understanding, the potential impact of the attack was limited. For many companies, no corrective action is required. Okta has notified those potentially impacted. For more information, read Okta’s writeup of the investigation.

VMware Carbon Black App Control Vulnerability

On March 23, VMware issued an advisory regarding two critical vulnerabilities found in the VMware Carbon Black App Control server. Exploitation of the vulnerabilities could allow a threat actor to access and modify the server remotely. For remediation steps for both, read VMware’s advisory.

OpenSSL

OpenSSL released a patch for a critical vulnerability, CVE-2022-0778, that could potentially lead to a distributed denial-of-service (DDoS) attack. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. Learn more about the bug and fixes.

Veeam Backup & Replication Vulnerability Advisory

The Center for Internet Security (CIS) issued an advisory regarding a series of vulnerabilities affecting the popular Veeam Backup software. Exploitation of the vulnerabilities could allow a threat actor to execute code on the system, bypass authentication, gain access to the backup servers, and ultimately destroy backups in the lead-up to a ransomware attack. Learn more about the impact.