Arctic Wolf A.I CyberSecurity Scoring
Arctic Wolf
Company Information
Website: https://arcticwolf.com
Employees number: 3,325
Number of followers: 133,314
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: arcticwolf.com
Arctic Wolf Risk Score (AI oriented)
Between 650 and 699
Arctic Wolf, Computer and Network Security
Updated: 02/07/2026
677/1000
Weak
B

Arctic Wolf Global Score (TPRM)
Arctic Wolf, Computer and Network Security
Score locked

Current Score: 677 B (WEAK), on a scale of 0 to 1000
3 incidents
-4.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026: 677
JUNE 2026: 680
Vulnerability | 01 Jun 2026 | Arctic Wolf
Citrix, Kontron, The Gentlemen RaaS Victims and Anubis Ransomware Victims: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Anubis Ransomware Exploits Citrix Bleed 2 in Targeted Attacks Across Critical Sectors
675 | CRITICAL-5 | CITGUIKONARC1783031139
Threat actors linked to the Anubis ransomware-as-a-service (RaaS) operation are actively exploiting CVE-2025-5777 (Citrix Bleed 2), a critical vulnerability in Citrix NetScaler ADC and Gateway, to gain initial access to victim networks. According to a report by Arctic Wolf, attackers leverage legitimate Remote Management and Monitoring (RMM) tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining persistent control.
Anubis, a rebrand of the Sphinx ransomware, emerged in late 2024 and was formally announced on the RAMP underground forum in February 2025. Since then, the group has claimed 91 victims on its data leak site, with 11 reported in June 2026 alone. Targeted sectors include healthcare, business services, manufacturing, technology, and financial services, with over 50% of victims based in the U.S., followed by the U.K., Australia, France, and Canada.
The group employs aggressive tactics, including an irreversible data-wiping feature that reduces files to 0 KB regardless of ransom payment, increasing pressure on victims. Affiliates receive 80% of ransom payments, a lucrative incentive that has fueled the operation’s growth. Beyond Citrix Bleed 2, Anubis actors have also used stolen VPN credentials, potentially sourced from initial access brokers, credential stuffing, or info-stealer malware, to breach networks via Cisco AnyConnect VPNs, particularly through hosting providers like AS20473 (The Constant Company) and AS55286 (ServerMania).
Once inside, attackers move laterally using RDP and PsExec, deploy RMM tools for persistence, and exfiltrate data via Cloudflare Tunnels, S3 Browser, rclone, s5cmd, WinSCP, and PuTTY. They also disable security defenses, including Windows Defender and Sophos, and manipulate logs to hinder forensic analysis. In some cases, the ransomware encryptor is deleted post-execution, further complicating detection.
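The post-compromise tradecraft summarized above (RMM agents for persistence, PsExec for lateral movement, and rclone, s5cmd, WinSCP, PuTTY, S3 Browser and Cloudflare Tunnel for exfiltration) lends itself to a simple host triage over process-creation telemetry. The script below is an added example, not code from Arctic Wolf or from the report; the CSV event format and the sample events are constructed, and the executable names matched against the tool names on this page are assumptions for illustration.

```python
"""Triage process-creation events for the Anubis tradecraft described above.
Added example: the log format and events are constructed, not real telemetry."""
import csv
import io
import os
from collections import defaultdict

# Tool names come from the incident summary on this page; the executable
# names they are matched against are assumptions chosen for illustration.
RMM_TOOLS = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "zaservice.exe": "Zoho Assist",
    "meshagent.exe": "MeshAgent",
    "remotely_agent.exe": "Remotely",
    "winvnc.exe": "UltraVNC",
    "tsd.exe": "Total Software Deployment",
}
EXFIL_TOOLS = {
    "rclone.exe": "rclone",
    "s5cmd.exe": "s5cmd",
    "winscp.exe": "WinSCP",
    "putty.exe": "PuTTY",
    "pscp.exe": "PuTTY (pscp)",
    "s3browser-win32.exe": "S3 Browser",
    "cloudflared.exe": "Cloudflare Tunnel",
}
LATERAL_TOOLS = {"psexec.exe": "PsExec", "psexesvc.exe": "PsExec service"}

CATEGORIES = (("rmm", RMM_TOOLS), ("exfil", EXFIL_TOOLS), ("lateral", LATERAL_TOOLS))


def classify(image_path):
    """Return (category, tool_name) for a process image path, or None if unmatched."""
    name = os.path.basename(image_path.replace("\\", "/")).lower()
    for category, table in CATEGORIES:
        if name in table:
            return category, table[name]
    return None


def scan(csv_text):
    """Group matched tools per host: {host: {category: [tool, ...]}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row["image"])
        if verdict:
            category, tool = verdict
            hits[row["host"]][category].add(tool)
    return {h: {c: sorted(t) for c, t in cats.items()} for h, cats in hits.items()}


def prioritize(hits):
    """A host running an RMM agent plus an exfil tool matches the persistence-then-
    exfiltration pattern and is ranked 'high'; two other categories rank 'medium';
    a single category alone is queued for review."""
    ranking = {}
    for host, cats in hits.items():
        if "rmm" in cats and "exfil" in cats:
            ranking[host] = "high"
        elif len(cats) >= 2:
            ranking[host] = "medium"
        else:
            ranking[host] = "review"
    return ranking


# Constructed sample events (hostnames, users and paths are invented).
SAMPLE_EVENTS = """timestamp,host,user,image
2026-06-01T02:14:05Z,FS01,CORP\\svc_backup,C:\\Windows\\System32\\svchost.exe
2026-06-01T02:15:40Z,FS01,CORP\\jdoe,C:\\ProgramData\\MeshAgent\\MeshAgent.exe
2026-06-01T02:31:12Z,FS01,CORP\\jdoe,C:\\Users\\jdoe\\Downloads\\rclone.exe
2026-06-01T02:33:50Z,WS17,CORP\\jdoe,C:\\Tools\\PsExec.exe
2026-06-01T02:34:01Z,WS17,CORP\\jdoe,C:\\Program Files\\UltraVNC\\winvnc.exe
2026-06-01T03:10:22Z,DC01,CORP\\admin,C:\\Windows\\System32\\lsass.exe
"""

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, level in prioritize(found).items():
        print(f"{host}: {level} {found[host]}")
```

Matching on image basename alone is deliberately coarse: the point is the co-occurrence rule in `prioritize`, which raises a host only when a persistence tool and an exfiltration tool appear together, rather than alerting on every legitimate RMM or file-transfer client in the environment.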
### The Gentlemen RaaS and Zero-Day Exploits
Separately, Kaspersky detailed The Gentlemen RaaS, which exploits known vulnerabilities and weak credentials to deploy a Go-based backdoor for remote command execution. The malware collects system data, exfiltrates it to 81.177.215[.]15:9443, and can establish a SOCKS proxy for network pivoting. The group has also weaponized a zero-day vulnerability in ktapi.sys, a Kontron driver, to bypass Windows security protections and terminate processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne.
### VECT and TeamPCP’s Supply Chain-Ransomware Hybrid
A Sophos investigation revealed a partnership between VECT and TeamPCP, announced in March 2026, combining supply chain credential theft with ransomware deployment. TeamPCP, previously operating as CipherForce, rebranded after listing six victims in February 2026. However, VECT’s encryptor contains critical flaws, destroying files larger than 128 KB instead of encrypting them, a defect TeamPCP claims it never used in attacks.
The alliance represents a shift toward industrialized ransomware deployment, lowering the barrier for cybercriminals by merging large-scale supply chain attacks with mature RaaS operations. Despite technical shortcomings, the model poses a growing threat to enterprises.
MAY 2026: 679
APRIL 2026: 678
MARCH 2026: 676
FEBRUARY 2026: 674
JANUARY 2026: 671
DECEMBER 2025: 673
Vulnerability | 12 Dec 2025 | Arctic Wolf
Fortinet and Arctic Wolf: Attackers are exploiting auth bypass vulnerability on FortiGate firewalls (CVE-2025-59718)
Exploitation of CVE-2025-59718 to Bypass Authentication on Fortinet FortiGate Firewalls
669 | LOW-4 | FORARC1765986943
Fortinet Firewall Vulnerabilities Exploited in Active Attacks
Attackers are actively exploiting a recently disclosed vulnerability (CVE-2025-59718) to bypass authentication on Fortinet’s FortiGate firewalls, enabling them to export sensitive system configuration files. Arctic Wolf researchers reported the campaign on Tuesday, warning that stolen configurations may contain network infrastructure details, security policies, and encrypted credentials—data that could facilitate future attacks.
The vulnerability, along with a related flaw (CVE-2025-59719), stems from improper cryptographic signature verification. Both can be exploited by sending a crafted SAML response to a vulnerable device, tricking it into granting unauthorized access. CVE-2025-59718 affects FortiOS (FortiGate), FortiProxy, and FortiSwitchManager, while CVE-2025-59719 impacts FortiWeb.
Fortinet disclosed the vulnerabilities on December 9, 2025, and released patches, advising customers to upgrade or disable the FortiCloud SSO login feature if enabled. The flaw is not active by default but can be triggered if administrators register devices to FortiCare without disabling the "Allow administrative login using FortiCloud SSO" option.
Arctic Wolf observed intrusions beginning December 12, with attackers using malicious SSO logins—primarily targeting the admin account—before exfiltrating configurations via the GUI. The attacks originated from IP addresses linked to multiple hosting providers.
CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, mandating U.S. federal agencies to remediate the flaw by December 23, 2025. Organizations using affected Fortinet products are advised to check logs for suspicious activity and reset compromised credentials if breaches are detected.
NOVEMBER 2025: 673
OCTOBER 2025: 671
SEPTEMBER 2025: 765
AUGUST 2025: 765
JUNE 2025: 765
Ransomware | 16 Jun 2025 | Arctic Wolf
Sophos, Barracuda Networks and Arctic Wolf: Black Hat: Organizations Face Multiple Ransomware Hits
Ransomware Resurgence: Barracuda Report Reveals Alarming Trends at Black Hat USA 2025
662 | HIGH-103 | SOPBARARC1768969865
At Black Hat USA 2025, Barracuda Networks unveiled a stark report on ransomware’s evolving threat landscape, revealing that 31% of victims were attacked multiple times in the past year, a trend driven by fragmented security defenses and persistent gaps in protection. The findings, based on a survey of 2,000 IT and security decision-makers across North America, Europe, and Asia-Pacific, paint a troubling picture of modern cyber threats.
Key takeaways from the report include:
- 57% of organizations suffered a successful ransomware attack in the last 12 months.
- 71% of those hit by email breaches were also targeted by ransomware, underscoring email as a primary attack vector.
- Only 32% of victims paid a ransom, and just half of those recovered all their data.
- Fragmented security tools and insufficient coverage in critical areas, particularly email security, left organizations vulnerable to repeat attacks.
Adam Khan, Barracuda’s VP of global security operations, highlighted that less than half of ransomware victims had implemented email security solutions, despite email being a leading entry point. The report also noted that ransomware attacks are now multi-dimensional, combining data encryption, theft, and secondary payloads for maximum disruption.
Beyond financial losses, attacks inflicted reputational damage (41%), lost business opportunities (25%), and pressure on partners and employees (22%), signaling a shift toward broader operational and psychological impact.
---
### Sophos and Rubrik Partner to Strengthen Microsoft 365 Resilience
In a separate announcement, Rubrik and Sophos unveiled a strategic partnership to deliver the first MDR-optimized Microsoft 365 backup and recovery solution, integrated into Sophos Central. The offering aims to combat ransomware, account compromise, and data loss across SharePoint, Exchange, OneDrive, and Teams by unifying threat detection and recovery in a single workflow.
Raja Patel, Sophos’ chief product officer, emphasized the solution’s ability to simplify operations for partners, enabling automated recovery triggered by MDR alerts and creating new revenue streams. Rubrik CEO Bipul Sinha noted the partnership’s focus on AI-driven threats, stressing the need for rapid recovery capabilities in an era of sophisticated breaches.
---
### Darktrace’s 2025 Mid-Year Retrospective: AI-Powered Threats and SaaS Exploitation
Darktrace’s retrospective of H1 2025 highlighted the growing use of AI by threat actors, including highly convincing phishing emails and automated campaigns at unprecedented scale. The report also flagged SaaS exploitation as a critical concern, citing lack of visibility and business-level controls in cloud environments.
Nathaniel Jones, Darktrace’s VP of security and AI strategy, warned that user vigilance alone is insufficient, advocating for AI-driven defense systems to counter advanced threats like Blind Eagle. While law enforcement collaborations such as the takedown of Lumma Stealer show progress, the report cautioned that new threats will continue to emerge, with AI adoption expected to expand into deepfakes, malware development, and tooling.
---
### Additional Black Hat Announcements
Other notable developments included:
- Arctic Wolf, Flashpoint, and Cyera unveiling new threat intelligence and data security initiatives.
- Industry-wide discussions on AI’s dual role in both offensive and defensive cyber operations.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Arctic Wolf?
What was Arctic Wolf's A.I Rankiteo Cyber Score in June 2026?
What was Arctic Wolf's A.I Rankiteo Cyber Score in May 2026?
What was Arctic Wolf's A.I Rankiteo Cyber Score in April 2026?
What was Arctic Wolf's A.I Rankiteo Cyber Score in March 2026?
What was Arctic Wolf's A.I Rankiteo Cyber Score in February 2026?
What was Arctic Wolf's A.I Rankiteo Cyber Score in January 2026?
What was Arctic Wolf's A.I Rankiteo Cyber Score in December 2025?
What was Arctic Wolf's A.I Rankiteo Cyber Score in November 2025?
What was Arctic Wolf's A.I Rankiteo Cyber Score in October 2025?
What was Arctic Wolf's A.I Rankiteo Cyber Score in September 2025?
What was Arctic Wolf's A.I Rankiteo Cyber Score in August 2025?
What is the average per-incident point impact on Arctic Wolf's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Arctic Wolf?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Arctic Wolf's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?