Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Symantec

Symantec Vendor Cyber Rating & Cyber Score

broadcom.com

Your backstage pass to the most epic cybersecurity solutions on the market for Endpoint, Network, Data and Cloud security. Featuring worldwide (yet local-to-you) partner experts with the chops to deliver enterprise-grade security, whether you're a solo act or a supergroup. Be first in line to experience defense that goes to 11. Hit us up: https://engage.broadcom.com/ESG-contact-us


Symantec A.I CyberSecurity Scoring

Symantec
Company Information
Website:https://www.broadcom.com/products/cybersecurity
Employees number:12,974
Number of followers:443,760
NAICS:5112
Industry Type:Software Development
Homepage:broadcom.com
Symantec Risk Score (AI oriented)
Between 650 and 699
logo
SymantecSoftware Development
Updated:
29/03/2026
674/1000
Weak
B
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Symantec Global Score (TPRM)
xxxx
logo
SymantecSoftware Development
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

Symantec
SymantecWeak
Current Score
674B (WEAK)
01000
4 incidents
-96 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
681Before Incident
JUNE 2026
681Before Incident
MAY 2026
677Before Incident
APRIL 2026
677Before Incident
MARCH 2026
674Before Incident
FEBRUARY 2026
671Before Incident
JANUARY 2026
764Before Incident
Ransomware
01 Jan 2026Symantec
Symantec, Sophos and CrowdStrike: Black Basta Ransomware Integrates BYOVD Technique to Evade Defenses

Black Basta Ransomware Adopts New 'All-in-One' Attack Tactic with Embedded BYOVD Exploit

668After Incident
CRITICAL-96
SOPCROSYM1770623613
Black Basta Ransomware Adopts New "All-in-One" Attack Tactic with Embedded BYOVD Exploit The Black Basta ransomware group, linked to the threat actor Cardinal, has introduced a significant evolution in its attack methodology by embedding a Bring-Your-Own-Vulnerable-Driver (BYOVD) exploit directly into its ransomware payload. This marks a departure from traditional ransomware operations, where attackers typically deploy separate tools to disable security software before encryption. In this campaign, Black Basta leverages the NsecSoft NSecKrnl driver, which contains a critical vulnerability (CVE-2025-68947). The flaw allows the driver to execute privileged commands without proper permission checks, enabling the ransomware to issue Input/Output Control (IOCTL) requests that terminate high-level security processes. Targeted defenses include solutions from Sophos, Symantec, CrowdStrike, and Microsoft Defender (MsMpEng.exe). Once security measures are neutralized, the ransomware encrypts files and appends the “.locked” extension. This tactic embedding defense evasion within the ransomware itself is rare, previously observed only in Ryuk (2020) and Obscura (2025). The approach offers two key advantages for attackers: stealth, by reducing the number of files dropped on the victim’s system, and speed, minimizing the window between disabling defenses and executing encryption. Researchers also noted prolonged dwell time in compromised networks, with suspicious activity detected weeks before ransomware deployment. The resurgence of Cardinal follows a period of inactivity after internal chat logs were leaked in February 2025 by a hacker known as ExploitWhispers, who claimed retaliation for Black Basta’s attacks on Russian banks. The leak led to police raids in Ukraine and the identification of an alleged leader, Oleg Evgenievich Nefedov. Despite law enforcement pressure, the group’s technical innovation suggests continued adaptation. BYOVD attacks remain a favored method among threat actors due to their reliance on legitimate, signed drivers, which evade detection. The integration of evasion and encryption into a single payload may set a new standard in ransomware operations, reflecting a broader trend of defense impairment as a critical component of modern ransomware attacks.
INCIDENT DETAILS -
TYPE
Ransomware
IMPACT
Operational Impact: Termination of high-level security processes (Sophos, Symantec, CrowdStrike, Microsoft Defender)
DATA BREACH
Data Encryption: Files encrypted with '.locked' extension
DECEMBER 2025
764Before Incident
NOVEMBER 2025
764Before Incident
OCTOBER 2025
763Before Incident
SEPTEMBER 2025
763Before Incident
AUGUST 2025
762Before Incident
JUNE 2021
736Before Incident
Cyber Attack
01 Jun 2021Symantec
CISA, Symantec, FBI and Fortinet: Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom

Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics

711After Incident
LOW-25
CISSYMFBIFOR1768715192
Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics The Medusa ransomware operation, tracked by Symantec as Spearwing, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, the group has attributed over 40 incidents, signaling an aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players like LockBit and BlackCat. Medusa employs double extortion, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span healthcare, financial services, government, education, legal, and manufacturing sectors many within critical infrastructure. If victims refuse to pay, the group threatens to leak stolen data via its dedicated leak site. ### Attack Methods & Tools Medusa’s intrusion chains often begin with exploiting known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or through initial access brokers. Once inside, attackers deploy remote management tools like SimpleHelp, AnyDesk, and MeshAgent for persistence, alongside the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software using KillAV a tactic previously seen in BlackCat attacks. Other tools in Medusa’s arsenal include: - PDQ Deploy for lateral movement and payload delivery - Navicat for database access - RoboCopy and Rclone for data exfiltration - Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance - Ligolo and Cloudflared for command-and-control (C2) evasion The group also employs living-off-the-land (LotL) techniques, such as PowerShell commands (Base64-encoded to avoid detection) and Mimikatz for credential theft, alongside legitimate remote access tools like ConnectWise and PsExec to move undetected. ### Evasion & Triple Extortion Risks Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment suggesting a potential triple extortion scheme. ### CISA Advisory & Historical Context A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa has compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to MedusaLocker or the Medusa mobile malware, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute attacks, core developers retain control over ransom negotiations. Recent campaigns have exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Despite the RaaS landscape’s volatility with new groups like Anubis, LCRYX, and Xelera emerging Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gainData extortion
IMPACT
Financial Loss: Ransoms ranging from $100,000 to $15 millionData Compromised: Sensitive data stolen before encryptionIdentity Theft Risk: High (due to data exfiltration)
DATA BREACH
Type Of Data Compromised: Sensitive data (including personally identifiable information)Sensitivity Of Data: High
FEBRUARY 2021
786Before Incident
Breach
01 Feb 2021Symantec
Symantec

Symantec Data Breach

731After Incident
HIGH-55
SYM1336271222
Security firm Symantec was attacked by a hacker back in February 2021 in which the hackers extracted some of the data. This comprises not only passwords but a list of Symantec clients -- including government agencies. The hacker was able to access a list of clients using Symantec's CloudSOC services, account managers and account numbers.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
passwordslist of Symantec clientsgovernment agencieslist of clients using Symantec's CloudSOC servicesaccount managersaccount numbers
DATA BREACH
passwordslist of Symantec clientsgovernment agencieslist of clients using Symantec's CloudSOC servicesaccount managersaccount numbers
JUNE 2016
784Before Incident
Vulnerability
01 Jun 2016Symantec
Symantec

Symantec and Norton Vulnerabilities Identified by Tavis Ormandy

783After Incident
HIGH-1
SYM44121823
Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data. There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory. Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
INCIDENT DETAILS -
TYPE
Vulnerability Exploit
MOTIVATION
Data Theft
IMPACT
Symantec Enterprise Products

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for Symantec ?
?
What was Symantec's A.I Rankiteo Cyber Score in June 2026 ?
?
What was Symantec's A.I Rankiteo Cyber Score in May 2026 ?
?
What was Symantec's A.I Rankiteo Cyber Score in April 2026 ?
?
What was Symantec's A.I Rankiteo Cyber Score in March 2026 ?
?
What was Symantec's A.I Rankiteo Cyber Score in February 2026 ?
?
What was Symantec's A.I Rankiteo Cyber Score in January 2026 ?
?
What was Symantec's A.I Rankiteo Cyber Score in December 2025 ?
?
What was Symantec's A.I Rankiteo Cyber Score in November 2025 ?
?
What was Symantec's A.I Rankiteo Cyber Score in October 2025 ?
?
What was Symantec's A.I Rankiteo Cyber Score in September 2025 ?
?
What was Symantec's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on Symantec's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with Symantec ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view Symantec's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?