Symantec A.I CyberSecurity Scoring
Symantec
Company Information
Website:https://www.broadcom.com/products/cybersecurity
Employees number:12,974
Number of followers:443,760
NAICS:5112
Industry Type:Software Development
Homepage:broadcom.com
Symantec Risk Score (AI oriented)
Between 650 and 699
SymantecSoftware Development
Updated:
29/03/2026
29/03/2026
674/1000
Weak
B
Symantec Global Score (TPRM)
xxxx
SymantecSoftware Development
Score locked

SymantecWeak
Current Score
674B (WEAK)
01000
4 incidents
-96 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
681
JUNE 2026
681
MAY 2026
677
APRIL 2026
677
MARCH 2026
674
FEBRUARY 2026
671
JANUARY 2026
764
Ransomware
01 Jan 2026 • Symantec
Symantec, Sophos and CrowdStrike: Black Basta Ransomware Integrates BYOVD Technique to Evade Defenses
Black Basta Ransomware Adopts New 'All-in-One' Attack Tactic with Embedded BYOVD Exploit
668
CRITICAL-96
SOPCROSYM1770623613
Black Basta Ransomware Adopts New "All-in-One" Attack Tactic with Embedded BYOVD Exploit
The Black Basta ransomware group, linked to the threat actor Cardinal, has introduced a significant evolution in its attack methodology by embedding a Bring-Your-Own-Vulnerable-Driver (BYOVD) exploit directly into its ransomware payload. This marks a departure from traditional ransomware operations, where attackers typically deploy separate tools to disable security software before encryption.
In this campaign, Black Basta leverages the NsecSoft NSecKrnl driver, which contains a critical vulnerability (CVE-2025-68947). The flaw allows the driver to execute privileged commands without proper permission checks, enabling the ransomware to issue Input/Output Control (IOCTL) requests that terminate high-level security processes. Targeted defenses include solutions from Sophos, Symantec, CrowdStrike, and Microsoft Defender (MsMpEng.exe). Once security measures are neutralized, the ransomware encrypts files and appends the “.locked” extension.
This tactic embedding defense evasion within the ransomware itself is rare, previously observed only in Ryuk (2020) and Obscura (2025). The approach offers two key advantages for attackers: stealth, by reducing the number of files dropped on the victim’s system, and speed, minimizing the window between disabling defenses and executing encryption. Researchers also noted prolonged dwell time in compromised networks, with suspicious activity detected weeks before ransomware deployment.
The resurgence of Cardinal follows a period of inactivity after internal chat logs were leaked in February 2025 by a hacker known as ExploitWhispers, who claimed retaliation for Black Basta’s attacks on Russian banks. The leak led to police raids in Ukraine and the identification of an alleged leader, Oleg Evgenievich Nefedov. Despite law enforcement pressure, the group’s technical innovation suggests continued adaptation.
BYOVD attacks remain a favored method among threat actors due to their reliance on legitimate, signed drivers, which evade detection. The integration of evasion and encryption into a single payload may set a new standard in ransomware operations, reflecting a broader trend of defense impairment as a critical component of modern ransomware attacks.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2025
764
NOVEMBER 2025
764
OCTOBER 2025
763
SEPTEMBER 2025
763
AUGUST 2025
762
JUNE 2021
736
Cyber Attack
01 Jun 2021 • Symantec
CISA, Symantec, FBI and Fortinet: Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom
Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics
711
LOW-25
CISSYMFBIFOR1768715192
Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics
The Medusa ransomware operation, tracked by Symantec as Spearwing, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, the group has attributed over 40 incidents, signaling an aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players like LockBit and BlackCat.
Medusa employs double extortion, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span healthcare, financial services, government, education, legal, and manufacturing sectors many within critical infrastructure. If victims refuse to pay, the group threatens to leak stolen data via its dedicated leak site.
### Attack Methods & Tools
Medusa’s intrusion chains often begin with exploiting known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or through initial access brokers. Once inside, attackers deploy remote management tools like SimpleHelp, AnyDesk, and MeshAgent for persistence, alongside the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software using KillAV a tactic previously seen in BlackCat attacks.
Other tools in Medusa’s arsenal include:
- PDQ Deploy for lateral movement and payload delivery
- Navicat for database access
- RoboCopy and Rclone for data exfiltration
- Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance
- Ligolo and Cloudflared for command-and-control (C2) evasion
The group also employs living-off-the-land (LotL) techniques, such as PowerShell commands (Base64-encoded to avoid detection) and Mimikatz for credential theft, alongside legitimate remote access tools like ConnectWise and PsExec to move undetected.
### Evasion & Triple Extortion Risks
Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment suggesting a potential triple extortion scheme.
### CISA Advisory & Historical Context
A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa has compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to MedusaLocker or the Medusa mobile malware, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute attacks, core developers retain control over ransom negotiations.
Recent campaigns have exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Despite the RaaS landscape’s volatility with new groups like Anubis, LCRYX, and Xelera emerging Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2021
786
Breach
01 Feb 2021 • Symantec
Symantec
Symantec Data Breach
731
HIGH-55
SYM1336271222
Security firm Symantec was attacked by a hacker back in February 2021 in which the hackers extracted some of the data.
This comprises not only passwords but a list of Symantec clients -- including government agencies.
The hacker was able to access a list of clients using Symantec's CloudSOC services, account managers and account numbers.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
JUNE 2016
784
Vulnerability
01 Jun 2016 • Symantec
Symantec
Symantec and Norton Vulnerabilities Identified by Tavis Ormandy
783
HIGH-1
SYM44121823
Tavis Ormandy identified Symantec and Norton flaws that cybercriminals may use to gain access to users' data.
There were 17 items on the list of vulnerable Symantec enterprise products. On the Symantec website, these items had been listed as a security advisory.
Malware concealed in an executable file had a chance to obtain total access to the computer running the operating system, it was discovered that Symantec decompressed files in the operating system's kernel.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Symantec ??
What was Symantec's A.I Rankiteo Cyber Score in June 2026 ??
What was Symantec's A.I Rankiteo Cyber Score in May 2026 ??
What was Symantec's A.I Rankiteo Cyber Score in April 2026 ??
What was Symantec's A.I Rankiteo Cyber Score in March 2026 ??
What was Symantec's A.I Rankiteo Cyber Score in February 2026 ??
What was Symantec's A.I Rankiteo Cyber Score in January 2026 ??
What was Symantec's A.I Rankiteo Cyber Score in December 2025 ??
What was Symantec's A.I Rankiteo Cyber Score in November 2025 ??
What was Symantec's A.I Rankiteo Cyber Score in October 2025 ??
What was Symantec's A.I Rankiteo Cyber Score in September 2025 ??
What was Symantec's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Symantec's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Symantec ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Symantec's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?