RESEARCH & INSIGHTS CENTER
Leverage unparalleled research to make smarter, faster business decisions
"SecurityScorecard's globally recognized, ubiquitous security ratings are changing how business leaders think about cybersecurity and operate in today's digital ecosystem."


Featured Research
Explore industry trends, data breaches and topical news to discover how our top data scientists and global thought leaders help organizations of every size tip the scale against cyber crime.
Attack Surface Intelligence Identifies Additional Cuba Ransomware-Linked Indicators of Compromise
Following the publication of a report regarding the Cuba ransomware group’s recent activities, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team leveraged SecurityScorecard’s unique data to enrich the indicators of compromise (IoCs) linked to this activity.
STRIKE Team researchers identified additional IoCs not explicitly linked to the Cuba threat actor group in prior public reporting.
Cyber Risk Intelligence Update: STRIKE Team Investigation Identifies Possible Flax Typhoon Links to Higher Education
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team conducted further research into indicators of compromise (IoCs) connected to the China-backed Flax Typhoon threat actor group. This has revealed additional IP addresses the group may use.
A detailed analysis of the Money Message Ransomware
The Money Message ransomware group first appeared in March 2023, demanding million-dollar ransoms from its targets. Its configuration, which lists the services and processes to be stopped, is located at the end of the executable. The ransomware creates a mutex and deletes the Volume Shadow Copies using vssadmin.exe.
The files are encrypted using the ChaCha20 algorithm, with the key being encrypted using ECDH (Elliptic-curve Diffie-Hellman). The extension of the encrypted files isn’t changed; however, the structure of the files indicates they were encrypted.
SecurityScorecard Identifies Possible Flax Typhoon Infrastructure
On August 24, Microsoft published its analysis of espionage activity it attributes to a new threat actor group tracked as Flax Typhoon, which it assesses to act on behalf of the People’s Republic of China.
The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted SecurityScorecard’s Attack Surface Intelligence tool and a strategic partner’s network flow (NetFlow) data to develop further insight into the group’s activity and identify a population of servers the group appears to use in addition to those Microsoft identified in its report.
Cyber Risk Intelligence: SecurityScorecard Analysis of Traffic Involving Storm-0558 IoCs
On July 11th, 2023, Microsoft disclosed that a threat actor had obtained a Microsoft private encryption key that allowed attackers to generate tokens enabling access to customers’ Exchange Online and Outlook.com accounts. Microsoft attributed the attack to a threat actor group it tracks as Storm-0558, which it assesses conducts espionage on behalf of the People’s Republic of China.
A technical analysis of the Underground ransomware deployed by Storm-0978
The Underground ransomware is the successor of the Industrial Spy ransomware and was deployed by a threat actor called Storm-0978. The malware stops a target service, deletes the Volume Shadow Copies, and clears all Windows event logs.
The files are encrypted using the 3DES algorithm, with the key and IV being encrypted using an RSA public key. The ransomware deletes itself after the file encryption is complete. The extension of the encrypted files isn’t changed, but four specific bytes are added at the end of them.
LockBit Ransomware Group Claims Attack Against Prominent Taiwanese Semiconductor Firm
On June 28, a LockBit-associated threat actor known as “Bassterlord” claimed to have mounted a ransomware attack against a major semiconductor manufacturer and posted screenshots suggesting access to its systems in a series of since-deleted tweets. Despite the possibility that LockBit has again exaggerated its claims, the STRIKE Team consulted internal SecurityScorecard data, a strategic partner’s traffic data, and public reporting on the incident to offer further insight into the group’s recent claims.
A technical analysis of the Quasar-forked RAT called VoidRAT
VoidRAT is based on the open-source RAT called Quasar. The malware steals information from web browsers and applications such as FileZilla and WinSCP. It also implements keylogger functionality that records and exfiltrates keystrokes. Read our whitepaper for more insights.
Android Malware on the Rise – A case study of AhMyth RAT
The malicious application is based on the open-source Android RAT called AhMyth. It has the following capabilities: taking pictures, exfiltrating phone call logs and phone contacts, stealing files and SMS messages from the phone, tracking the device’s location, recording audio, and sending SMS messages.
Investigation into Last Month’s Royal Ransomware Attack Against a City Government
On May 1, local media reported that a city government had suffered a disruption resulting from an attack claimed by the Royal ransomware group. Researchers leveraged SecurityScorecard’s exclusive access to network flow (NetFlow) data to collect a sample of traffic involving IP addresses attributed to the affected government.
Avoslocker Ransomware Group Targets U.S. University
On May 1, the Avoslocker ransomware group claimed responsibility for an attack against a small U.S. university. Shortly after news of the incident surfaced, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted internal and external sources to collect and analyze intelligence about the attack. These sources yielded findings that enabled STRIKE Team researchers to develop a hypothesis regarding attackers’ initial access to university systems.
Investigation into Breached Australian Organizations
In mid-March, two Australian financial and professional services firms reported data breaches. These followed a series of cyber incidents affecting large Australian firms throughout 2022 and early 2023. As a result, some reporting on the incidents presented them as indications of systematic shortcomings in the country’s cyber defenses.
Using access to network flow (NetFlow) data furnished by a strategic partner, SecurityScorecard’s STRIKE Team researchers sampled roughly one month of traffic leading up to the breach disclosures that involved a group of IP addresses which SecurityScorecard’s ratings platform attributes to the affected organizations.