
Why Counting CVEs Misses the Real Third-Party Risk

Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

“What percentage of CVEs do you cover?”

It’s a question we hear a lot at Black Kite. It’s reasonable on the surface, but ultimately misleading.

It’s like asking a meteorologist how many weather events they track. The number might be high, but it tells you nothing about whether a severe storm is headed for your house. The same logic applies here. The total count of vulnerabilities a platform covers—or claims to cover—doesn’t actually tell you how well it assesses risk to your business.

At Black Kite, we don’t optimize for volume. We optimize for relevance, discoverability, and actionability. Because when it comes to third-party risk, more data is not necessarily better data. It’s just more noise.

CVE ‘Coverage’ Doesn’t Tell the Whole Story

More than 40,000 CVEs were published in 2024. Narrow it down to those with a CVSS score above 9.0, and you’re still looking at more than 4,400 critical issues.

Understandably, many security teams start with scale: How much of that are we tracking? However, “coverage” is a flawed metric. Here’s why:

1. It depends entirely on the scope.
What’s being covered? Every CVE ever published? Just critical ones? Only those with active exploitation? The definition of “coverage” varies so widely that it becomes almost meaningless.

2. Visibility is variable.
We identify vulnerable software versions only when they’re visible via OSINT—through headers, banners, exposed services, and so on. Not every version leaves enough of a fingerprint to be seen externally (i.e., discoverable by bad actors). As detection techniques evolve, our coverage evolves. This isn’t a static number.

3. More CVEs don’t mean better insight.
If a system is severely outdated, it’s already high-risk. Tagging it with 500 additional CVEs doesn’t make it more actionable. In fact, it often dilutes the signal. What matters is knowing the right vulnerabilities, not all of them.

The takeaway? CVE count is a distraction. What’s important is whether the vulnerabilities you can see are the ones that matter—and whether they’re likely to be exploited in the wild.

What Actually Matters in Vulnerability Intelligence

At Black Kite, our job isn’t to show you every CVE (although we do offer quite a robust CVE database with TPRM insights to the public). For our customers, our job is to surface the few dozen vulnerabilities that truly matter for your vendor ecosystem—so you can act quickly and decisively.

We get there in two ways.

1. Auto-Scanning for Patch Management Risk

Our platform continuously scans exposed infrastructure using passive OSINT techniques like banner grabbing, protocol response analysis, and header inspection. From that, we extract product and version data (when available), match it to known Common Platform Enumerations (CPEs), and map it to vulnerabilities from NIST’s National Vulnerability Database.

We apply strict filters to keep the output meaningful:

  • Focus on CVEs from the past two years unless they’re especially high-impact.
  • Exclude low-severity vulnerabilities.
  • Prioritize CVEs likely to be discoverable via OSINT.
  • Limit the number of CVEs associated with a given asset.

For example, if we find a server running Windows Server 2008 R2, we flag the 10 most relevant CVEs. We don’t tag all 500-plus known vulnerabilities for that product. The additional volume wouldn’t change the risk signal. It’s already high.
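As an added illustration of the filtering described above (example code written for this page, not Black Kite's own pipeline or thresholds): a per-asset prioritization that drops low-severity CVEs, keeps older ones only when flagged high-impact, ranks OSINT-discoverable ones first, and caps the result at ten. The 4.0 CVSS cutoff, the `known_exploited` flag standing in for "especially high-impact", and the sample records with placeholder IDs are all assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CveRecord:
    """One CVE already mapped to an asset via its CPE (constructed, not NVD data)."""
    cve_id: str               # placeholder id, not a real CVE
    published_year: int
    cvss: float
    osint_discoverable: bool  # version visible in a banner/header/service response
    known_exploited: bool     # assumed stand-in for "especially high-impact"


def prioritize_cves(records: List[CveRecord], current_year: int,
                    recent_years: int = 2, min_cvss: float = 4.0,
                    max_per_asset: int = 10) -> List[str]:
    """Apply the post's four filters and return at most max_per_asset CVE ids."""
    kept = []
    for r in records:
        if r.cvss < min_cvss:                 # exclude low severity (CVSS v3 "Low" is < 4.0)
            continue
        recent = current_year - r.published_year <= recent_years
        if not (recent or r.known_exploited):  # older than two years and not high-impact
            continue
        kept.append(r)
    # Rank: discoverable first, then exploited, then CVSS, then newest.
    kept.sort(key=lambda r: (r.osint_discoverable, r.known_exploited,
                             r.cvss, r.published_year), reverse=True)
    return [r.cve_id for r in kept[:max_per_asset]]   # cap the per-asset volume


# Constructed sample records for a single outdated server; ids are placeholders.
SAMPLE_CVES = [
    CveRecord("CVE-EX-0001", 2024, 9.8, True, True),
    CveRecord("CVE-EX-0002", 2025, 7.5, True, False),
    CveRecord("CVE-EX-0003", 2019, 9.1, True, True),    # old but exploited: kept
    CveRecord("CVE-EX-0004", 2019, 8.8, True, False),   # old, not high-impact: dropped
    CveRecord("CVE-EX-0005", 2025, 3.1, True, False),   # low severity: dropped
    CveRecord("CVE-EX-0006", 2024, 6.5, False, False),  # not discoverable: ranked last
] + [CveRecord(f"CVE-EX-01{i:02d}", 2025, 5.0 + i * 0.3, True, False) for i in range(12)]


if __name__ == "__main__":
    for cve in prioritize_cves(SAMPLE_CVES, current_year=2025):
        print(cve)
```

The cap is the point: 16 records survive the filters, but only ten reach the analyst, and the asset's risk signal is the same either way.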

2. FocusTags™ for High-Priority Threats

Some vulnerabilities warrant immediate action. For these, we created FocusTags™—a curated set of CVEs selected for their real-world risk based on exploitability, exposure, and threat actor interest.

For example, in 2024, more than 40,000 CVEs were published.

  • Around 1,000 passed our initial risk filters.
  • Of those, 780 were designated high-priority.
  • 295 received FocusTags based on their visibility in OSINT and likely impact.

These tags often overlap with known exploited vulnerabilities—many of which we flagged before public exploitation was confirmed. In certain cases, we used advanced techniques like TLS certificate analysis or favicon hash matching to surface assets that don’t respond to traditional scanning methods.

A note: Black Kite is not a vulnerability scanner. We do not perform authenticated internal scans. Instead, we use OSINT to identify whether systems appear susceptible to known vulnerabilities. Our goal is to measure risk exposure—not confirm exploit paths or patch status.

Rethink Third-Party Vulnerability Management with Black Kite

Yes, the threat landscape is growing more complex. But so are the tools we have to manage it.

We no longer need to chase every vulnerability across every vendor. With the right intelligence, we can take a more targeted, more effective approach. That means better prioritization, smarter remediation, and stronger overall cyber resilience.

Want to see what that looks like in practice? Read our full 2025 Supply Chain Vulnerability Report.


Dr. Ferhat Dikbiyik is the Chief Research & Intelligence Officer at Black Kite, where he leads BRITE, the team behind third-party risk intelligence, ransomware trend analysis, and the tools helping organizations stay three steps ahead of their next threat.



Read our full 2025 Supply Chain Vulnerability Report: Navigating a New Era of Managing Vulnerability Risk in Third Parties – accessible instantly, no download required.





Your Friendly Neighborhood Ransomware Syndicate Will See You Now

Written by: Dr. Ferhat Dikbiyik, Chief Research & Intelligence Officer

From corporate-sounding breach statements to templated negotiations and ESXi support, LockBit blurred the line between cybercrime and customer service — until they were hacked themselves.

If you’ve ever imagined ransomware gangs as chaotic bands of hoodie-wearing hackers launching attacks from the shadows, LockBit would like a word — preferably via encrypted chat, with structured pricing, timezone-aware support, and test decrypts to help you “experience the product” before buying.

LockBit operates with a surprising level of business sophistication, offering structured pricing, customer support, and even test decrypts. This article details their corporate-like breach announcement after being hacked themselves, their tiered negotiation tactics, and their understanding of enterprise IT environments like ESXi. Ultimately, defenders need to recognize this business-like approach to ransomware in order to better anticipate and prevent future attacks.

LockBit Is All Business

After being hacked themselves on May 7, 2025, LockBit released a statement so polished it could’ve been run through a corporate PR team:

“I’m currently investigating how the breach happened and rebuilding the system… no decryptors or any stolen company data were harmed. The full panel and blog are still operational.”

They even offered to pay for intel on the perpetrator (“xoxo” from Prague) — a move eerily reminiscent of a bug bounty program, though they may have just misread a cheeky “hugs and kisses from Prague” sign-off as a hacker’s handle.

LockBit’s leaked breach notice, posted on their own dark web site, reads like a corporate status update — reassuring users that no decryptors or stolen data were affected, and bizarrely offering a bounty for “xoxo from Prague,” which may just be a sarcastic sign-off rather than a hacker’s alias.

Yes, you read that correctly.

This isn’t just ransomware. It’s ransomware-as-a-business.
And if LockBit had an investor pitch deck, I wouldn’t be surprised if it included growth charts and an affiliate referral program.

But that’s the thing: LockBit wasn’t just a criminal enterprise. It was a business. A brand. A platform.
And just like any startup past its prime, it had structured pricing, technical documentation, customer onboarding…and a spectacular fall.

From Peak Power to a Platform Breach

Before Operation Cronos dismantled parts of its infrastructure earlier this year, LockBit was the reigning king of ransomware. They leaked data from over 200 victims per month, supported hundreds of affiliates, and ran a criminal operation with all the polish of a B2B tech firm.

After Cronos, that number dropped to single digits per month. Many affiliates walked away. And when LockBit got breached themselves, the mask slipped, revealing not just their systems, but their business logic.

The leaked negotiation chats read less like ransom demands and more like CRM transcripts.

The Defaced LockBit site displays a taunting message: “Don’t commit a crime. CRIME IS BAD. xoxo from Prague”—which the gang seemingly misread as a hacker alias in their breach response.

How to Sell a Ransom, LockBit Style

LockBit’s chats followed a consistent rhythm: name your price, offer a taste, apply pressure, close the deal. Sound familiar?

1. Negotiation, But Make It Tiered

One small business pleads:

“We feel like the price is high. Can we agree on $3,600?”

LockBit’s response?

“Ok, $3600” (reduced from $4,000)

But after an initial discount, they’re not here for haggling:

“no”
“There will be no more talk about discounts.”

A typical LockBit negotiation: scripted replies, tiered pricing, and just enough flexibility to close the deal — all wrapped in ransomware-as-a-service professionalism.

Ransom pricing was neatly aligned with perceived company size:

  • Small businesses: $1,500–$4,000
  • Mid-sized companies: $30K–$70K
  • Large enterprises: $100K–$150K+

Total across all negotiations: $767,800
Average ask: $40,410

This isn’t chaos. It’s value-based pricing.

2. Customer Service Scripts, with Encryption

“You can attach a few files for test decryption by packing them into an archive…”
“Please wait for a reply, sometimes it takes several hours due to possible time zone differences.”

These lines appear over and over — clearly copy-pasted.

We’re not dealing with improvisation here. We’re dealing with internal playbooks and canned responses. Like Zendesk, but for extortion.

3. Trust-Building with Freemium Tactics

Need proof that the decryptor works? No problem.

“We can decrypt few random files for FREE.”
“You will need to disable your AV and just run the .exe decryptor.”

That’s not just social engineering. That’s product-led growth.

4. Fear, Shame, and a Bit of Taunting

In one case, a desperate employee begs:

“Please don’t spoil my life… My company will file a case on me… My family will be suffered.”
LockBit replies coldly: “I can’t help you, it’s to end this dialog.”

Elsewhere, they mock:

“You know your pass: P@ssw0rd”

They don’t just threaten. They undermine your confidence.

A LockBit negotiation turns transactional: the victim outlines terms like a service agreement, while the operator replies with decryption guarantees, tech support timelines, and even a jab about weak passwords.

5. Targeted Pressure, Personalized Pricing

LockBit tailors its tactics to your environment:

“We found a lot of contact information of your employees, clients, partners…”
“We will try to convey information about the leak to each of these contacts.”

And if you’re rich?

“I saw your financial report. Our price is not big for you.”
“The price…was formed based on the indicators of your company.”

This is market segmentation, but for criminal revenue.

A LockBit negotiation unfolds like a budget meeting—discount requests, financial hardship pleas, and even regional economic context—until the operator cuts it off with cold finality: “There will be no more talk about discounts.”

6. Enterprise IT Support… from Criminals

Need to decrypt an ESXi cluster? LockBit’s got you.

“Log in to vCenter, enable SSH, upload decryptor… run ./decrypt… check decrypt.llg log…”
“Do not run multiple decryptors simultaneously… or files may be corrupted.”

We’ve seen fewer steps in vendor documentation.
These actors understand virtualization, backup systems, and endpoint behavior.

This isn’t script kiddie territory. This is ransomware with release notes.

The Breach Heard Around the Dark Web

When LockBit got breached, the illusion cracked.

They scrambled to assure “customers” that nothing critical was lost, systems were being rebuilt, and operations were ongoing. The message, minus the extortion and anonymity, would be right at home in an AWS status update.

The offer to pay for intel on “xoxo from Prague” (which again, might’ve just been a sarcastic sign-off) cemented the absurdity: even ransomware groups are vulnerable to phishing and misinterpretation.

They were so committed to acting like a business… they ended up reacting like one too.

Lessons for Defenders

So what now?

LockBit may be on the decline, but the playbook they wrote will outlive them. And the next ransomware “startup” will come with better UX, faster support, and cleaner infrastructure.

To stay ahead, we need to:

  • Monitor for ransomware susceptibility, not just breaches
  • Assess vendor-level risk posture, continuously
  • Recognize criminal operations behaving like product teams

At Black Kite, we’ve developed tools like the Ransomware Susceptibility Index® (RSI™) and FocusTags™ to help our clients and their vendors stay ahead of this evolution — not just after an incident, but before they become one.

Because if ransomware syndicates are going to act like businesses, it’s time we start treating them like competitors — not just criminals.
