Written by: Bob Maley, Chief Security Officer.

In the Revolutionary War, British generals stuck to the book, placing blind faith in tradition. They marched troops in neat rows, clad in bright uniforms, across open fields—rigid, visible, and slow. Meanwhile, American colonists broke the rules. They fought from the woods, moved with agility, and changed the rules of engagement.

The British lost.

Ransomware today follows a similar script. Most organizations are still fighting the old way—relying on stodgy, slow-moving risk models and static assessments. But ransomware groups are moving fast, hiding in plain sight, and looking for the easiest way in. 

And too often, that way in is through your vendors.

This isn’t a war of might. It’s a war of agility. And if security leaders want to win the war against ransomware, they need to start thinking like guerrilla fighters.

The Supply Chain Is the New Front Line

Our 2025 Ransomware Report shows a sharp rise in third-party ransomware attacks: more than 6,000 organizations were hit between April 2024 and March 2025, a 24% year-over-year increase. With major ransomware syndicates like LockBit and AlphV dismantled, the battlefield hasn’t quieted—it’s fractured. Now, 96 active ransomware groups are operating, including 52 new ones. Many of these groups are disorganized and unpredictable, making them harder to track and easier to underestimate.

These attackers don’t need sophisticated tools to breach your environment. They just need one of your vendors to leave the gate unguarded. And that’s exactly where they’re focusing their fire.

Today’s ransomware actors aren’t wasting time on hardened targets. They’re looking for vulnerable vendors: often small- to mid-sized businesses (SMBs) sitting squarely in many supply chains.

In fact, 67% of known third-party breaches over the last year involved ransomware. And the sweet spot for attackers? Vendors with $4 to $6 million in annual revenue—large enough to be valuable, but small enough to lack strong defenses. These companies often don’t have dedicated CISOs, many don’t monitor external risk indicators, and almost none are prioritized in traditional third-party risk frameworks.

Legacy Risk Models Can’t Fight This War

Conventional third-party risk management (TPRM) methods are built on point-in-time assessments: surveys, security questionnaires, and high-level risk scores. These might work for compliance, but they often miss what actually puts you at risk.

After all, ransomware is a moving target. A vendor that looked secure three months ago might be vulnerable today. And attackers won’t wait for your next quarterly review.

Many vendors hit by ransomware had no major red flags under these legacy models. They looked fine on paper. But attackers don’t choose targets based on audit reports—they choose them based on opportunity.

Defenders can’t rely on static, old-school scoring models anymore. The only way to outsmart attackers is to start looking at risk the way they do.

6 Tactical Shifts Every CISO Should Make to Avoid Ransomware

To stay ahead of modern ransomware tactics, CISOs need to trade tradition for tempo. That means shifting from broad, static assessments to real-time, behavior-driven prioritization. Here’s how to put that mindset into practice:

  1. Think like an attacker

Start by prioritizing third-party risk the way attackers do: by visibility, exposure, and ease of exploitation. That’s what Black Kite’s Ransomware Susceptibility Index® (RSI™) is designed to do.

RSI is a predictive metric that reflects actual breach patterns and attacker tactics—not theoretical vulnerabilities. RSI analyzes a range of signals correlated with ransomware activity—open ports, insecure services, weak encryption, leaked credentials, and more—calculating the likelihood that a vendor will be targeted by ransomware.

And this isn’t a generic risk score. It’s a real-time signal of susceptibility. Vendors with an RSI above 0.8 are 96 times more likely to experience a ransomware event than those with scores below 0.2.

  2. Track the risk trajectory

Ransomware doesn’t strike out of the blue. The early warning signs are almost always there; you just need to know where to look.

A vendor with a high RSI score is a concern, but a rising RSI score is a ticking clock. In the six months before a ransomware event, 88% of victims saw their RSI increase by at least 10%. And 61% had a steady upward trend during that time. These patterns aren’t anomalies—they’re indicators of growing risk that often surface long before a breach.

CISOs should use RSI not just as a scoring system, but as a monitoring system. When a vendor’s RSI starts trending up, don’t wait. Use that signal to open a conversation. With Black Kite’s risk insights and remediation guidance, you can show vendors exactly what’s putting them at risk—and what they can do to fix it.
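The two signals this section and the previous one describe (a score already in the high band, and a score that is rising) can be turned into a simple monitoring rule over a vendor's RSI history. The block below is an added example, not Black Kite code, and it assumes a locally stored series of dated RSI readings per vendor; the vendor names and scores are constructed, and the thresholds (0.8 for the high band, a 10% rise over a six-month window, and a run of non-decreasing readings as the "steady upward trend") are taken from the figures quoted in the text.

```python
"""Added example: flag vendors whose RSI history shows the warning signs the
post describes. Not Black Kite's code; sample data below is constructed."""
from dataclasses import dataclass
from datetime import date

HIGH_RSI = 0.8        # post: vendors above 0.8 are far likelier to be hit
RISE_FRACTION = 0.10  # post: 88% of victims rose >= 10% in the prior six months
WINDOW_MONTHS = 6     # look-back window used for the rise and trend checks


@dataclass(frozen=True)
class Alert:
    vendor: str
    reason: str   # "high", "rise" or "trend"
    detail: str


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def recent_window(history, months=WINDOW_MONTHS):
    """Keep only the readings within `months` of the latest reading, oldest first."""
    ordered = sorted(history)            # (date, score) tuples sort by date
    latest = ordered[-1][0]
    return [(d, s) for d, s in ordered if months_between(d, latest) <= months]


def evaluate_vendor(vendor, history):
    """Return the alerts raised by one vendor's RSI history."""
    alerts = []
    window = recent_window(history)
    latest_date, latest_score = window[-1]

    # Signal 1: already in the high-susceptibility band.
    if latest_score > HIGH_RSI:
        alerts.append(Alert(vendor, "high",
                            f"RSI {latest_score:.2f} above {HIGH_RSI} on {latest_date}"))

    if len(window) >= 2:
        first_date, first_score = window[0]
        # Signal 2: relative rise across the window.
        if first_score > 0:
            rise = (latest_score - first_score) / first_score
            if rise >= RISE_FRACTION:
                alerts.append(Alert(vendor, "rise",
                                    f"up {rise:.0%} since {first_date}"))
        # Signal 3: steady upward trend (no reading lower than the one before it).
        scores = [s for _, s in window]
        non_decreasing = all(b >= a for a, b in zip(scores, scores[1:]))
        if len(scores) >= 3 and non_decreasing and scores[-1] > scores[0]:
            alerts.append(Alert(vendor, "trend",
                                f"{len(scores)} consecutive non-decreasing readings"))
    return alerts


def triage(histories):
    """Map each vendor with at least one alert to its sorted alert reasons."""
    result = {}
    for vendor, history in histories.items():
        reasons = sorted(a.reason for a in evaluate_vendor(vendor, history))
        if reasons:
            result[vendor] = reasons
    return result


# Constructed sample histories (vendor names and scores are hypothetical).
SAMPLE_HISTORIES = {
    # Older high reading falls outside the window; inside it the score climbs steadily.
    "acme-logistics": [(date(2024, 11, 1), 0.70), (date(2025, 1, 1), 0.42),
                       (date(2025, 2, 1), 0.45), (date(2025, 3, 1), 0.47),
                       (date(2025, 4, 1), 0.52), (date(2025, 5, 1), 0.55),
                       (date(2025, 6, 1), 0.58), (date(2025, 7, 1), 0.63)],
    # Persistently high but flat: high-band alert only.
    "northwind-parts": [(date(2025, 4, 1), 0.85), (date(2025, 5, 1), 0.84),
                        (date(2025, 6, 1), 0.86), (date(2025, 7, 1), 0.85)],
    # Low and stable: nothing to raise.
    "stable-co": [(date(2025, 4, 1), 0.30), (date(2025, 5, 1), 0.31),
                  (date(2025, 6, 1), 0.29), (date(2025, 7, 1), 0.30)],
}

if __name__ == "__main__":
    for vendor, history in SAMPLE_HISTORIES.items():
        for alert in evaluate_vendor(vendor, history):
            print(f"{alert.vendor}: {alert.reason} ({alert.detail})")
```

The window matters: acme-logistics had a higher reading eight months back, and without the six-month cut-off its "rise" would look like a decline. In practice the reading that triggers the conversation is the rise or trend alert, since the high-band alert only tells you where a vendor already is, not where it is heading.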

  3. Focus on exploitable vulnerabilities

Ransomware attackers aren’t trying to exploit every CVE in the book. They’re looking for one door left ajar—and moving fast when they find it.

In 2024, over 40,000 CVEs were published. But only a tiny fraction were actively exploited in ransomware campaigns. Most vendor risk teams don’t have the capacity—or context—to know which ones to prioritize.

That’s where FocusTags™ come in. Instead of sorting through thousands of CVEs, FocusTags helps you surface the ones that truly require action. You can filter vendors based on specific, high-risk vulnerabilities, track how exposure changes over time, and assess real-world exploitability.

  4. Loop procurement in early

By the time a contract is signed, your leverage is limited. The best chance to manage third-party risk isn’t after onboarding—it’s during selection and negotiation.

That’s why procurement teams need a seat at the table. With tools like RSI and FocusTags, vendor risk teams can bring meaningful intelligence into procurement cycles. That includes screening vendors for susceptibility before selection, building RSI thresholds and response expectations into contracts, and aligning on risk tolerance from day one.

Contracts are accountability tools. They aren’t preventive controls. If you want your vendors to take security seriously, you need to set expectations early while you still have a say in the terms.

  5. Move faster than the enemy

When risk is rising, speed matters. But in most organizations, vendor communication is manual, fragmented, and painfully slow. To respond before attackers strike, vendor communication must be fast, secure, and collaborative.

Tools like Black Kite Bridge™ help streamline that process. The secure, two-way platform allows companies and their vendors to communicate and share information related to cyber risks. You can pinpoint specific issues, recommend fixes, and track remediation progress—all without the delays that give attackers a head start.

  6. Translate cyber risk into financial impact

Ransomware isn’t just a technical problem—it’s a business threat. But it’s hard to know where to focus when everything feels urgent. Translating cyber risk into financial impact helps security leaders prioritize what poses the greatest potential cost to the business.

Cyber Risk Quantification (CRQ) does precisely that. It’s a practical tool that helps CISOs make better, faster decisions. Using Open FAIR™-based models, you can estimate the financial consequences of a ransomware event tied to a specific vendor—whether it’s downtime, lost revenue, or fines—and prioritize accordingly.

It’s not about abstract scores. It’s about helping teams understand what’s at stake for the business, and what it’ll take to fix it.

You’re not just saying, “This vendor is risky.” You’re saying, “This vendor could cost us $5 million in downtime if we don’t act. Here’s what it’ll cost to fix it now.” That’s a conversation security teams and executives alike can understand—and act on.
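The FAIR-style estimate this section describes combines how often a loss event is expected to occur with how much each event costs. The block below is an added example of that calculation, not Black Kite's CRQ implementation: it samples a loss event frequency and the three loss components the text names (downtime, lost revenue, fines) from min/most-likely/max ranges, runs a Monte Carlo over simulated years, and reports the annualized loss expectancy with percentiles. The vendor scenarios and all dollar ranges are constructed; the Poisson draw for event count per year is a modelling choice of this example.

```python
"""Added example: a small Open FAIR-style Monte Carlo for a vendor ransomware
scenario. Not Black Kite's CRQ code; all ranges below are constructed."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Range:
    """A min / most-likely / max estimate, sampled with a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class VendorScenario:
    vendor: str
    lef: Range           # loss event frequency: ransomware events per year
    downtime: Range      # cost of outage per event
    lost_revenue: Range  # revenue lost per event
    fines: Range         # regulatory fines per event


def poisson(rng, rate):
    """Number of events in one year given an expected rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, years=5000, seed=1):
    """Simulate `years` independent years; return ALE and loss percentiles."""
    rng = random.Random(seed)        # fixed seed so results are reproducible
    annual = []
    for _ in range(years):
        events = poisson(rng, scenario.lef.sample(rng))
        loss = sum(scenario.downtime.sample(rng)
                   + scenario.lost_revenue.sample(rng)
                   + scenario.fines.sample(rng)
                   for _ in range(events))
        annual.append(loss)
    annual.sort()
    return {
        "vendor": scenario.vendor,
        "ale": mean(annual),                       # annualized loss expectancy
        "p50": annual[len(annual) // 2],
        "p90": annual[int(0.9 * len(annual))],
        "worst": annual[-1],
    }


def rank_by_ale(scenarios, **kwargs):
    """Highest expected annual loss first: the order in which to spend remediation effort."""
    return sorted((simulate(s, **kwargs) for s in scenarios),
                  key=lambda r: r["ale"], reverse=True)


# Constructed scenarios (hypothetical vendors; dollar figures are illustrative).
SCENARIOS = [
    VendorScenario("acme-logistics",
                   lef=Range(0.05, 0.15, 0.40),
                   downtime=Range(200_000, 800_000, 3_000_000),
                   lost_revenue=Range(100_000, 500_000, 2_000_000),
                   fines=Range(0, 50_000, 500_000)),
    # Same loss magnitudes, but twice the expected event frequency.
    VendorScenario("northwind-parts",
                   lef=Range(0.10, 0.30, 0.80),
                   downtime=Range(200_000, 800_000, 3_000_000),
                   lost_revenue=Range(100_000, 500_000, 2_000_000),
                   fines=Range(0, 50_000, 500_000)),
]

if __name__ == "__main__":
    for r in rank_by_ale(SCENARIOS):
        print(f"{r['vendor']:16} ALE ${r['ale']:>12,.0f}  "
              f"p50 ${r['p50']:>12,.0f}  p90 ${r['p90']:>12,.0f}  worst ${r['worst']:>12,.0f}")
```

The percentiles are the part worth showing an executive: the median year for a low-frequency vendor is often zero loss, so the ALE alone understates how bad a bad year is, while the p90 and worst-case columns put a number on "if we don't act". Comparing a vendor's ALE against the cost of the fix is the trade-off the section describes.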

The Rules of Engagement Have Changed

Being a CISO today means navigating a risk environment that’s moving faster than traditional security frameworks were ever designed to handle. Threats are constant, attacker tactics evolve daily, and the sheer sprawl of third-party ecosystems makes visibility harder than ever to maintain.

Still, too many CISOs are expected to manage that complexity with point-in-time data, rigid frameworks, and legacy assumptions about how risk behaves. That gap between how attackers think and how organizations assess risk is one of the reasons ransomware remains so effective. 

Defending against ransomware now means prioritizing agility over rigidity. It means tracking how risk is evolving—not just how it looked at last year’s review. And it means understanding which vendors are most likely to be targeted (and why), not just which ones check the right boxes.

The leaders who will stay ahead aren’t marching in formation. They’re adjusting in real time, questioning old tactics, and choosing agility over tradition. The redcoats lost by sticking to the rules—and in cybersecurity, that mindset will lose this war, too.

Read the 2025 Ransomware Report to get a clear view of changing ransomware threats and how Black Kite can help you stay ahead of the next attack.