The Third-Party Ransomware Attack You Never Saw Coming

November 11, 2020 • Trevor Lyness

It’s no secret that ransomware attacks are massively on the rise. Over the past 18 months, ransomware has emerged as the premiere way for threat actors to make money. Ransomware demands are doubling every six months, and for large enterprises, those demands are often for millions of dollars.

Organizations employ a variety of strategies to ensure that ransomware never hits their business. However, the increasing prevalence of ransomware can damage your business without threat actors targeting your infrastructure.

Ransomware Attacks On Your Third Parties Put Your Business At Risk

Ransomware attacks on third parties are not new, but their increasing frequency means that you need to treat it as an inevitability. But before you start your plan to mitigate third-party ransomware risk, it’s important to understand the three different ways a ransomware attack on third parties can affect your organization:

  1. Data breach — If you trust a third party with your sensitive data, you need to treat any third-party ransomware outbreak as a potential data breach, because it likely is. While ransomware is best known for system lockdowns and ransom notes, ransomware actors frequently exfiltrate data first in order to increase their leverage over victims.

    For example, Blackbaud, a cloud services provider, had a ransomware attack that resulted in dozens of their customers issuing breach disclosures to their customers. And that’s in spite of the fact that Blackbaud paid the ransom, with the hope that attackers destroyed the data in response.

  2. Business interruption — Ransomware is notorious for causing business disruption. What would you do if one of your key vendors went offline for a day, a week, or longer? Ransomware attacks cripple a company’s infrastructure, often dramatically disrupting their ability to conduct business. If your third party provides an essential product or service to your business, a ransomware attack can cause massive harm.
  3. The ransomware moves from your third parties to you — In the worst-case scenario, your third party isn’t the only one hit by ransomware – the threat actors use the third-party’s privileged access to jump over to your own organization. We saw this August 2019 when 22 towns in Texas were hit in a coordinated ransomware attack. The common weak point was a managed service provider. Similarly, over 400 dentist offices were hit through a software provider.

Third Parties Aren’t Always Forthcoming on Attack Details

Third-parties affected by cyberattacks aren’t often swift or detailed when it comes to breach disclosure. In the case of a devastating ransomware attack, incident response and cleanup come first — something that can take days or even weeks. But if your third party has been hit by ransomware, you don’t have time to wait for your third party to issue a statement. In addition, breach disclosures often lack key details such as what type of ransomware was used. You need better, faster information, so you can react at speed.

Ransomware Extortion Sites Provide an Opportunity for Action

Ransomware extortion sites are a relatively new method used by ransomware actors to extort their victims. Several ransomware groups use extortion websites to post the names of their victims in an attempt to shame them into paying. If the victims refuse to pay, the actors release the stolen data publically. In some cases they’ll even attempt to auction the data off to the highest bidder.

Monitoring ransomware extortion sites for mentions of your third parties is a crucial part of proactive third-party risk management. It gives you a massive boost in understanding and responding to a potential third-party ransomware attack quickly. While you should never trust information on the sites without proper verification, they are a strong, and more importantly, fast signal that something is wrong.

Stay Ahead of Third-Party Ransomware Attacks With Third-Party Intelligence

Real-time third-party intelligence from Recorded Future allows you to monitor ransomware extortion sites for mentions of your vendors, suppliers, partners, and contractors, allowing you to stay in front of third-party ransomware risk.

In the event that a third party is struck by ransomware, Recorded Future’s threat intelligence enables deeper analysis and better incident response, granting you deep knowledge of trending ransomware threats and threat actors, as well as threat hunting packages to ensure the ransomware isn’t in your environment.

If you’re interested in learning more about what you can do to mitigate third-party ransomware risk, tune in to our webinar “Managing Third-Party Risk in the Age of Ransomware.”

New call-to-action