On March 1, 2024, an affiliate of the BlackCat ransomware group, also known as AlphV, alleged that the group had cheated him out of his cut of the Change Healthcare ransom payment, a $22 million bitcoin transaction that was publicly visible on the blockchain.

Change Healthcare later confirmed the payment, making it one of the largest healthcare ransomware payments to date. The attack resulted in lost revenue of over $1 billion, operational disruptions such as delays in bill payments and payroll, limited ability to approve prescriptions and medical procedures, and exposure of both protected health information (PHI) and personally identifiable information (PII). (This data was never returned, despite the group’s promise to do so in exchange for the ransom payment.)

The third-party ransomware attack occurred as a result of a ransomware group using compromised credentials to attack the organization’s Citrix portal. Since the portal had weak access controls and did not implement multi-factor authentication (MFA), it served as a successful entry point for the ransomware group.

Ransomware payments increased to $1.5 million in 2024, with almost half (46%) of organizations identifying the attack as originating from a third party. How can organizations better secure their third-party relationships to guard against these increasingly damaging ransomware attacks?

Understanding the Risk of a Third-Party Ransomware Attack

Each new ransomware payment incentivizes groups like BlackCat to continue their attacks – often on the same organization. The healthcare industry is enticing for these attackers because downtime is particularly damaging to their services and patients. In addition, their systems and networks are full of sensitive data that can be stolen, exposed, or exfiltrated, and they often use outdated legacy systems that are particularly vulnerable to attacks.

Other notable recent ransomware attacks include: 

  • Prospect Medical Holding. An attack on a Los Angeles-based healthcare management services organization shut down online systems in hospitals in Connecticut, Pennsylvania, Rhode Island and Texas, forcing them to close urgent care centers and divert ambulance services while they reverted to a paper system for a week.
  • Blue Yonder attack. In November 2024, a ransomware gang targeted vulnerabilities found in the logistics and supply chain management tool used by Starbucks. The attack caused disruptions in its inventory management and point-of-sale (POS) systems, making it difficult for Starbucks to track, replenish and manage orders and for customers to place orders.
  • AT&T. Data compromised in April and May through the third-party platform Snowflake included call detail records (CDRs) of more than 100 million AT&T customers. The hacker, who belonged to the ShinyHunters hacking group with a history of successful attacks, received $370,000 in ransom payment. The breach impacted other companies within the AT&T supply chain and resulted in a $130 million drop in market cap.
  • Deloitte. The ransomware group Brain Cipher claimed responsibility for stealing a terabyte of data from Deloitte. The professional services company announced that their systems were unaffected, but a client’s third-party system was impacted, underscoring the importance of third-party risk management.

Third-party ransomware attacks infiltrate organizations through a number of methods, disrupting operations and compromising sensitive data. Attackers often combine different attack vectors to increase the sophistication of the attack.

The attack vectors include: 

  • Compromised credentials. Attackers succeed at guessing or stealing email addresses and passwords, then use them to access systems or applications shared between the vendor and the organization. They can then steal or exfiltrate data and move laterally through the system, causing further damage.
  • Software supply chain attacks. Third parties along the supply chain can be used to install ransomware, infecting their systems and disrupting operations and systems throughout the supply chain. An example is the Kaseya attack, which impacted over 2000 businesses via an automatic software update of the Managed Services Provider (MSP) tool that delivered the REvil ransomware.
  • Misconfigured systems and cloud services. The rise in third-party cloud and data services, combined with poor security controls, overly permissive permissions, and exploitation of automated processes like deployment scripts and DevOps pipelines, gives attackers a greater opportunity for ransomware to spread through interconnected systems.
  • Phishing and social engineering attacks. Attackers send phishing and social engineering emails to third-party vendors to trick employees into disclosing email addresses and passwords. These types of attacks remain the primary entry point for ransomware.
  • Unpatched vulnerabilities in third-party software or hardware. Attackers exploit these vulnerabilities to infiltrate systems and even attack the digital supply chain as they did with the MOVEit attack. 

Best Practices for Securing Third-Party Relationships Against Ransomware

Ransomware attacks in the healthcare and financial industries offer tremendous opportunity for attackers due to the massive amounts of highly sensitive data these industries collect and their need to deliver business continuity to customers at all times. As a result, the majority of organizations (78%) that suffer a ransomware attack are attacked again, and 63% of these were asked to pay a higher ransom the second time. Implementing best practices is critical to proactively secure your third-party relationships and better defend against these attacks.

These include:

  • Conducting comprehensive vendor risk assessments throughout the vendor lifecycle to ensure real-time evaluation of vendor risk.
  • Implementing strong access control measures to add another layer of protection to your sensitive data, systems, and IT infrastructure.
  • Establishing clear security policies in third-party contracts to define where your organization’s and your third party’s responsibilities lie.
  • Using AI and automation to enable the analysis and early detection of anomalous or suspicious behavior.
  • Deploying automated risk scoring platforms that continually evaluate third-party risk.

Conduct Comprehensive Vendor Risk Assessments

Before onboarding a new vendor, it is essential to conduct thorough evaluations of the potential risk the business relationship could bring to your organization. This is particularly important with third-party vendors because they often lack the resources to implement cybersecurity best practices that the target organization has. Thorough third-party risk assessments identify any cyber gaps the vendor poses and take steps to mitigate them. To conduct accurate evaluations of your third-party vendor risk, however, you’ll also need a cyber posture rating that accurately assesses your third-party risk according to the level of criticality.

Implement Strong Access Control Measures

Managing third-party permissions and access drains an organization’s resources and time. It shouldn’t be surprising, then, that over half (64%) of organizations state they lack visibility into third-party permissions and access. However, strong access control measures deliver many benefits, including fewer potential data breaches and compromised credentials, and detailed monitoring and logs that enable quicker incident response. In addition, strong access control measures such as multi-factor authentication (MFA) and least-privilege access are often required by regulations such as GDPR, HIPAA and PCI DSS. Failure to provide strong access control for such sensitive personal data can result in hefty penalties and reputational damage.
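The visibility gap described above can be closed partly with the logs that access controls produce. The following audit is an added example, not Panorays’ code or anything from the original post: it runs over constructed vendor sign-in events (the JSON schema, the `vendor-` account prefix and the 90-day offboarding threshold are all assumptions) and flags the three gaps this page ties to the Change Healthcare entry point and the vendor lifecycle: successful logins without MFA, logins from a country the vendor account has never used, and accounts left enabled long after their last use.

```python
"""Constructed example: audit vendor sign-ins for logins that succeeded without
MFA, logins from a country the account never used before, and enabled vendor
accounts unused past the offboarding threshold. Sample log and schema are invented."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

STALE_DAYS = 90  # assumed offboarding threshold, not a value from the page

SAMPLE_LOG = """
{"ts":"2024-02-10T08:02:11Z","user":"vendor-billing-svc","result":"success","mfa":true,"src_country":"US"}
{"ts":"2024-02-12T22:40:05Z","user":"vendor-billing-svc","result":"success","mfa":false,"src_country":"US"}
{"ts":"2024-02-13T03:15:47Z","user":"vendor-billing-svc","result":"success","mfa":false,"src_country":"RO"}
{"ts":"2023-10-01T09:00:00Z","user":"vendor-legacy-etl","result":"success","mfa":true,"src_country":"US"}
{"ts":"2024-02-13T04:00:00Z","user":"staff-alice","result":"success","mfa":false,"src_country":"US"}
"""

def is_vendor(user):
    # Naming convention assumed for the example: third-party accounts carry a prefix.
    return user.startswith("vendor-")

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])  # baseline must be built in time order

def audit(log_text, now):
    """Return {finding_type: [(user, timestamp), ...]} for vendor accounts only."""
    findings, last_seen, countries = defaultdict(list), {}, defaultdict(set)
    for e in parse(log_text):
        u = e["user"]
        if not is_vendor(u) or e["result"] != "success":
            continue  # staff accounts and failed attempts are out of scope here
        last_seen[u] = e["ts"]
        if not e["mfa"]:
            findings["no_mfa"].append((u, e["ts"]))
        if countries[u] and e["src_country"] not in countries[u]:
            findings["new_country"].append((u, e["ts"]))  # deviates from the account's baseline
        countries[u].add(e["src_country"])
    for u, ts in last_seen.items():
        if now - ts > timedelta(days=STALE_DAYS):
            findings["stale_account"].append((u, ts))  # candidate for offboarding
    return dict(findings)

def run_sample():
    # Reference date is constructed to match the sample log.
    return audit(SAMPLE_LOG, datetime(2024, 3, 1))
```

In practice the country baseline would be seeded from the vendor’s contracted locations rather than learned from the log alone, so that the first login from an unexpected place is also flagged.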

Establish Clear Security Policies in Contracts

Another proactive measure for defending against third-party ransomware attacks is clearly defining the responsibility of the vendor versus the organization in terms of data security and management. For example, these contracts should define the level of required data encryption, the type of access controls, and how frequently vendor risk assessments should be conducted. They should not only require adherence to specific cybersecurity frameworks and regulations such as NIST, but also to those that address third-party cybersecurity risk such as DORA, SOX, PCI DSS, and ISO/IEC 27001. They should also include clear processes for vendor risk management at all stages of the vendor lifecycle: onboarding, ongoing security monitoring, and offboarding.

AI and Automation for Rapid Response

Organizations are increasingly leveraging artificial intelligence (AI) and automation to enhance their defenses against third-party ransomware attacks. AI-powered threat detection can analyze large amounts of data such as network traffic and user behavior to identify emerging threats. Automation allows for real-time monitoring to ensure immediate alerts and response. In addition, automated asset management can quickly and regularly take inventory of all of your organization’s IT assets and identify the different users that have various access and permissions to those assets. AI can also be used in incident response to both detect and prioritize incidents, proactively responding to both known and unknown threats. Automation can help restore systems to their original state from before the attack, mitigating damage. 

Automated Risk Scoring Platforms

Automated risk assessments that include contextual and continuous risk scoring deliver optimal defense against third-party risk. Panorays’ Risk DNA, for example, is a cyber posture rating system that evolves to reflect the dynamic nature of third-party relationships and their risk, including shifts in data access, business criticality and developing vulnerabilities. It gathers this information by assessing the level of risk posed across your third parties’ external attack surface assets.

This information is gathered at three different layers: 

  • IT and network. Parameters involving DNS servers, SSL-related protocols, etc. 
  • Applications. Parameters involving web applications, domain hijacking, etc.
  • Human. Parameters involving social posture and the presence of a dedicated security team, etc.

Developing a Joint Incident Response Plan with Vendors

After identifying gaps in cybersecurity with your risk rating system, you’ll need to document them so that you can share them with your vendor and develop a plan for remediation.

This plan should include: 

  • Collaborative response planning
  • Communication channels and coordination
  • Vendor accountability and remediation

Collaborative Response Planning

A joint incident response should include coordinated action with both vendors and external regulators that includes the sharing of best practices and threat intelligence and updating response procedures based on the outcomes of any simulation exercises. Roles and responsibilities should be delegated for both parties that include threat detection, containment, eradication and recovery. Along with a quicker response time in the event of an attack, a joint response allows for a more effective and unified response to defend against third-party risk in general. 

Communication Channels and Coordination

Vendors and organizations should be aware of the specific communication channels and methods available for rapid response and information sharing. The two parties should understand how incidents should be reported, which parties should be notified, and how frequently updates are expected. These communication protocols should streamline the flow of information so that each party has access to it and all parties are aligned in their response.

Vendor Accountability and Remediation

Depending on the specific circumstances and compliance requirements, vendors may be held accountable for breaches and required to work collaboratively with the target organization to implement corrective action. Conducting periodic audits in collaboration with third parties can ensure that they are following cybersecurity best practices, addressing issues proactively, and making improvements to minimize similar issues in the future.

Training and Awareness Programs for Vendors and Employees

With proper tools and knowledge, organizations can better defend their systems and data from ransomware attacks and mitigate the damage incurred.

This includes: 

  • Cybersecurity training
  • Simulated attack exercises
  • Awareness campaigns 

Cybersecurity Training

Regular training of both your internal team and your vendors should include understanding the threat landscape such as the latest vulnerabilities and threats to the supply chain. Awareness of the latest phishing tactics, which are one of the most common attack vectors for ransomware, and safe browsing practices should also be emphasized. All it takes is for an employee to simply click on a malicious link or download unverified software to unleash ransomware into your network, systems and supply chain. 

Simulated Attack Exercises

Running ransomware simulations, also known as tabletop exercises, with vendors helps you test and refine your response protocols. These exercises assist in clearly defining the roles throughout your organization – not only the IT department, but the CFO, CEO, CMO, etc. Although it can be challenging to assign different roles and responsibilities and simulate how they work together in the event of an attack, this level of detail is essential for optimizing response and minimizing damage at the moment of truth.

Awareness Campaigns

Your vendor, third parties, and external stakeholders should be educated about the latest ransomware tactics and prevention measures. For example, employees should be aware of the risk IoT devices, cloud services, and shadow IT present and how they can easily be exploited through a third party to launch a ransomware attack. Promoting a culture of cybersecurity awareness is the best way to strengthen your third-party risk management and should be a priority for every organization.

Third-Party Ransomware Attack Solutions

Third-party relationships aren’t disappearing any time soon – if anything, organizations will increasingly rely on them, in addition to fourth, fifth and n-th party solutions, in their digital supply chains. It’s critical that your organization engage in the most effective proactive measures, adopt relevant technology, and facilitate collaboration with vendors to enhance its ransomware preparedness.

With a third-party cyber risk management platform such as Panorays, you’ll be able to continually map and take inventory of these third, fourth, and n-th parties while assessing their level of business criticality and rating them according to the platform’s context-based cyber rating. This cyber rating, or Risk DNA, reflects the changes in your third-party relationships as well as new vulnerabilities and breaches in your external attack surface that can lead to damaging ransomware attacks.

Want to learn more about how Panorays can help you strengthen your third-party risk management to mitigate against ransomware threats? Get a demo today!

Third-Party Ransomware Attack FAQs