Third-party ransomware risk is real, but Black Kite’s latest tool can help

Black Kite’s Ransomware Susceptibility Index calculates the probability of a third-party provider being hit by ransomware within 12 months, …


A new assessment service from cybersecurity ratings provider Black Kite will provide enterprise defenders with information about which of their third-party partners and vendors may be vulnerable to a ransomware attack.

Ransomware was the scourge of information security in 2020, as the malware brought all kinds of organizations — financial services, healthcare facilities, educational systems, municipalities, and enterprises — to a screeching halt. Ransoms are getting larger and tactics have evolved, as attackers shifted away from just encrypting data to actually stealing the data.

The Ransomware Susceptibility Index analyzes technical data from open source intelligence sources to calculate the probability that a company will suffer a ransomware attack within 12 months, Bob Maley, Black Kite’s chief security officer, told VentureBeat. The Index is built on a machine learning model that considers 26 controls to produce a score between 0 and 1; the higher the value, the more likely the company is to be hit by a successful ransomware attack.

The goal is to give enterprises reliable data about their ransomware risk so that they can make informed decisions about how they work with third-party partners, Maley said.

Third-party risk assessment

Many ransomware attacks now target third-party suppliers and partners instead of going straight for one company. One reason is that the partners may have weaker security defenses: they may be behind on their security updates, or their employees may be more likely to fall for phishing schemes. Another reason is that attacking a supplier nets the gang more victims, because as a supply chain attack it affects all of the supplier’s customers.

In August 2019, 22 towns in Texas were hit by a ransomware attack when the gang targeted the managed service provider used by the towns. When cloud services provider Blackbaud was hit by ransomware, dozens of their customers had to disclose the breach.

Enterprises have to look beyond their own environment when assessing their ransomware risk, Maley said. If the third-party providers are hit, the malware may be able to cascade into their networks. Or the gang will steal data from the provider that actually belongs to the client organizations. Enterprise defenders can use the Index to gauge the risks of a ransomware attack for each of their partners.

The Index isn’t just a score. It also displays a detailed report showing which of the 26 controls were missing. If a partner has a high score, the security team can call the partner and demand the issues be fixed, Maley said.

Verifying the math

Black Kite’s team of researchers needed a way to check the Index’s accuracy, so they turned to the Dark Web. Many ransomware gangs now sell the stolen data on criminal marketplaces if the victim doesn’t pay the ransom. The team looked for data dumps which were the result of ransomware attacks and checked the Index to see the victim organization’s score.

Just two weeks ago, notorious ransomware gang REvil said it had stolen schematics of unreleased Apple products from an Apple supplier. The gang demanded $50 million from Apple or it would sell the data to the highest bidder. The RSI score for that Apple supplier was 0.729, Maley said.

A prominent healthcare provider that had its data for sale after a ransomware attack (which has not been publicly discussed at this time) had an RSI score of 0.928, Maley said.

Black Kite was able to validate the Index’s accuracy by checking multiple victims across different industries, Maley said.

Attacker perspectives

There is a growing sense among defenders that there is no way to avoid the attack, so the focus should be on making sure recovery is possible, Maley said. While recovery planning is important, defenders shouldn’t give up trying to block the attack.

Attackers research their targets before launching their attacks. Their research includes identifying potential phishing victims, searching for user credentials, scanning for unpatched vulnerabilities and outdated software, uncovering fraudulent domains, and looking for exposed ports. With this information in hand, the attackers craft a campaign to get a foothold onto the network in order to deploy the ransomware. RSI relies on the same data sources to calculate ransomware risk.

“You can either be fatalistic or you can look at what the attackers look at,” Maley said.

