Archive for Black Kite

Black Kite Releases 2025 State of Financial Services Report

Posted in Commentary with tags on July 10, 2025 by itnerd

Black Kite today announced its newest report, 2025 State of Financial Services: Hidden Dangers in the Vendor Ecosystem, which explores the shifting landscape of cyber threats in the financial sector, highlighting the critical importance of understanding and mitigating the hidden dangers within the vendor ecosystem. The report found that while banks and financial institutions possess strong defenses, third-party vendors often lack the same level of security, providing attackers with indirect access to the institutions they serve.

Over the past two years, successful ransomware attacks targeting the financial sector have decreased, from 191 disclosed victims in 2023 to 156 in 2024 and 55 as of mid-2025. There are several reasons for this decrease, including the difficulty of breaching these systems and changes to the ransomware ecosystem. As highlighted in Black Kite’s 2025 Ransomware Report, the dismantling of major and well-equipped ransomware groups, such as LockBit and AlphV, led to fragmentation. This has opened the door to less sophisticated groups and to Ransomware-as-a-Service (RaaS) tools being sold as an entry point for less experienced individuals. For instance, nearly one-third (26.6%) of finance threat actors are attributed to “Other,” which includes emerging or short-lived groups, reinforcing that the ransomware landscape is more fragmented, unpredictable, and opportunistic than ever.

The report highlights third-party risk: attackers are shifting from targeting financial institutions directly to exploiting weaker links within their ecosystems. External service providers, software vendors, and infrastructure partners often serve as alternative and more vulnerable entry points for attackers. Therefore, while the drop in direct attacks is promising, the risk of indirect access through third parties poses a serious threat.

The report’s key findings include:

  • Shifting Attack Focus: Attackers increasingly exploit weaker links within the financial ecosystem, primarily through third-party vendors. The report found that 65% of vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known CVEs and potentially unpatched zero-day vulnerabilities in legacy technologies.
  • Pervasive Vendor Vulnerabilities: A significant number of vendors exhibited critical security weaknesses, including outdated systems, poor patch management, and credential exposures. Black Kite researchers found that 31 out of 140 vendors have at least one critical vulnerability with a CVSS at or above 8, and 15 vendors show an extremely high risk with CVSS scores above 9. Additionally, Black Kite FocusTags™ found 90 vendors are flagged with high-risk threat categories, including 35 marked with KEV tags.
  • Growing Supply Chain Impact: Vulnerabilities in vendors can lead to security risks for financial companies, even from non-cyber events like service outages. Case in point: in December 2024, Cl0p actively targeted companies using unpatched versions of Cleo’s MFT products. Cl0p claimed responsibility, listing 66 victims on their dark web extortion site, but researchers estimated the actual number of impacted organizations to be in the hundreds. The exploitation resulted in operational disruptions across various sectors linked to financial supply chains, including retailers that faced delays in shipment tracking and inventory management, and manufacturers with production halts and increased downtime due to compromised integrations.
  • Declining Direct Ransomware Attacks: The number of direct ransomware attacks on the financial sector has decreased from 191 companies in 2023 to 55 as of mid-2025, largely due to the implementation of strong defenses and the disruption of major threat groups.

Financial institutions can no longer afford a false sense of security based solely on their internal defenses. They must mitigate the dangers within their supply chain by adopting a proactive, intelligence-driven approach to vendor risk management. Only then can they truly strengthen their cybersecurity posture against the evolving landscape of threats to protect their assets, customers, and the stability of the broader financial ecosystem.

To read the report, visit here.

Methodology

The report’s data comes from a multi-source, intelligence-led investigation by the Black Kite Research & Intelligence Team (BRITE), with integrated streams of intelligence curated by BRITE between January 2023 and May 2025. The report focused on a targeted analysis of 140 vendors serving the financial sector. Selection was made based on a unique criterion: vendors whose client base included at least 10% financial sector customers, regardless of company size. This ensured that the analyzed vendor pool reflected high relevance and potential impact on the financial services supply chain.

Black Kite Introduces AI-Powered Cyber Assessments

Posted in Commentary with tags on June 9, 2025 by itnerd

Black Kite today announced AI-powered cyber assessments, an automated solution for streamlining third-party cyber risk assessments. With its automation-led approach, Black Kite is redefining how enterprises assess risk across their vendor ecosystems to make informed decisions and bring cyber resilience to their supply chain.

Purpose-built to empower enterprises by eliminating manual effort, compressing assessment timelines from months to minutes, and delivering more accurate, intelligence-driven insights, Black Kite parses vendor documentation, leverages trust center data, and maps everything to industry frameworks. If gaps remain, teams can choose to send a focused questionnaire. Additionally, AI-powered cyber assessments integrates directly into the Black Kite platform, transforming traditionally tedious and inconsistent assessment workflows into automated, auditable, and scalable processes.

Key features and benefits include:

  • Automation at every step: Initiates cyber assessments instantly using readily available intelligence and documentation, eliminates manual review tasks by leveraging AI to read, extract, and summarize documents, and accelerates risk workflows by automating document-to-control mapping and response generation.
  • Accurate, risk-driven insights: Analyzes robust, audit-quality documents written by practitioners to extract trustworthy data, maps technical findings to assessment controls using AI and embedded intelligence, surfaces risks that are actionable and verifiable, not just self-reported by vendors, and quantifies vendor risk using Open FAIR™ to inform business decisions.
  • Collaboration and tracking: Shares findings with internal teams and vendors through The Bridge™ workspace, establishes persistent workspaces to centralize documentation, findings, and communication, and monitors changes over time and documents actions for audit-readiness.

With this new offering, Black Kite is flipping the traditional model by starting with automation and leveraging AI from the outset to streamline and scale vendor risk assessments. Now, assessments kick off with intelligence rather than a spreadsheet.

Black Kite AI-powered cyber assessments is available as a component of a package, including Assess, Extend, and Monitor. Check it out now.

Black Kite Releases 2025 Ransomware Report, Revealing 123% Increase in Ransomware Attacks Over Two Years

Posted in Commentary with tags on May 13, 2025 by itnerd

Black Kite today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems, which provides a deep analysis into evolving ransomware trends and threats. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.

Between April 2024 and March 2025, ransomware attacks escalated with unpredictable campaigns across a wide range of industries. As uncovered by Black Kite’s Research & Intelligence Team (BRITE), the number of publicly disclosed victims saw a 25% increase from the previous year. This follows a steep rise in the previous period with an 81% surge, amounting to a 123% increase over two years. The year also saw a noticeable uptick in attacks against small and mid-sized businesses (SMBs) due to their less robust cybersecurity defenses and lower risks of retaliation, and a rise in supply chain warfare with attackers focused on third-party vendors where just one compromised provider can disrupt dozens to hundreds of downstream organizations. These incidents, often called silent breaches, can go unnoticed until their ripple effects halt operations across industries.

Leveraging data and machine learning, Black Kite’s Ransomware Susceptibility Index® (RSI™) proved to be a critical signal. A numerical score between 0.0 and 1.0, with a higher score representing greater susceptibility to a ransomware attack, RSI goes beyond cyber risk metrics and provides a composite score that incorporates technical indicators and intrinsic risk factors. In fact, for those with RSI above 0.8, nearly half (46%) were attacked, and most organizations showed rising RSI trends well before a breach.

The report’s key findings include:

  • Publicly disclosed ransomware victims climbed to 6,046, a 24% increase year over year, and more than doubled since 2023
  • 52 entirely new groups emerged in the last year, resulting in 96 active ransomware groups
  • Under-resourced, understaffed, and underprepared, SMBs ($4M-$8M) were the most frequently targeted
  • Ransomware was responsible for 67% of known third-party breaches
  • 46% of organizations with RSI greater than 0.8 experienced ransomware attacks
  • With smaller, less sophisticated operators that often lack the infrastructure to run complex extortion operations, ransom payment values declined by 35%, but the overall impact has widened

Ransomware is no longer dominated by large syndicates. Today’s organizations must contend with smaller groups that have less experience but the same intent – disrupt, extort, and repeat. While the tactics lack the sophistication of their predecessors and the targets are smaller, the volume and unpredictability of this new era of ransomware present a new set of challenges. Organizations must also defend against AI-driven ransomware that could help attackers bypass existing security systems and evade detection, for example by analyzing EDR logs or monitoring incident response communications to adjust ransom demands.

Access the full report here.

Methodology

The findings in this report are the result of a comprehensive year-long investigation conducted by the Black Kite Research & Intelligence Team (BRITE), covering the period between April 1, 2024 and March 31, 2025. The methodology combines continuous monitoring of ransomware operations with detailed victim analysis and dark web intelligence gathering:

  • BRITE monitored activity from over 150 ransomware groups, tracking their leak sites, extortion posts, and public disclosures. A group was considered “active” if it published at least one victim within the last 12 months. By March 2025, 96 groups met this threshold.
  • A total of 6,046 victims were identified through leak site monitoring, cross-validated with open-source intelligence and internal telemetry. For each victim, BRITE analysts determined industry classification using NAICS codes, headquarters location by country, and estimated company size based on publicly available financials or trusted databases. BRITE also leveraged the Black Kite platform to assess each victim’s cybersecurity posture before and after the incident, helping to identify patterns in susceptibility and exposure.
  • To complement leak site tracking, BRITE actively monitored ransomware blogs, Telegram channels, and dark web forums to identify group narratives, affiliate activity, and coordination patterns. This enabled the team to detect new groups quickly and contextualize victim disclosures beyond surface-level postings.

Cost of a Data Breach Average $15.01 Million: Black Kite

Posted in Commentary with tags on August 2, 2022 by itnerd

Black Kite has today released ‘The Cost of a Data Breach: A New Perspective’, which examines the impact of 2,400 cyber incidents between 2017 and 2022. The most notable takeaway is that, of the 1,700 companies with a digital presence that could still be monitored, the overall average cost of a data breach is now over $15.01 Million. Additional key findings include:

  • Overall average cost of a data breach (outliers removed) – $15.01 million
  • Overall average cost of a data breach (including outliers) – $75.21 million
  • Most financially devastating threat actor: Conti, with ten attacks averaging $84.98 million per incident
  • Seven hundred of the companies breached within the last five years – or one-third – no longer have a digital presence or never disclosed their company name
  • Seventy-nine percent of the 1,700 analyzed breached companies are highly susceptible to a phishing attempt
  • Finance and Insurance had the highest number of incidents (445), with an average cost of $35.34 million per incident

None of those are trivial numbers. And Mark Bower, VP of Product Management for Anjuna Security had this to say:

     “While many of the classical threats, including ransomware, penetrate and devastate traditional on-premises servers and IT, the stakes are even higher with increasing cloud transformation driven by the need to handle more data, more analytics at a scale not previously possible. To avoid such projects becoming part of the trillion-dollar data breach debt, forward-thinking organizations are embracing completely new confidential computing models to essentially eliminate the new and vulnerable cloud attack surfaces. By embracing this, the most sensitive workloads can be executed with controls locked by cloud computing hardware itself – and highly resistant to attack from inside threats or external exploitation.”

My take home from this report is to not be a victim. Because based on these numbers, it’s cheaper to prevent being a victim than to be pwned.

UPDATE: I have two additional comments. The first is from Sanjay Raja, VP of Product at Gurucul:

     “As successful breaches continue to pile up and the cost of a breach continues to escalate, too many vendors are claiming to have the silver bullet to solve the challenges that security operations teams face, while really providing a cobbled together set of capabilities like a house of cards. We have seen the direct result of more advanced and costly attack campaigns combined with unadaptable and insufficient SIEM and XDR solutions leading to security struggling to detect, investigate and respond to attacks from just 2 to 3 months extended to 7 to 9 months in recent years. Tacking on analytics or functional pieces is not the solution. Organizations need an integrated approach that not only detects an attack, but also helps security teams prioritize and validate the full attack campaign early in the kill chain. This requires significant breadth and depth of open and interconnected security analytics across a wide set of data sets, behavioral-based detection methods working in conjunction, not siloed, and accurate and precise context and risk scoring to drive the entire security operations lifecycle till the attack is fully eradicated before an organization loses millions of dollars, brand reputation and shareholder value.

As always, the best defense is an effective offense to protect against data breaches. Organizations need newer and more advanced technologies beyond current XDR and SIEM platforms. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and automate responses with a high-level of confidence are critical in deciding where to invest.”

The second is from Kevin Novak, Managing Director at Breakwater Solutions:

     “Small to Mid-Sized Businesses (SMBs) are particularly susceptible, and very financially exposed, to threats today. To compete, they are being forced to deliver technological capabilities that rival their larger competitors, but they simply don’t have the benefits of scale that those larger companies have to support that technology. In fact, we often see SMBs without any formalization of cybersecurity within the enterprise but maintaining a significant online presence. The good news for these SMBs is that third parties and the use of public cloud services have made it possible for firms to offer technology solutions rivaling the larger institutions. The bad news is that these third parties often maintain a “shared security responsibility” model, one that is regularly misunderstood by enterprises purchasing their services. This leaves the door open for accidental misconfigurations and accounts for one of the most significant causes of security events today.

Often, when thinking about cybersecurity, an enterprise will consider things like data being leaked, or bank accounts being compromised. Their decision making around these threats leads to only partially informal decisions about loss appetite. They fail, unfortunately, to consider many of the other aspects of cyber risk, including cyber events that, for instance, create operational downtime or a complete unrecoverable loss of company data. This is particularly seen with attacks that leverage destructive malware and Ransomware (one of the top attack types seen today). Companies that suffer such events face the possibility of a complete, extended operational meltdown, one that is very difficult to explain to clients and regulators. It should come as no surprise, then, that these types of attacks tend to cost companies the most. For this reason, firms need to consider not only those controls that can be used to prevent a cyber event, but also those principles that detect, respond, and recover from an event. This includes the development and maintenance of a security operations center focused on threat detection, an Incident Response program, and a Business Continuity and Disaster Recovery Program. One that is particularly focused on ensuring the resilience of the most critical business processes and data.

It is very important that companies consider the spectrum of potential loss events in the context of their own design, with knowledge of their total loss potential with and without controls. This includes developing an understanding of the possible cyber scenarios that might befall that company, and further mapping the likelihood of each scenario occurring. While tail events understandably don’t happen often (though more so in the past several years), those tail events may be large enough to threaten the firm’s ability to maintain itself as a going concern, or minimally create a material, reportable loss for the firm. For this reason, Black Kite has posted their findings with and without consideration for tail events. It’s important to recognize that while the average without tail events (the most common events) is $15.01MM, the average with tail events jumps to $75.21MM…clearly a number of very significant loss events in that mix…ones that firms should consider when determining overall cyber risk loss exposure.

With SMBs and even larger firms, we often see significant opportunities for focus when it comes to cybersecurity and dollar spend strategies.”