Key Takeaways from the 2025 Third-Party Breach Report

13 February 2025 at 11:23

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer

Every breach tells a story. In 2024, that story was about third-party vulnerabilities becoming the preferred entry point for attackers. From ransomware attacks that threatened supply chains to credential misuse that compromised entire industries, third-party breaches surged in both scale and sophistication.

Black Kite’s 2025 Third-Party Breach Report takes a deep dive into these incidents, analyzing the most significant third-party breaches of 2024 to identify the key trends shaping the future of cybersecurity. This year’s findings highlight critical shifts in the third-party risk landscape: ransomware affiliates are becoming more aggressive, unauthorized network access remains the most exploited attack vector, and regulatory frameworks are driving improvements — but not evenly across industries.

5 Takeaways from the 2025 Third-Party Breach Report

For cybersecurity leaders looking to adapt their strategies for the year ahead, here are a few notable findings from this year’s report — and what they mean for your approach to third-party risk management.

Read Black Kite’s 2025 Third-Party Breach Report, no download required.

1. A shift to continuous risk monitoring

In 2024, the Cleo File Transfer ransomware attack was a wake-up call that exposed the shortcomings of traditional third-party risk management. Attackers exploited unpatched vulnerabilities in widely used file transfer software, impacting dozens of organizations across industries. Traditional security assessments failed to catch these risks, but proactive monitoring tools could have flagged these vulnerabilities before attackers did.

For too long, third-party risk management (TPRM) has relied on security questionnaires. Organizations track response rates, completion metrics, and compliance checklists — but breaches keep happening. The problem? These assessments measure vendor effort, not actual security posture, and only at a single point in time.

Meanwhile, ransomware groups aren’t wasting time with paperwork. They’re studying supply chains, buying marketing intelligence, and doing everything they can to learn more about their victims and their supply chains. Questionnaires are no defense against this kind of sophisticated, intentional approach. 

Organizations need to move beyond static assessments and embrace real-time risk intelligence to detect vulnerabilities before they’re exploited. Instead of relying solely on vendors’ self-reported security measures, organizations should implement continuous monitoring tools that provide real-time visibility into third-party risks. During the Cleo File Transfer ransomware campaign, for example, Black Kite’s FocusTags™ helped organizations identify at-risk vendors and implement rapid mitigation strategies to prevent further breaches.

2. Affiliates are changing the rules of ransomware

Ransomware operations underwent a major shift in 2024, driven by changes in the underground cybercrime economy. The February attack on Change Healthcare didn’t just impact pharmacies, doctors, and hospitals — it reshaped the entire ransomware market. A payment dispute between an affiliate and a major ransomware group led to a structural change, where affiliates gained greater control and financial incentives. 

This affiliate-led model has fueled a spike in ransomware activity. Now, instead of centralized ransomware groups leading the charge, affiliates are operating with more autonomy, deploying multiple types of ransomware and significantly increasing the frequency of attacks. 

Healthcare bore the brunt of these attacks in 2024, accounting for over 40% of all third-party breaches. And unlike ransomware groups that historically followed an informal “twisted code of conduct” — where healthcare organizations were considered off-limits — modern affiliates have no such boundaries. They prioritize financial gain over all else, choosing targets based on likelihood to pay. The Cencora ransomware attack, for instance, allegedly resulted in a $75 million ransom payment, exposing sensitive patient data and revealing the cascading impact of third-party breaches.

This shift in ransomware tactics means organizations can no longer rely on past attack patterns to predict future threats. With financially motivated affiliates now driving attacks, businesses must invest in tools designed to proactively monitor and manage third-party risks to ensure a rapid response to disruptive events.

3. Regulations are driving cybersecurity improvements

Regulatory frameworks like DORA, HIPAA, and GDPR have been catalysts for critical risk management improvements, particularly in industries with strict compliance mandates. According to our findings, among vendors that experienced a breach and subsequently improved their cyber rating by at least 3 points, 72% serve the healthcare industry — an indication that regulatory enforcement is driving significant improvements in incident response and vendor risk management practices.

However, not all industries are keeping pace. Only 14% of vendors with improved scores following a breach support the financial services sector. Similarly, only 14% of vendors in the manufacturing sector showed progress in enhancing their cyber ratings.

The progress observed in sectors like healthcare, where regulations drove notable improvements, serves as a model for other industries to follow. But regulations aren’t enough on their own either. While regulatory frameworks establish baseline security standards, they must be backed by proactive risk management strategies. Organizations that implement continuous third-party risk monitoring, leverage real-time threat intelligence tools, and enforce vendor accountability through contractual security requirements are significantly better positioned to identify and mitigate emerging threats.

4. Defining unauthorized network access

Unauthorized network access accounted for over 50% of publicly disclosed third-party breaches in 2024. But what does that really mean? Too often, “unauthorized access” is used as a vague, catch-all explanation when organizations lack clarity on the root cause of an attack or choose not to disclose specific details. This makes it difficult to determine whether breaches were caused by stolen credentials, misconfigurations, or unpatched vulnerabilities.

The lack of transparency in incident reporting presents a serious challenge for CISOs. Without a clear picture of how attackers infiltrated a system, security teams struggle to remediate vulnerabilities and prevent future breaches. Instead of driving meaningful improvements, these incidents often fuel blame games and reactive security postures.

Given the sheer volume of breaches attributed to unauthorized access, security leaders must push for deeper analysis and clearer reporting. Creating a culture of transparency in incident reporting can help security teams better understand the root causes of unauthorized network access breaches, enabling more effective prevention strategies.

5. Building a resilient third-party risk management strategy

While we can’t predict exactly what’s next, there’s a lot we can learn from last year’s third-party breaches. By analyzing the trends, cybersecurity leaders can fine-tune their strategies to stay ahead of emerging threats. What’s clear from this year’s 2025 Third-Party Breach Report is that a proactive, collaborative approach to third-party risk management is now essential.

As we move into 2025, relying on reactive measures is no longer enough. Organizations must embrace real-time risk assessments, improve vendor communication using tools like Black Kite Bridge™, and invest in actionable remediation intelligence. Cyber threats are evolving fast, and so must the tools and strategies used to combat them. By adapting to these changes in the third-party risk landscape, companies can build a stronger, more resilient security posture and better protect themselves against the next wave of cyber threats.

Dive deeper into the insights — read the full 2025 Third-Party Breach Report now.

Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.

The post Key Takeaways from the 2025 Third-Party Breach Report appeared first on Black Kite.

Infographic: Healthcare Under Siege – The Ransomware Epidemic

27 January 2025 at 08:45

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

The healthcare sector is under attack, and the numbers paint a stark picture of the growing ransomware crisis. Our latest infographic, drawn from the 2025 Healthcare Ransomware Report, uncovers the alarming rise in ransomware incidents targeting healthcare organizations and the reasons behind this surge.

Key insights from the infographic:

Healthcare is now the 3rd most targeted industry for ransomware.

Rising from 7th place in just one year, the sector now accounts for 8% of all ransomware attacks—up from 5% in 2023. Overall, ransomware incidents in healthcare surged by 32.16% in the last year.

High-stakes operations make healthcare a lucrative ransomware target.

Ransomware groups are drawn to healthcare’s sensitive patient data and the urgency to restore disrupted services. Ransom demands in the sector can reach as high as $20 million, with both large hospitals and small practices feeling the impact.

Ransomware groups have evolved to target healthcare. 

Disruptions in the ransomware ecosystem, including the takedown of groups like LockBit and AlphV (BlackCat), and the growth in affiliates’ power, have led to the emergence of aggressive new players who don’t consider healthcare off-limits. For example, RansomHub offered affiliates a 90% payout with greater control over targets.

Patient safety is at risk from ransomware attacks.

These attacks are not just financial concerns—they jeopardize patient care and trust. Delayed surgeries, blocked medical records, and spillover effects on supply chains are just a few of the devastating consequences.

An early ransomware warning system is critical.

Black Kite’s Ransomware Susceptibility Index® (RSI™) offers healthcare organizations vital insights into ransomware risks, enabling them to prioritize and address vulnerabilities before attackers strike.

This infographic provides a detailed look at how ransomware attackers are zeroing in on the healthcare sector, from the tactics they use to the far-reaching impacts of their attacks. Whether you’re part of a major hospital system or a small clinic, the stakes are too high to ignore.

For an even deeper dive, explore our report, Healthcare Under Ransomware Attack: Why Healthcare Is Now the 3rd Most Targeted Industry in the Ransomware Cybercrime Ecosystem. It offers actionable strategies to help healthcare organizations stay ahead of the ransomware epidemic.

Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.

Why Healthcare Is Now in the Bullseye for Ransomware Groups

22 January 2025 at 11:37

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

Cybercriminals are becoming increasingly bold — and no industry is safe, even those once considered untouchable. Last year, ransomware attacks in the healthcare industry skyrocketed, propelling it from the 7th most targeted industry to 3rd in just one year with attacks increasing by over 32%. The sector now accounts for 8% of ransomware attacks — up from just 5% a year ago — ranking behind only manufacturing and professional services.

What’s driving this surge? Cybercriminals are exploiting vulnerabilities unique to healthcare — making it one of the most lucrative targets. From sensitive patient data to operational disruptions that could jeopardize lives, the stakes couldn’t be higher. With 303 attacks in a single year, on everything from major hospitals to small clinics, no corner of healthcare is immune.

Our latest report, Healthcare Under Ransomware Attack, breaks down what’s behind this alarming trend — and what healthcare organizations can do to shore up their defenses.

Healthcare’s ransomware epidemic: The surge explained

Healthcare’s rise as a prime ransomware target marks a turning point in the tactics of cybercriminals. Once considered “off-limits” under an informal (yet twisted) code of conduct, healthcare now finds itself firmly in the crosshairs. Today’s ransomware groups prioritize ease of access and high ransom potential, and the unique pressures within healthcare — where patient safety and operational continuity are at stake — make the sector especially attractive.

This shift can be traced to two main catalysts: the high-profile attack on Change Healthcare and the dismantling of prominent ransomware groups like LockBit and AlphV (BlackCat).

The February 2024 ransomware attack on Change Healthcare disrupted vital services for healthcare facilities across the U.S. Although the company acted quickly to minimize the impact, the incident exposed vulnerabilities in healthcare operations. It also revealed growing tensions within the ransomware ecosystem. During the attack, a failed payment to an affiliate (an independent attacker partnering with a ransomware operator) sparked disputes, leading to an uprising by affiliates seeking to shift the power away from large ransomware groups. 

The exit of AlphV (BlackCat) in December 2023 and the disruption of LockBit in February 2024 further impacted the ransomware landscape. While these events temporarily reduced attack volumes, the lull was quickly followed by an influx of new groups, many of which now lead attacks and work off an affiliate-led model. Emerging groups like RansomHub attracted many affiliates disillusioned with how ransomware groups were previously structured, offering affiliates greater control and payouts as high as 90%.

The shift in how ransomware groups operate also means affiliates are in high demand. Now, they transition freely between groups, spreading their knowledge further and making attacks by new, more aggressive players more likely. They’re also taking a carefully planned approach to which companies they target next.

Why ransomware groups are targeting healthcare

Healthcare’s ethical responsibility to ensure continuity of care for patients sets it apart from other industries and makes it uniquely vulnerable to attacks. When systems are compromised, the consequences can be a matter of life and death — delayed surgeries, inaccessible medical records, and compromised patient safety. This means that when attacked, healthcare companies are often pressured to pay ransoms to avoid disruptions to life-saving care.

Smaller healthcare providers, with less robust cybersecurity defenses, are especially vulnerable. But no organization — large or small — is immune. Attackers aren’t picking targets at random — they are following a deliberate, calculated strategy based on:

  • Technical vulnerability: Unpatched systems and outdated software are low-hanging fruit.
  • Industry: Sectors with sensitive, valuable data, like healthcare.
  • Likelihood to pay: Organizations with a history of paying ransoms are more likely to pay again.
  • Geographic area: The U.S. remains the top target for ransomware groups.
  • Revenue profile: Large enterprises (revenues over $100M) and small to mid-sized businesses (revenues below $20 million) are commonly targeted.

While legacy ransomware groups tended to favor negotiation, modern groups are more likely to demand fast payments of a one-time ransom, with no room for negotiation. And sensitive patient data combined with high-stakes operations makes it more likely that affected companies will pay. In healthcare, ransom demands have climbed as high as $20M, driven by the urgent need to restore operations and protect patient outcomes.

The impact of these attacks goes far beyond finances. Attacks ripple through the healthcare ecosystem, exacting a human toll on providers, patients, and their families. The effects can also spill over to vendors and suppliers, putting your entire third-party ecosystem at risk. With no subindustry of healthcare safe — and ransomware groups targeting practices both large and small — maintaining the status quo is no longer an option. 

Taking control: How to get ahead of the curve

With the chances of an attack becoming increasingly likely, it’s time to take a proactive approach to protect healthcare organizations and third-party ecosystems from attacks. Here’s how to start building a robust line of defense:

Continuously monitor risk factors

Healthcare organizations need to focus on monitoring risk factors that could increase the chance of an attack. Consider what your ecosystem looks like to attackers. Unpatched systems, outdated defenses, and weak links in your third-party ecosystem are common entry points.

By continuously monitoring for changes in risk factors — both within your organization and across your third-party network — it’s easier to take action before vulnerabilities are exploited.

Use an early warning system

An early warning system is one of the best ways to assess your company’s vulnerability to attack. Proactive tools like Black Kite’s Ransomware Susceptibility Index® (RSI™) provide insights into your organization’s risk of a ransomware attack. RSI™ uses machine learning and data analysis to assess vulnerability on a scale from 0 (low risk) to 1 (high risk). Scores above 0.50 indicate a heightened likelihood of attack, allowing organizations to prioritize and remediate vulnerabilities before they become problematic.

What makes RSI™ particularly powerful is that it mirrors the factors ransomware attackers themselves evaluate when choosing targets. By identifying and addressing any vulnerabilities before they’re picked up on by attackers, you can stay off their radar and keep sensitive patient data safe.

Prevention is the best medicine

Healthcare providers preach the power of preventative care — and the same goes for cybersecurity. Taking a proactive approach to ransomware defense, you can assess the risks to your organization and its third-party ecosystem, protecting against the growing risk of attacks before it’s too late. 

With attacks on the healthcare industry becoming more frequent and aggressive, the cost of inaction is too great — not just in financial losses but in disruptions to patient care. Protecting your organization from these threats isn’t just a cybersecurity priority — it’s a critical investment in the safety and well-being of the patients and communities you serve. 

Learn more about the rising ransomware attacks in the full 2025 Healthcare Ransomware Report — accessible instantly, no download required.

From Policing to Partnering: Rethinking the Third-Party Risk Management Process

6 January 2025 at 10:44

Written by: Jeffrey Wheatman, Senior Vice President, Cyber Risk Strategist

The traditional third-party risk management process often treats vendors with suspicion, mistrust, and skepticism, focusing on control rather than collaboration. This one-way “policing” mindset undermines what should be a productive and mutually beneficial partnership, creating an environment of contention and inefficiency.

Instead of working together to manage risks, organizations often overwhelm vendors with scattershot questions about vulnerability management, patching strategies, SOC 2 compliance, and more — usually without providing clear context or guidance. Vendors are left feeling frustrated and disconnected, expected to comply without fully understanding the purpose or value of their efforts. This approach feels more like an interrogation, turning what should be a partnership into more of a power struggle.

To strengthen defenses and improve the overall risk posture of their ecosystems, organizations need to move beyond this outdated approach of managing third-party risk. After all, cyberattackers don’t work in isolation — they share intelligence, coordinate strategies, and collaborate to exploit weaknesses. To combat this, organizations must adopt a similar mindset, shifting from control to collaboration. Lone wolves simply cannot prevail against well-coordinated efforts. 

Embracing partnership over policing, organizations can build trust and create a culture of shared responsibility — transforming third-party risk management into a proactive, collaborative strategy that benefits everyone involved. To understand why the current approach falls short, let’s examine the consequences of this policing mindset.

The Problem With Policing Vendors 

Policing vendors has long been a common approach in third-party risk management, but it usually creates more problems than it solves. Instead of building a collaborative, trust-based relationship, it positions vendors as adversaries under constant scrutiny. Vendors may feel like they are being targeted — not by cybercriminals, but by the very organizations they’re supposed to support.

This sense of distrust will lead to counterproductive outcomes. Rather than being transparent about potential risks or vulnerabilities, vendors may withhold critical information to avoid blame or punitive consequences, leaving organizations blind to potential risks.

The resulting lack of transparency can lead to delayed responses – or none at all – and missed opportunities for risk mitigation. After all, you can’t address risks you don’t know about. Distrust and resentment are partners in crime, and vendors may feel resentful that their time is being wasted by time-consuming questionnaires. As a result, vendors deprioritize or ignore these tasks and organizations waste valuable time chasing incomplete responses.

Beyond the operational inefficiencies, policing represents a major misstep in risk management. It doesn’t just sour relationships — it’s fundamentally shortsighted. Since it focuses narrowly on identifying and resolving immediate vulnerabilities, it misses the broader opportunity to build a shared, proactive, and long-term defense strategy.

Why Partnering Creates a Better Third-Party Risk Management Process

Cyberattackers don’t work in a vacuum — they operate in networks, share intel and strategies, and collaborate on attack timings. In contrast, many organizations and their vendors remain stuck in reactive, adversarial relationships — pointing fingers, struggling with miscommunication, and ultimately, leaving critical risks untreated. 

A partnership-driven approach flips this dynamic, creating an environment where organizations and vendors collaborate, learn from each other, and pool their resources and expertise. Open communication also eliminates data silos and barriers, meaning it’s easier to act quickly during critical moments. When everyone in your supply chain sees the same accurate, actionable data, responses are faster and more effective. 

Vendors treated as integral allies rather than external risks are more likely to engage openly, prioritize security initiatives, and align with your goals. This approach strengthens relationships, closes security gaps more efficiently, and creates a continuous improvement cycle that benefits both parties.

How To Build Strong Vendor Partnerships

Modernizing your third-party risk management process starts with rethinking how you work with vendors. These tips will help you shift from a policing mindset to a more collaborative approach, building mutually beneficial partnerships that strengthen security:

1. Build a strong foundation from the outset

Partnerships start with transparency. During vendor onboarding, clearly communicate how you assess security posture and why it matters. This sets expectations and reinforces the mutual benefits of an open, collaborative approach.

For existing vendors, revisit your goals and outline plans to strengthen collaboration. Engage your vendors in these discussions — ask for their input on improving collaboration and listen actively to their feedback.

Using tools like Black Kite’s Ransomware Susceptibility Index® can provide insights into which companies in your ecosystem are most likely to be hit by a ransomware attack, so that you can work with your vendors proactively to reduce that risk.

2. Prioritize communication and engagement

Regular communication is essential for maintaining trust and efficiency. Establish direct, security-to-security communication channels to expedite responses during critical moments. Sharing trustworthy, actionable data also reduces the burden on vendors who may be working with hundreds or even thousands of customers — who are all expecting their attention.

Tools like Black Kite Bridge™ streamline this process by centralizing communication, automating outreach, and sharing real-time intelligence. With a tool that shares asset-level vulnerability intelligence and real-time ratings updates, vendors know exactly what they need to do to address your concerns. Vendors also appreciate such solutions as they help them scale efficiently — remediations to one client’s concerns are immediately visible to other clients, saving time.

3. Develop proactive incident detection and resolution processes

Security incidents are inevitable, making it essential to develop a proactive process for identifying and addressing them. Effective incident response depends on access to precise, actionable information shared transparently with vendors.

The traditional approach of inundating vendors with unstructured data leads to delays and confusion. Without clear guidance, vendors may struggle to prioritize their actions. A better option is to use a tool like Black Kite’s FocusTags™ to offer specific, actionable steps for addressing vulnerabilities. This makes it much easier for vendors to know what exactly needs to be done and why.

4. Collaborate on post-mortem incident reviews

When incidents occur, the response shouldn’t end with mitigation. Collaborating with your vendors to conduct post-mortem reviews is much more constructive than pointing fingers. It also shifts the focus to learning and improvement rather than fault-finding. By honestly evaluating what went wrong, it’s easier to take the necessary steps to improve your, and their, response in the future. 

Taking a team-oriented approach to post-incident reviews strengthens your collective defenses. These collaborative discussions show a commitment to mutual success and ongoing improvement, reinforcing your shared responsibility in maintaining a strong security posture.

The Power of Partnership 

Vendor partnerships aren’t just about managing risk — they’re about building relationships that deliver mutual value. Collaboration shifts the dynamic from adversarial into one rooted in trust, transparency, and shared objectives. Partnerships accelerate threat responses, streamline third-party risk management processes, and enable both organizations and vendors to strengthen their defenses. 

The real power of partnership lies in its ability to create a symbiotic cybersecurity ecosystem, where each party contributes to a stronger collective defense. Vendors become trusted allies, working alongside you to identify vulnerabilities, mitigate risks, and stay ahead of threats. In this unified ecosystem, the sum truly is greater than the parts.

To learn more practical strategies for building stronger vendor partnerships, check out our ebook: Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events.

Cl0p’s Exploitation of Cleo Puts the Supply Chain at Immediate Risk

18 December 2024 at 09:16

Written by: Ferhat Dikbiyik
Contributor: Yavuz Han & Ekrem Celik

Cl0p is back—and this time, they’ve set their sights on Cleo, a critical tool for supply chain integration. By exploiting vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, Cl0p has reignited concerns of another large-scale ransomware campaign, echoing the chaos caused by their MOVEit, GoAnywhere, and Accellion attacks. With thousands of companies relying on Cleo for seamless data transfers and partner integrations, the risk isn’t just direct—it’s systemic.

Timeline of Events

October 2024: Discovery of Cleo Vulnerabilities

Cleo released patches addressing a critical vulnerability (CVE-2024-50623) in its Managed File Transfer (MFT) products, including Harmony, VLTrader, and LexiCom. The flaw allowed unrestricted file uploads, enabling unauthenticated remote code execution. Cleo urged customers to upgrade to version 5.8.0.21 to mitigate the risk.

November 2024: Blue Yonder Incident and Termite Ransomware Group

Weeks later, Blue Yonder, a major SaaS provider for supply chain management, fell victim to a ransomware attack. The Termite ransomware group claimed responsibility, leveraging vulnerabilities and credential exposure to compromise systems.

Termite ransomware group’s dark web main page, showing the alleged victims.

While Blue Yonder’s attack and the Termite group initially seemed isolated, Cleo systems emerged as Indicators of Compromise (IoCs) in Termite’s operations. This incident highlighted how supply chain integration tools could be weaponized to cause widespread operational disruption. For more details on Blue Yonder and Termite, refer to our previous analysis here.

December 2024: Cl0p’s Announcement and Growing Exploitation

In early December, signs of active exploitation began surfacing. Sophos X-Ops confirmed that attacks on Cleo products began on December 6, 2024, targeting 50+ unique hosts in North America, primarily in the retail sector. On December 13, the Cl0p ransomware group publicly claimed responsibility for exploiting Cleo’s vulnerabilities. Cl0p, known for its mass exploitation of Managed File Transfer products like MOVEit and GoAnywhere, followed their established playbook: exploit, exfiltrate, and pressure victims with double extortion. Their announcement signaled that victims were already under negotiation, and further disclosures were imminent.

Cl0p’s announcement on December 13.

December 13: CISA Confirms Active Exploitation

Also, on December 13, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of CVE-2024-50623 and added it to the Known Exploited Vulnerabilities (KEV) Catalog. CISA mandated that all U.S. federal agencies apply patches by January 3, 2025, highlighting the urgency of remediation.

December 15: Second Cleo Vulnerability Surfaces

A second critical vulnerability (CVE-2024-55956) was identified in Cleo’s MFT solutions, further escalating the threat. This zero-day flaw, combined with CVE-2024-50623, expands the attack surface for threat actors, allowing even broader exploitation. According to new findings, these vulnerabilities remain attractive due to Cleo’s widespread usage in supply chain integration, especially in the retail and logistics industries.

December 17: CISA Adds CVE-2024-55956 to its KEV Catalog

CISA’s alert on one of the exploited Cleo vulnerabilities.

December 18: First Victims Announced

The Cl0p ransomware group announced two new victims on December 18. Given their initial announcement on the 13th, it is highly likely that these victims are part of the mass exploitation campaign against the Cleo vulnerabilities.

Current Status: Patches, Advisories, and Present Risks

As of mid-December, reports from Huntress and Arctic Wolf revealed that:

  • Systems running the October patch (5.8.0.21) were still being exploited; that fix did not fully close the hole.
  • Attackers are stealing data and deploying post-exploitation payloads (backdoors) by combining CVE-2024-50623 and CVE-2024-55956.

The interconnected risks continue to grow. Cleo systems have become central to ransomware groups’ strategies, echoing Cl0p’s MOVEit campaign in scale and complexity. The exploitation of Cleo vulnerabilities as a campaign is ongoing, and the number of victims is expected to rise over the coming weeks.

The ripple effects across the global supply chain—especially in retail, logistics, and other interconnected industries—demonstrate the systemic impact of vulnerabilities in widely adopted tools like Cleo.

Who is Cl0p? Understanding the Group and Their Methods

Cl0p is a ransomware group notorious for large-scale exploitation campaigns targeting Managed File Transfer (MFT) software. Their operations are characterized by a “hit-and-run” mentality, focusing on mass exploitation rather than continuous attacks. Unlike opportunistic ransomware groups, Cl0p carefully identifies vulnerabilities in widely adopted tools, weaponizes them, and exploits them at scale. Their operations combine technical precision with a clear strategy: maximize impact and leverage high-value data for extortion.

Cl0p’s History and Previous Attacks

Cl0p has been linked to several high-profile attacks:

  • Accellion FTA Attack (2020): In December 2020, Cl0p exploited zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA), compromising up to 100 companies and stealing sensitive data. Unlike typical ransomware attacks, they did not deploy file-encrypting malware but instead focused on data theft and extortion.
  • GoAnywhere MFT Attack (2023): In early 2023, Cl0p exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT, claiming to have breached over 130 organizations. They utilized similar tactics of data exfiltration followed by extortion.
  • MOVEit Exploitation (2023): In June 2023, Cl0p targeted a vulnerability in Progress Software’s MOVEit Transfer, affecting numerous organizations. They exfiltrated data and used double extortion tactics, threatening to publish the stolen information. 

These incidents highlight Cl0p’s signature approach: they don’t operate year-round. Instead, they focus on mass exploitation campaigns—finding and exploiting critical vulnerabilities in widely used enterprise tools, launching large-scale attacks, and rapidly monetizing stolen data.

Cl0p’s Modus Operandi (MO): Targeting MFT Solutions

Cl0p’s tactics have a distinct pattern:

  1. Identification of Zero-Day Vulnerabilities:
    Cl0p specifically targets MFT solutions, which are vital for secure data transfers between organizations and trading partners. These tools often handle sensitive data, making them prime targets for extortion.
  2. Mass Exploitation:
    Once a vulnerability is identified, Cl0p moves quickly to exploit it. They leverage automated tools to scan for unpatched or exposed systems, often breaching hundreds of organizations simultaneously.
  3. Data Exfiltration and Double Extortion:
    After gaining access, Cl0p exfiltrates large amounts of sensitive data, in its MFT campaigns often without deploying an encryptor at all. It then engages in double extortion, threatening to leak stolen data publicly if victims refuse to pay. Its dark web blog serves as the platform to pressure victims by announcing data leaks.
  4. Timing and Scale:
    Cl0p strategically targets tools used by organizations with significant supply chain interdependencies, amplifying the impact of their campaigns. The MOVEit and GoAnywhere campaigns affected thousands of companies—directly and indirectly—demonstrating how they exploit systemic vulnerabilities in critical software.

Cl0p and Cleo: The Next MOVEit?

The exploitation of Cleo’s vulnerabilities mirrors Cl0p’s previous large-scale campaigns against Managed File Transfer (MFT) solutions like MOVEit and GoAnywhere. Those campaigns targeted zero-day vulnerabilities, allowing Cl0p to breach organizations en masse and exfiltrate sensitive data for double extortion. In December 2024, Cl0p publicly claimed responsibility for exploiting Cleo’s MFT products, specifically CVE-2024-50623 and CVE-2024-55956, stating it already had “a lot of companies” at its fingertips. This public declaration strongly suggests that exploitation began weeks earlier, consistent with Cl0p’s strategy of quietly breaching systems, stealing data, and only later announcing its activities to intensify pressure on victims who have not yet paid.

Screenshot from BleepingComputer article that covers Cl0p’s statements.

Given Cleo’s widespread adoption—particularly in retail and logistics, where it facilitates end-to-end supply chain integration—the scale of potential disruption is significant. Cl0p’s focus on tools that connect organizations across ecosystems amplifies the risk far beyond a single company, creating a ripple effect throughout supply chains.

This pattern is not new. During the MOVEit exploitation campaign in 2023, Black Kite Research and Intelligence Team (BRITE) observed 600 MOVEit assets exposed to the internet at the time of discovery. Given Cl0p’s spray-and-exploit approach, we estimate most of those assets were attacked. In total, Cl0p’s MOVEit campaign impacted hundreds of direct victims and indirectly affected more than 2,700 organizations, including downstream third- and fourth-party dependencies.

Within three months, Cl0p announced 270 victims tied to MOVEit on their leak site. Other victims were listed afterward, though it remains unclear if these were MOVEit-related. Notably, Cl0p claimed to have deleted stolen data for some organizations, such as non-profits and public institutions, likely for reputational reasons.

While Cl0p currently dominates the headlines, it is worth noting that the Termite ransomware group has also been associated with Cleo-related Indicators of Compromise (IoCs). Though there is no confirmed link between Cl0p and Termite, this overlap highlights how critical tools like Cleo become prime targets for multiple ransomware operators seeking high-impact opportunities.

Cl0p’s resurgence with Cleo is yet another example of their ability to disrupt systems at scale. Their hit-and-run mentality—periodically focusing on MFT vulnerabilities for maximum effect—demonstrates their precision and understanding of how interconnected systems amplify ransomware risks. Organizations must respond decisively to such threats, as delayed action could leave critical data and operations exposed in the interconnected web of modern supply chains.

The Technical Breakdown: How Cleo Vulnerabilities Are Being Exploited

CVE-2024-50623: The Initial Vulnerability

The first critical vulnerability identified in Cleo’s MFT solutions, CVE-2024-50623, was disclosed in October 2024. The flaw allows unauthenticated, unrestricted file upload and download, so an attacker can place files directly onto a targeted server. Under certain conditions this results in remote code execution (RCE), giving threat actors the ability to execute arbitrary commands.

The vulnerability impacts Cleo Harmony, VLTrader, and LexiCom products widely used for secure file transfers, partner onboarding, and supply chain automation. Organizations with internet-exposed Cleo systems running unpatched versions were immediately placed at risk.

CVE-2024-55956: A Second Critical Flaw

On December 15, 2024, a second vulnerability, CVE-2024-55956, surfaced, further exacerbating the risk. This flaw is also exploitable without authentication: it lets an attacker import and execute arbitrary commands on the host by abusing the product’s default Autorun directory, which is why the mitigations later in this post stress clearing that setting. Combined with CVE-2024-50623, it gives threat actors both a way in and a way to run code and move data out, a hallmark of ransomware operations.

Researchers from Huntress reported that hosts running 5.8.0.21, the October patch for CVE-2024-50623, were still being exploited: the original fix did not fully close the hole. This complicates mitigation, because organizations that applied that patch may incorrectly assume they are protected. Cleo subsequently released 5.8.0.24 to address CVE-2024-55956.

Indicators of Compromise (IoCs)

Security researchers have published several Indicators of Compromise related to Cleo exploitation, including:

  • File Names and Patterns:
    Malicious file uploads often mimic legitimate Cleo processes to evade detection. For example:
    • Randomly named .xml or .log files placed in unexpected directories.
  • Unusual Network Activity:
    • Outbound connections to suspicious IP addresses.
    • Unexpected data transfers involving Cleo MFT servers.
  • C2 (Command and Control) Servers:
    • Reported IP addresses identified as part of Cl0p campaigns.
      • Example: 176[.]123[.]5[.]126 and 5[.]149[.]249[.]226 (placeholder examples).

Organizations are urged to monitor for these IoCs and conduct thorough forensic reviews of Cleo servers to identify unauthorized file uploads or unusual system behavior.
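The sweep described above, and the “Monitor for Indicators of Compromise” and “Block malicious IPs” steps later in this post, as an added example. This is not code from Black Kite, Cleo or any of the cited advisories. It refangs the defanged C2 addresses, matches them against constructed firewall log lines, and flags files in a constructed listing that fit the published patterns; the log format, paths and the Autorun allowlist are hypothetical.

```python
"""Added example (not code from Black Kite, Cleo or any advisory): refang the
defanged C2 addresses listed above and sweep constructed firewall log lines
and a constructed file listing for the indicator patterns the advisories
describe. Paths, the allowlist and the log format are hypothetical."""
import ipaddress
import re
from pathlib import PurePosixPath

# Defanged exactly as advisories publish them; refang before matching.
DEFANGED_C2_IPS = ["176[.]123[.]5[.]126", "5[.]149[.]249[.]226", "185[.]181[.]230[.]103"]


def refang(indicator: str) -> str:
    """'176[.]123[.]5[.]126' -> '176.123.5.126'; also undoes 'hxxp' escaping."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_C2_IPS}

# Hypothetical firewall export: "<ts> <ALLOW|DENY> <proto> <src>:<port> -> <dst>:<port>"
FLOW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def c2_connections(log_lines):
    """Return (timestamp, action, src, dst, dport) for every flow whose destination
    is a listed C2 address. DENY lines matter too: a blocked beacon still means
    the host tried to call home."""
    hits = []
    for line in log_lines:
        m = FLOW_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it, never treat it as clean
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in C2_IPS:
            hits.append((m["ts"], m["action"], m["src"], str(dst), int(m["dport"])))
    return hits


# Files an operator knowingly keeps in the Autorun directory (hypothetical).
AUTORUN_ALLOWLIST = {"nightly_export.xml"}
# A run of 200+ base64 characters inside an XML/text file is a strong sign of an embedded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def suspicious_files(listing, autorun_dir="/opt/cleo/harmony/autorun"):
    """listing: {path: file text}. Flag the dropper name from the advisories,
    anything unexpected inside the Autorun directory, and encoded blobs."""
    findings = []
    for path, content in listing.items():
        p = PurePosixPath(path)
        reasons = []
        if p.name == "main.xml":
            reasons.append("known dropper file name main.xml")
        if str(p.parent) == autorun_dir and p.name not in AUTORUN_ALLOWLIST:
            reasons.append("unexpected file in Autorun directory")
        if BASE64_BLOB.search(content):
            reasons.append("large base64-encoded blob")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample data for the demonstration (203.0.113.0/24 is documentation space).
SAMPLE_FLOWS = [
    "2024-12-09T03:14:07Z ALLOW TCP 10.20.0.15:49812 -> 176.123.5.126:443",
    "2024-12-09T03:14:09Z ALLOW TCP 10.20.0.15:49813 -> 203.0.113.7:443",
    "2024-12-09T03:15:41Z DENY  TCP 10.20.0.15:49830 -> 185.181.230.103:80",
    "malformed line that should be skipped",
]
SAMPLE_LISTING = {
    "/opt/cleo/harmony/autorun/nightly_export.xml": "<Host alias='partner-edi'/>",
    "/opt/cleo/harmony/autorun/60282967.xml": "<Host><Command>" + "QUFB" * 60 + "</Command></Host>",
    "/opt/cleo/harmony/main.xml": "<Host alias='loader'/>",
}

if __name__ == "__main__":
    for hit in c2_connections(SAMPLE_FLOWS):
        print("C2 traffic:", hit)
    for path, reasons in suspicious_files(SAMPLE_LISTING):
        print("suspicious file:", path, "->", "; ".join(reasons))
```

Two design points: the parser skips lines it cannot read rather than treating them as clean, and DENY lines are reported alongside ALLOW lines, since a blocked beacon is still evidence that something on the host is trying to reach the operator.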

The Compounding Risk of Misconfiguration

Cleo released a patch (5.8.0.21) in October, but real-world results revealed gaps. Unpatched instances remained exposed, and Huntress reported that hosts already on 5.8.0.21 were still being exploited, which is what the second CVE tracks; Cleo addressed it in 5.8.0.24. Organizations that rely on Cleo for critical file transfer operations therefore need to verify the installed build, not merely that “a patch” was applied.

The combined exploitation of CVE-2024-50623 and CVE-2024-55956 highlights the evolving sophistication of ransomware groups like Cl0p. These vulnerabilities create a near-perfect opportunity for attackers to infiltrate systems, steal sensitive data, and leverage supply chain disruptions for maximum impact. Organizations must act decisively to identify exposure, patch systems, and monitor for signs of compromise before attackers escalate their campaigns further.

The Supply Chain Impact: Why This Matters

Cleo’s Role in Supply Chain Integration

Cleo’s Integration Cloud (CIC) and Managed File Transfer (MFT) solutions serve as critical infrastructure for businesses that rely on seamless data exchanges with trading partners, customers, and internal systems. These tools power API and EDI-based transactions, automate file transfers, and integrate with back-office applications, enabling operational efficiency across interconnected supply chains.

An illustration of CIC provided on Cleo’s main website.

Direct vs. Indirect Risks

The exploitation of Cleo vulnerabilities poses direct and indirect risks to organizations, mirroring the cascading effects seen during the MOVEit and GoAnywhere campaigns:

  1. Direct Impact:
    • Organizations using vulnerable Cleo solutions face immediate risk of data exfiltration and ransomware deployment. Cl0p’s exploitation tactics allow for unauthorized file uploads, system access, and data theft, disrupting operations and potentially leading to downtime or financial losses.
  2. Indirect Impact:
    • Even companies that do not directly use Cleo can be impacted through their vendors, partners, or customers. If a critical supplier or trading partner is compromised, it can trigger delays, operational bottlenecks, and interruptions to business continuity.
    • These downstream impacts are especially critical in industries like retail and logistics, where delays during peak seasons—such as the holidays—can translate to significant revenue loss.

Sectors at Greatest Risk

Industries like retail, logistics, manufacturing, and healthcare depend heavily on Cleo to manage their supply chain workflows. From onboarding new partners to securely transferring sensitive business data, Cleo has become a central link in countless global operations. This widespread reliance creates an attractive target for ransomware groups like Cl0p, who aim to amplify the disruption by compromising a tool that connects thousands of organizations.

  • Retail: Retailers depend on Cleo to integrate with suppliers, track shipments, and ensure inventory visibility. A disruption during peak seasons could delay deliveries, impact sales, and damage customer relationships.
  • Logistics: Logistics providers rely on Cleo for partner onboarding, shipping automation, and real-time data exchanges. An attack could cause cascading delays across the supply chain.
  • Manufacturing: Manufacturers using Cleo to exchange data with suppliers and partners could face production halts, delayed fulfillment, and financial loss.
  • Healthcare: Sensitive healthcare data, often transferred through automated workflows, is particularly valuable to ransomware operators, posing both operational and regulatory risks.

Why This Matters for Supply Chain Resilience

The Cleo exploitation highlights a broader issue: the fragility of interconnected systems. Organizations often underestimate their reliance on third-party tools and partners until an incident like this occurs. A single vulnerability in a widely adopted platform can disrupt hundreds—or thousands—of interconnected businesses, amplifying risks across entire ecosystems.

For organizations prioritizing supply chain resilience, visibility is critical:

  • Do you know which of your vendors, customers, or partners rely on Cleo?
  • Can you assess their exposure and verify that mitigation steps are being taken?
  • Are you prepared for disruptions caused by indirect dependencies?

Understanding these relationships and acting proactively can make the difference between business continuity and cascading failure.

How Black Kite Responded: Two FocusTags for Actionable Intelligence

Proactive Risk Identification and Customer Alerts

As the Cleo vulnerabilities began to surface and exploitation intensified, Black Kite acted swiftly to provide actionable intelligence for our customers. Understanding the layered risks posed by Cleo’s interconnected products, we released two distinct FocusTags:

  1. Cleo File Transfer FocusTag
  2. Cleo Integration – Ransomware Risk FocusTag

Both tags addressed critical aspects of the threat, helping customers identify exposure, prioritize outreach, and take decisive mitigation steps.

Cleo File Transfer FocusTag™: Identifying Vulnerable Systems

The Cleo File Transfer FocusTag™ focuses on the vulnerable software versions and internet-facing systems running Cleo Harmony®, VLTrader®, and LexiCom. This vulnerability-focused tag provides highly actionable intelligence for customers to address immediate technical risks.

Key details include:

  • Identification of vulnerable Cleo products prior to version 5.8.0.21.
  • IP addresses and hosted instances of Cleo MFT solutions exposed in the cloud.
  • Indicators of Compromise (IoCs).
  • Recommended mitigation actions, including patching, disabling autorun functionality, and isolating systems behind firewalls.

Customers used this tag to quickly identify their own exposure and initiate remediation efforts, including monitoring for signs of exploitation and implementing defensive controls.

Black Kite’s Cleo File Transfer FocusTag™ details.

Black Kite published this first tag on November 27, 2024 for CVE-2024-50623 and has updated it frequently since to cover new developments, including the second vulnerability (CVE-2024-55956).

Cleo Integration – Ransomware Risk FocusTag™: Cascading Supply Chain Risk

The Cleo Integration – Ransomware Risk FocusTag™ addresses a broader risk beyond the specific vulnerabilities. This tag highlights organizations connected to Cleo’s Integration Cloud (CIC) as application or trading partners, who may face direct or indirect risks of a ransomware attack.

  • The Cl0p ransomware group is infamous for exploiting Managed File Transfer (MFT) vulnerabilities, and their campaigns often extend beyond initial targets. Cleo’s MFT solutions are deeply integrated with Cleo Integration Cloud (CIC), a platform central to critical business ecosystem integrations.
  • Trading partners connected to CIC could become part of the attack path, exposing sensitive assets and data to potential compromise.

The Cleo Integration tag is based on a combination of:

  • Cleo’s publicly published integration and partner listings (about 95% of the data).
  • Certificate analysis for Cleo-related products.

Through discussions with trading partners and confirmation from our customers, we’ve learned that Cleo integrations often touch sensitive data and critical systems, amplifying the potential for cascading impacts across the supply chain.

This tag enables customers to:

  1. Identify at-risk vendors and trading partners connected to Cleo.
  2. Understand and prioritize indirect risks that could impact their operations.
  3. Share actionable intelligence with vendors, raising awareness and driving remediation efforts.

Black Kite published this tag on December 16, 2024, right after Cl0p’s announcement on its dark web blog; for many customers it was the first notice of the risk.

Black Kite’s CLEO Integration – Ransomware Risk FocusTag™ details.

Customers who were identified as trading partners on Cleo’s public website began internal investigations to assess their exposure. IoCs provided with the tag—such as suspicious file patterns and malicious IPs—were shared with SOC teams to ensure no compromise had occurred. Organizations verified where Cleo touched their sensitive assets or critical systems and prepared incident response protocols as a precaution.

Operationalizing Both FocusTags™: From Intelligence to Action

Black Kite customers leveraged these FocusTags to address both immediate risks and cascading vulnerabilities:

  1. For Internal Mitigation (Cleo File Transfer FocusTag):
    • Patch all Cleo Harmony, VLTrader, and LexiCom systems to version 5.8.0.24 or later (5.8.0.21 addressed only CVE-2024-50623 and was bypassed).
    • Place internet-facing systems behind a firewall and disable autorun functionality.
    • Monitor for Indicators of Compromise (IoCs) such as malicious file uploads and suspicious IPs.
  2. For Vendor and Supply Chain Management (Cleo Integration FocusTag):
    • Use the Cleo Integration – Ransomware Risk FocusTag to identify trading partners at risk of cascading ransomware impacts.
    • Prioritize critical vendors and launch targeted outreach campaigns to raise awareness and request feedback.
    • Collaborate with vendors to confirm mitigations and reduce shared risk.
  3. Leveraging Black Kite Bridge™:
    • Customers operationalized these tags further through Black Kite Bridge™, streamlining vendor outreach and tracking remediation progress in real time. Instead of sending manual questionnaires, they shared actionable intelligence directly with vendors, allowing for faster, more efficient responses.

A Coordinated Effort to Protect Customers

The swift release of these two FocusTags reflects Black Kite’s commitment to delivering timely and actionable intelligence. The BRITE (Black Kite Research and Intelligence) team worked around the clock to analyze risks, while our Customer Success, Support, and Product teams ensured customers could operationalize this intelligence effectively.

By addressing both technical vulnerabilities and supply chain risks, we enabled organizations to act decisively—protecting their systems, understanding their vendor relationships, and mitigating the cascading impacts of ransomware.

What Organizations Need to Do Now

As the exploitation of Cleo vulnerabilities continues to unfold, organizations must move quickly to mitigate risks, both internally and across their supply chains. Given Cl0p’s history of targeting widely adopted Managed File Transfer (MFT) tools, delaying action could leave organizations exposed to ransomware deployment, data theft, and operational disruptions.

Immediate Steps for Direct Users of Cleo

If your organization uses Cleo Harmony®, VLTrader®, or LexiCom, immediate technical measures must be prioritized:

  • Patch Vulnerable Systems: Ensure all Cleo MFT products are updated to version 5.8.0.24 or later. Version 5.8.0.21 addressed only CVE-2024-50623 and was bypassed; 5.8.0.24 is the build that also addresses CVE-2024-55956.
  • Disable Autorun Functionality:
    • Access the “Configure” menu, select “Options,” and clear the “Autorun Directory” field to prevent automatic execution of malicious files.
  • Place Systems Behind a Firewall: Restrict internet-facing access to Cleo servers to minimize exposure. Where possible, disable external access entirely.
  • Monitor for Indicators of Compromise (IoCs):
    • Watch for unusual network activity or file uploads, such as main.xml or encoded malicious payloads.
    • Block malicious IPs associated with Cl0p campaigns:
      • 176[.]123[.]5[.]126, 5[.]149[.]249[.]226, 185[.]181[.]230[.]103.
  • Strengthen Security Controls: Enforce strong, unique passwords for Cleo systems, and enable multi-factor authentication (MFA) to reduce unauthorized access risks.
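The checklist above, together with the version caveat from the “Compounding Risk of Misconfiguration” section, as an added example that is not Cleo’s or Black Kite’s code. It triages a constructed inventory of Cleo hosts by build number, Autorun setting and internet exposure, and emits a prioritized work queue. The fixed builds are taken from Cleo’s advisories (5.8.0.21 for CVE-2024-50623, bypassed; 5.8.0.24 for CVE-2024-55956); host names and paths are hypothetical.

```python
"""Added example (not Cleo's or Black Kite's code): triage a Cleo host inventory
by build number, Autorun setting and exposure. Fixed builds are taken from Cleo's
advisories: 5.8.0.21 closes CVE-2024-50623 but was bypassed; 5.8.0.24 closes
CVE-2024-55956. Host names and paths are hypothetical."""
from dataclasses import dataclass

FIXED_50623 = (5, 8, 0, 21)
FIXED_55956 = (5, 8, 0, 24)
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "patched": 3}


def parse_version(text: str) -> tuple:
    """'5.8.0.21' -> (5, 8, 0, 21); short strings are padded so tuples compare cleanly."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Cleo version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


@dataclass
class CleoHost:
    name: str
    product: str          # Harmony, VLTrader or LexiCom
    version: str
    internet_facing: bool
    autorun_dir: str      # "" means the Autorun Directory field has been cleared


def triage(host: CleoHost) -> dict:
    """Decide which CVEs are still open on this build and what to do about it."""
    v = parse_version(host.version)
    open_cves = [cve for cve, fixed in (("CVE-2024-50623", FIXED_50623),
                                        ("CVE-2024-55956", FIXED_55956)) if v < fixed]
    actions = []
    if open_cves:
        actions.append("upgrade to 5.8.0.24 or later")
    if host.autorun_dir:
        actions.append("clear the Autorun Directory field (Configure > Options)")
    if host.internet_facing and open_cves:
        actions.append("restrict at the firewall until patched")
    if host.internet_facing:
        # Patching evicts nobody: a host that was reachable while exploitable needs a hunt.
        actions.append("hunt for IoCs and unauthorized files")
    if open_cves and host.internet_facing:
        severity = "critical"
    elif open_cves:
        severity = "high"
    elif host.autorun_dir:
        severity = "medium"
    else:
        severity = "patched"
    return {"host": host.name, "product": host.product, "version": host.version,
            "open_cves": open_cves, "severity": severity, "actions": actions}


def triage_inventory(hosts):
    """Worst first, so the list reads as a work queue."""
    return sorted((triage(h) for h in hosts), key=lambda r: SEVERITY_ORDER[r["severity"]])


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    CleoHost("edi-gw-01", "Harmony", "5.8.0.21", True, r"C:\Cleo\Harmony\autorun"),
    CleoHost("edi-gw-02", "VLTrader", "5.8.0.24", True, ""),
    CleoHost("lexicom-dev", "LexiCom", "5.7.0.9", False, ""),
    CleoHost("vltrader-03", "VLTrader", "5.8.0.24", False, "/opt/cleo/vltrader/autorun"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['severity']:8} {row['host']:12} {row['version']:9} "
              f"{row['open_cves']} -> {row['actions']}")
```

The point the version comparison makes is the one the Huntress finding makes: a host that reports 5.8.0.21 looks “patched” to a questionnaire but still has CVE-2024-55956 open, so it is ranked critical when it is internet-facing.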

Understand and Mitigate Supply Chain Risks

Even if your organization does not use Cleo directly, there is significant indirect risk if your vendors, trading partners, or customers rely on Cleo systems. Cl0p’s attack campaigns historically spread across entire ecosystems, impacting organizations that were never direct targets.

Steps to address cascading risks include:

  • Identify Affected Vendors:
    • Use the Cleo Integration – Ransomware Risk FocusTag to identify trading and application partners exposed to potential ransomware threats.
    • Review vendor dependencies to understand which of your critical suppliers or partners use Cleo’s Integration Cloud (CIC).
  • Engage Vendors with Actionable Intelligence:
    • Share specific IoCs and mitigation steps to raise awareness among vendors. Black Kite customers have used Black Kite Bridge™ to streamline outreach, allowing vendors to address vulnerabilities faster and confirm remediations.
  • Prioritize Based on Criticality:
    • Focus efforts on vendors and partners critical to your operations. Map out supply chain dependencies to identify where disruptions would cause the most significant impact.
  • Test Contingency and Response Plans:
    • Develop or review backup and disaster recovery plans to ensure operational continuity if a critical vendor is compromised.
    • Identify alternative suppliers or redundancies in workflows to minimize downtime.

Strengthen Long-Term Cyber Resilience

While the immediate priority is mitigating Cleo-related risks, this incident underscores the broader need for improved third-party risk management and supply chain resilience. In an interconnected world, risks like Cleo’s vulnerabilities don’t stay isolated—they ripple across entire ecosystems. Whether you’re a direct user of Cleo systems or part of a broader supply chain, visibility and decisive action are critical to minimizing ransomware risk.

Organizations should take steps to ensure they are prepared for future events:

  • Enhance Visibility:
    • Continuously monitor vendor risk exposure, particularly for critical tools like MFT solutions that manage sensitive data and workflows.
    • Proactively identify vulnerable systems across your supply chain using external intelligence and risk assessments.
  • Adopt Threat Intelligence Tools:
    • Leverage risk intelligence platforms to identify vulnerabilities, IoCs, and dark web chatter before incidents escalate. Tools like Black Kite’s FocusTags allow organizations to stay ahead of emerging threats and act decisively.
  • Collaborate with Vendors:
    • Build stronger relationships with third-party vendors to ensure faster response times during incidents. Avoid overwhelming vendors with repetitive questionnaires and focus on sharing actionable intelligence they can act on.
  • Conduct Regular Security Audits:
    • Evaluate the security posture of both internal systems and vendor environments, ensuring that vulnerabilities are identified and addressed before they can be exploited.

By addressing vulnerabilities internally, working proactively with vendors, and strengthening long-term cyber resilience, organizations can mitigate the cascading impacts of supply chain ransomware attacks.

Final Thoughts

The Cleo exploitation campaign is another stark example of how quickly ransomware groups like Cl0p can exploit critical vulnerabilities to disrupt organizations and their interconnected supply chains. By targeting tools that sit at the heart of business operations, Cl0p has shown once again that the impacts of these attacks are rarely limited to direct victims.

At Black Kite, we believe that speed, visibility, and actionable intelligence are key to minimizing risk in moments like these. The release of the Cleo File Transfer FocusTag™ and the Cleo Integration – Ransomware Risk FocusTag™ allowed our customers to take immediate action—internally patching vulnerabilities, identifying at-risk vendors, and prioritizing outreach campaigns.

These efforts are a testament to the collaborative work of the BRITE team, who identified and tracked this threat, and the Customer Success, Support, and Product and Development teams, who made this intelligence actionable for our customers.

While the Cleo vulnerabilities may dominate headlines today, the lesson for tomorrow is clear:
Know your vendors. Know their dependencies. And act decisively when risk emerges.

The next wave of ransomware will come—it always does. Organizations that prioritize visibility, operationalize risk intelligence, and strengthen supply chain resilience will be the ones who weather it best.

References

https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks

https://www.bleepingcomputer.com/news/security/cisa-confirms-critical-cleo-bug-exploitation-in-ransomware-attacks

https://www.cisa.gov/news-events/alerts/2024/12/13/cisa-adds-one-known-exploited-vulnerability-catalog

https://arcticwolf.com/resources/blog-uk/cleopatras-shadow-a-mass-exploitation-campaign-uk

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://infosec.exchange/@SophosXOps/113631363563332166


The post Cl0p’s Exploitation of Cleo Puts the Supply Chain at Immediate Risk appeared first on Black Kite.

When Ransomware Ruins the Supply Chain: Lessons from Blue Yonder and the Rise of Termite Ransomware Group

11 December 2024 at 15:11

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

Has your vacation ever been interrupted by a ransomware incident? Mine was.

It was Thanksgiving week, and I had promised myself a break—a chance to recharge, disconnect, and enjoy time with my family in Florida. For once, I left my laptop behind. That plan didn’t last long. One morning, while watching the sunrise, messages started pouring in: Blue Yonder, a key supply chain provider for major retailers like Starbucks and Sainsbury’s, had been hit by a ransomware attack.

Black Kite customers can see where Blue Yonder affects its nth-party vendors in our Supply Chain module.

As a TPRM professional, I knew what this meant—ripples of disruption across countless interconnected businesses. Even on vacation, there’s no “off button” when it comes to managing third-party risks. I immediately reached out to the Black Kite Research and Intelligence Team (BRITE) that I lead. From my phone, I watched our team spring into action. Within hours, we had developed and delivered actionable insights, helping our clients assess their exposure and understand the downstream risks.

This incident drove home a critical truth:

In today’s hyperconnected world, supply chain risk isn’t something you can leave behind, even on vacation. It’s about more than managing vendors; it’s about having the tools and intelligence to act quickly when cascading risks emerge.

In this blog, we’ll dive into the Blue Yonder ransomware attack, the rise of groups like Termite, and why new ransomware groups keep appearing. More importantly, we’ll explore how you can stay one step ahead in managing third-party and supply chain risks—so you don’t lose sleep, or your vacation, over the next big breach.

What Happened: The Blue Yonder Ransomware Incident

It started with an attack highlighting the growing risks in supply chain dependencies. On November 21, 2024, Blue Yonder—a key supply chain provider for global brands like Starbucks, Sainsbury’s, and Morrisons—fell victim to a ransomware attack. The impact rippled quickly, disrupting services many businesses relied on to manage employee schedules, warehouse operations, and supply chain logistics. For some, the fallout meant immediate operational delays; for others, it meant grappling with manual workarounds as they scrambled to keep shelves stocked and orders moving.

The group behind the attack, known as Termite, claimed responsibility a few days later, boasting about exfiltrating 680GB of data. Their dark web blog would later confirm the data breach, listing everything from internal emails to sensitive insurance documents. For Blue Yonder’s clients, this wasn’t just a vendor issue—it was a business continuity crisis. 

Meanwhile, our team at Black Kite moved quickly, leveraging our intelligence capabilities to identify impacted companies and guide them through their response.

Here’s how the incident unfolded:

  • November 21, 2024: Blue Yonder detected a ransomware attack targeting its managed services, disrupting key supply chain operations.
  • November 25, 2024: Media reports surfaced, revealing the widespread impact on businesses dependent on Blue Yonder.
  • November 27, 2024: Black Kite issued a FocusTag, providing customers with actionable intelligence to assess risks and engage with their vendors.
  • December 6, 2024: Termite published stolen data on their leak site, confirming the scale of the breach.
  • December 10, 2024: Active exploitation of a Cleo file transfer vulnerability (CVE-2024-50623) was reported, with indicators overlapping those of the Termite attack, though the link was not confirmed. Black Kite issued another FocusTag to address this emerging risk.

The incident wasn’t just about Blue Yonder. It exposed how a single breach in the supply chain can snowball, impacting industries, businesses, and consumers alike. For those of us in the third-party risk management (TPRM) community, it’s a stark reminder:

Understanding your vendor relationships isn’t enough. You need to understand how their vulnerabilities can become your vulnerabilities.

This brings us to the bigger question: what does this mean for the TPRM and supply chain risk management community?

Why This Matters for the TPRM Community

The Blue Yonder ransomware attack exposed a crucial challenge for the TPRM community: understanding not just your vendors, but your vendors’ vendors. The ripple effects of this incident weren’t limited to companies directly relying on Blue Yonder’s supply chain solutions. Any organization whose third parties depended on Blue Yonder faced disruptions, even if they didn’t realize the connection beforehand.

This interconnected nature of modern supply chains creates risks that are often hidden until a breach occurs. Many organizations struggle with mapping these dependencies, leaving critical gaps in their risk management strategies. The Blue Yonder incident illustrates why knowing who is at risk is as important as knowing how the risk manifests.

Black Kite Supply Chain Module showing the concentration risk for Blue Yonder for a Black Kite customer.

For the TPRM community, this event highlights a few key lessons:

  1. Supply Chain Depth Matters: Risk doesn’t stop at your direct vendors. Businesses need to look deeper into their supply chains to identify dependencies and assess potential exposure.
  2. Hidden Vulnerabilities Multiply Risks: A vendor may seem low-risk on the surface, but its reliance on another compromised provider can bring unexpected consequences. The cascading nature of the Blue Yonder attack demonstrates how quickly these vulnerabilities can escalate.
  3. Targeting the Supply Chain: Ransomware groups are increasingly focused on supply chains because of the widespread impact they can achieve. The more connected an ecosystem is, the greater the potential for disruption.

Understanding these layers of risk is no longer optional. It’s essential for protecting operations and mitigating the fallout of third-party incidents. While assessing direct vendors is critical, a comprehensive approach to supply chain risk must go further, examining the relationships and dependencies that sit just below the surface.

The question for the TPRM community isn’t whether your organization is prepared to respond—it’s whether you know where to look before the next attack lands.

Understanding the risk is only part of the equation. To truly prepare, we need to understand the attackers themselves—who they are, how they operate, and why new ransomware groups seem to emerge every other week.

The Rise of Termite: A New Player in the Ransomware Ecosystem

Who is the Termite Ransomware Group?

Termite is a relatively new player in the ransomware ecosystem, but their operations suggest a group with significant capability and intent. They’ve already targeted industries spanning logistics, manufacturing, retail, and public services, with victims reported across North America, Europe, and Asia. Their choice of targets reflects a deliberate focus on high-impact sectors, particularly those integral to supply chains.

Termite Ransomware Group’s dark web main page, showing the alleged victims.

Interestingly, Termite has publicly announced only seven victims on their dark web leak site. However, the true number of organizations affected remains unknown. Ransomware groups often withhold some victims from public disclosure, either because negotiations are ongoing or because the victims have paid the ransom. This lack of transparency leaves a significant gap in understanding the full scale of Termite’s impact.

Termite Ransomware Group’s dark web Support Page.

What sets Termite apart is their use of ransomware closely resembling the Babuk family. Babuk, infamous for its efficient encryption and focus on industrial and supply chain sectors, had its source code leaked in mid-2021. Elements of Babuk’s methodology have since surfaced in various ransomware operations, and Termite appears to have adopted and refined these techniques.

By leveraging Babuk’s leaked code, Termite has likely reduced their development overhead, allowing them to scale their operations more efficiently while avoiding significant technical pitfalls.

How They Operate: Insights into Termite’s Tactics

While Termite’s full operational methods remain under investigation, certain tactics have been observed or suggested by researchers:

  • Critical Vulnerabilities:
    • Termite has exploited CVE-2024-50623, a vulnerability in Cleo Harmony, VLTrader, and LexiCom. This flaw allows remote code execution through unrestricted file uploads, enabling attackers to place malicious files in the autorun directory for automatic execution. This vulnerability has been observed in attacks targeting industries heavily reliant on file transfer systems.
  • Indicators of Compromise (IoCs):
    • IoCs associated with Termite have been published on platforms like VirusTotal, highlighting suspicious files and network activity. These include patterns of encoded malicious payloads and reconnaissance tools used for privilege escalation and lateral movement.

IoC details on VirusTotal for Termite Ransomware.

Additionally, researchers have speculated about inaccessible or outdated Fortinet VPN servers playing a role in Termite’s targeting, but this remains unverified and should be interpreted cautiously.

By focusing on unpatched vulnerabilities in critical systems, Termite has shown a strategic approach to targeting organizations with exploitable weaknesses, amplifying their impact across supply chains and interconnected networks.
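The IoC discussion above points to a routine defender-side check: hash every file under a directory, compare against a blocklist of known-bad SHA-256 values, and flag anything that is not on the approved list for that directory, which is how the contents of a file-transfer server's autorun or plugin directory should be reviewed. The following is an added example and not code from this post or from Black Kite. Its blocklist holds the VirusTotal sample hash cited in the references of this post plus the SHA-256 of an empty file (constructed, so the demo can match something offline); the scanned directory and its files are constructed, and the real autorun path of a given product is not given here and must be passed in.

```python
"""Added example (not Black Kite's code or any Termite IoC tooling): hash files under a
directory, match them against known-bad SHA-256 values and flag anything missing
from an approved baseline."""
import hashlib
import tempfile
from pathlib import Path

# Known-bad SHA-256 values. The first is the VirusTotal sample hash cited in this
# post's references; the second is the SHA-256 of an empty file, included only so
# the offline demo below has something to match (constructed, not a real IoC).
KNOWN_BAD_SHA256 = frozenset({
    "f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
})


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large artifacts never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(directory, known_bad=KNOWN_BAD_SHA256, baseline=frozenset()):
    """Walk `directory` and return findings as dicts with path, sha256 and reasons.

    'ioc_match' means the hash is on the blocklist; 'not_in_baseline' means the
    relative path was not in the approved file list (pass the expected contents
    of a server's autorun or plugin directory as the baseline)."""
    root = Path(directory)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        reasons = []
        if digest in known_bad:
            reasons.append("ioc_match")
        if baseline and rel not in baseline:
            reasons.append("not_in_baseline")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings


def demo_scan():
    """Build a constructed directory and scan it: an approved config file, an empty
    file whose hash is on the blocklist, and an unexpected new file."""
    root = Path(tempfile.mkdtemp())
    (root / "approved.xml").write_bytes(b"<config/>")
    (root / "dropped.bin").write_bytes(b"")
    (root / "unexpected.jar").write_bytes(b"PK\x03\x04")
    return scan_directory(root, baseline=frozenset({"approved.xml"}))


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding["path"], finding["sha256"][:12], ",".join(finding["reasons"]))
```

The baseline check matters as much as the hash match: a blocklist only catches samples that have already been published, while a file that simply should not be in a directory that executes its contents is a finding on its own.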

Analyzing the Victims: Patterns Behind the Targets

When we examined the organizations impacted by Termite, a clear pattern emerged. These weren’t random attacks—they were calculated, deliberate strikes against companies with visible weaknesses. While we can’t confirm the exact vulnerabilities exploited, the signs of trouble were there well before the ransomware hit.

What did we find? Three factors stood out:

  1. Critical Vulnerabilities: ALL victims had critical vulnerabilities, including some listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. These are the kinds of vulnerabilities that make organizations stand out to attackers—visible, exploitable, and often overlooked.
  2. Leaked Credentials: In almost every case, we found fresh credentials—leaked within the last 90 days—circulating on dark web forums. Attackers don’t need advanced tools when they can simply log in with exposed passwords.
  3. Stealer Logs: Multiple victims were flagged in stealer logs, indicating malware infections that had already siphoned sensitive data like passwords, cookies, or session tokens. It’s like leaving the front door open in a neighborhood known for burglaries.

What this tells us is simple: these companies were sending the wrong signals to attackers. They didn’t just have vulnerabilities—they had vulnerabilities that attackers look for.

The Role of RSI: Turning Risk into Action

This is where the Ransomware Susceptibility Index (RSI) comes in. As one of the co-inventors of the methodology, I take great pride in how it helps organizations see what attackers see. RSI isn’t just a number—it’s a reflection of how attractive a company looks to a ransomware group.

RSI values of Termite Ransomware victims before they experienced the ransomware incident indicate they were “juicy targets.”

Ransomware, in general, is a rare event. Fewer than 10,000 companies worldwide have ever experienced a successful ransomware attack. That’s a tiny fraction when you consider the millions of businesses out there.

But here’s the catch: for certain companies, the odds are much higher. A high-impact company in a highly regulated industry located in a wealthy country and with visible weaknesses—what I like to call a “juicy target”—isn’t operating in the same reality as a well-fortified business. RSI captures this difference.

Power of RSI based on analysis over 4,700 ransomware victims and 250,000 non-victims.

When we talk to our customers, we emphasize that an RSI value of 0.4 is the critical threshold. Above that, the risk isn’t something you can ignore. It’s a warning sign, flashing like a beacon in the dark web where ransomware groups lurk looking for their next victim. In fact, nearly half of companies with an RSI above 0.8 become victims. In a world where ransomware is supposed to be rare, those numbers are staggering. They tell us that the risk isn’t random—it’s predictable. And the companies that don’t heed it? They’re the ones we often end up seeing in headlines.
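To make the three signals from the victim analysis and the 0.4 threshold concrete, here is an added example (not Black Kite's RSI implementation, whose formula is not published here) that triages a list of vendors and ranks them for outreach. It takes an externally supplied susceptibility score in the 0 to 1 range as an input it does not compute, applies the post's stated 90-day window for fresh credential leaks and the 0.4 warning threshold, and combines them with KEV-listed CVEs and stealer-log hits using rules that are this example's own assumption. Vendor names and values are constructed.

```python
"""Added example (not Black Kite's RSI implementation): triage vendors on the three
signals described above plus an externally supplied susceptibility score, and
rank them for outreach. The combination rules are this example's assumption."""
from dataclasses import dataclass, field
from datetime import date, timedelta

CRITICAL_THRESHOLD = 0.4      # the RSI warning threshold stated in the post
FRESH_LEAK_WINDOW_DAYS = 90   # the post's window for "fresh" leaked credentials


@dataclass
class VendorSignals:
    name: str
    susceptibility: float          # 0..1 score from an external rating (assumed input)
    kev_cves: list = field(default_factory=list)               # KEV-listed CVEs on its assets
    credential_leak_dates: list = field(default_factory=list)  # dates leaks were seen
    stealer_log_hits: int = 0      # stealer-log records naming the vendor


def fresh_leaks(leak_dates, today, window_days=FRESH_LEAK_WINDOW_DAYS):
    """Leaks seen within the window; older ones are noise for this purpose."""
    cutoff = today - timedelta(days=window_days)
    return [d for d in leak_dates if d >= cutoff]


def triage(vendor, today):
    """Return (priority, reasons), priority in {'critical', 'elevated', 'monitor'}."""
    reasons = []
    if vendor.kev_cves:
        reasons.append(f"{len(vendor.kev_cves)} KEV-listed CVE(s)")
    leaks = fresh_leaks(vendor.credential_leak_dates, today)
    if leaks:
        reasons.append(f"{len(leaks)} credential leak(s) in last {FRESH_LEAK_WINDOW_DAYS} days")
    if vendor.stealer_log_hits:
        reasons.append(f"{vendor.stealer_log_hits} stealer-log hit(s)")
    above = vendor.susceptibility >= CRITICAL_THRESHOLD
    if above and len(reasons) >= 2:
        return "critical", reasons
    if above or reasons:
        return "elevated", reasons
    return "monitor", reasons


def rank_for_outreach(vendors, today):
    """Order vendors: critical first, then elevated, then monitor; ties by score."""
    order = {"critical": 0, "elevated": 1, "monitor": 2}
    rows = [(v, *triage(v, today)) for v in vendors]
    rows.sort(key=lambda r: (order[r[1]], -r[0].susceptibility))
    return [(v.name, priority, reasons) for v, priority, reasons in rows]


# Constructed sample vendors (names and values are made up).
TODAY = date(2024, 12, 15)
SAMPLE_VENDORS = [
    VendorSignals("Acme Logistics", 0.85, ["CVE-2024-50623"], [date(2024, 11, 20)], 3),
    VendorSignals("Beta Retail", 0.55, [], [date(2024, 6, 1)]),
    VendorSignals("Gamma Manufacturing", 0.20, stealer_log_hits=1),
    VendorSignals("Delta Foods", 0.10),
]

if __name__ == "__main__":
    for name, priority, reasons in rank_for_outreach(SAMPLE_VENDORS, TODAY):
        print(f"{priority:9} {name}: {'; '.join(reasons) or 'no signals'}")
```

The reasons list is kept alongside the priority on purpose: when the output drives vendor outreach, the vendor needs to be told which signal put them on the list, not just that a score crossed a line.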

This isn’t just a lesson for the companies impacted by Termite. It’s a lesson for anyone who thinks their risk ends at their firewalls. Understanding your vulnerabilities—and how they look to attackers—isn’t just smart; it’s necessary.

A Changing Ecosystem: The Proliferation of Ransomware Groups

One striking trend in the ransomware ecosystem is the rapid emergence of new groups. Every few weeks, a new group launches its dark web blog, often debuting with dozens of victims already listed. Termite is part of this wave.

This shift can be attributed to the collapse or rebranding of major groups like AlphV and LockBit. Some affiliates have pivoted to becoming operators themselves, while others may be remnants of older groups operating under new names. This churn creates instability in the ecosystem, but it also signals a growing sophistication among attackers. Groups like Termite are leveraging mature tactics—such as exploiting software vulnerabilities and maximizing supply chain impact—to establish themselves quickly.

Understanding this evolving ecosystem is critical for the TPRM community. It’s not just about tracking known ransomware groups—it’s about anticipating the next wave before it arrives.

How TPRM Professionals Should Respond

Events like the Blue Yonder ransomware attack highlight a key challenge in third-party risk management: the need for timely, actionable insights without overwhelming vendors. While asking questions is necessary, it’s equally important to recognize the burden vendors face when multiple clients demand answers during a crisis. A more proactive process, using tools to identify potential risks and ransomware indicators and limiting outreach to the most critical vendors, helps you prioritize the actions that will have the biggest impact.

Balancing the Need for Answers with Vendor Empathy

When incidents occur, vendors often receive identical questionnaires from several clients. This creates frustration, delays, and the potential for incomplete or rushed responses. To minimize this strain, TPRM professionals should focus on targeted, relevant questions and approach vendors with empathy. Acknowledging the challenges they face can lead to better collaboration and more accurate insights.

When reaching out to vendors, consider framing your questions with transparency and understanding:

“We understand you’re receiving inquiries from multiple clients during this challenging time. To help us assess any potential risks, could you share insights specific to your relationship with Blue Yonder?”

Key Questions to Ask

When reaching out to vendors, focus on gathering the most critical information to assess your exposure:

  1. Have you used Blue Yonder’s services recently or currently? If so, which ones?
  2. Have you experienced any disruptions related to Blue Yonder’s recent ransomware incident?
  3. Have you conducted a review of your systems for Indicators of Compromise (IoCs) linked to the Blue Yonder attack?
  4. What contingency measures are in place if Blue Yonder’s services are further disrupted?

Actions to Take When a Vendor Relies on Blue Yonder

If a vendor confirms reliance on Blue Yonder, consider the following steps:

  • Open Communication: Request regular updates about the vendor’s remediation efforts and the potential impact on your operations.
  • Collaborate on Mitigation: Work with the vendor to identify practical steps to reduce risks, such as reviewing affected systems or implementing additional controls.
  • Review Agreements: Examine contracts and SLAs to understand the vendor’s obligations during service disruptions and how they’re addressing them.
  • Encourage Contingency Planning: If not already in place, suggest backup plans or alternative solutions for services dependent on Blue Yonder.

Can We Be More Proactive?

Proactivity in TPRM is no longer a luxury; it’s a necessity. With tools like digital footprints, supply chain visibility maps, and third-party intelligence, TPRM professionals can identify potential risks before they become immediate threats.

For instance, instead of waiting for a vendor to disclose their relationship with Blue Yonder, professionals can use external intelligence to identify those connections proactively. By analyzing subdomains, IP address allocations, and other open-source data, you can create a clearer picture of your supply chain dependencies without relying solely on vendor responses.

Furthermore, proactive risk monitoring with methodologies like the Ransomware Susceptibility Index (RSI) can identify which vendors in your ecosystem are most at risk of ransomware attacks. This allows you to prioritize preemptive actions, such as targeted security reviews or recommending specific mitigations to vulnerable vendors.

In the end, visibility is key. You can’t secure what you can’t see, and understanding the web of relationships within your supply chain is essential for protecting your organization in a world where third-party incidents are becoming the norm.

Recognizing Questionnaire Fatigue

Proactive intelligence also reduces questionnaire fatigue on the vendor’s side. By knowing who is likely affected, you can limit outreach to only those vendors where risk is most apparent. This helps maintain trust and collaboration, ensuring that vendors don’t feel overwhelmed or undervalued.

The balance between asking questions and showing empathy is critical. Vendors are your partners in the supply chain, and their resilience is tied to yours. By taking a thoughtful, data-driven approach, TPRM professionals can build stronger relationships while protecting their organizations from cascading risks.

Operationalizing Intelligence: FocusTags for Blue Yonder and Cleo Vulnerability

Blue Yonder Client FocusTag™

When the Blue Yonder ransomware incident unfolded, the critical challenge for organizations was determining their exposure. Identifying whether vendors relied on Blue Yonder’s services—or were indirectly impacted—wasn’t always clear. To bridge this gap, we released the Blue Yonder Client FocusTag on November 27, just days after the incident entered the public domain.

Black Kite’s Blue Yonder Client FocusTag™ details.

How We Identified Blue Yonder Clients

To create the Blue Yonder FocusTag™, we relied on a comprehensive methodology rooted in publicly available information and open-source intelligence (OSINT). Our approach included:

  1. Blue Yonder’s Own Website and Customer Testimonials:
    • We reviewed case studies, customer testimonials, and success stories published by Blue Yonder to identify companies explicitly listed as clients. These firsthand sources provided strong indicators of relationships with Blue Yonder’s services.
  2. Cybersecurity News and Public Reports:
    • By analyzing industry-specific news and public reports about the Blue Yonder incident, we identified companies that were mentioned as impacted or associated with Blue Yonder’s services. Press releases and investigative journalism often provide critical clues in these scenarios.
  3. Job Postings:
    • Job descriptions and postings from various companies mentioning Blue Yonder skills or systems were another valuable source. These postings often indicate active or recent use of Blue Yonder’s solutions.

Transparency Through Confidence Levels

We understand that no intelligence process is perfect, which is why transparency is at the heart of every FocusTag™. For the Blue Yonder Client FocusTag™, we provided a confidence level based on the strength and reliability of our sources:

  • Very High confidence when derived from direct evidence such as Blue Yonder’s own materials or official testimonials.
  • High confidence for cases where vendor relationships were inferred from multiple direct and indirect sources like news or job postings in high volume.
  • Medium confidence for cases where vendor relationships were inferred from indirect sources like news or job postings.
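The confidence levels above, together with the earlier point about inferring dependencies from subdomains and other open-source data, can be expressed as a small evidence-aggregation step. The following is an added example, not Black Kite's FocusTag pipeline: it turns constructed CNAME records that land in a supplier's domain into evidence items, adds job-posting and news items, and maps the mix to Very High, High or Medium. The evidence source names, the supplier domain, the DNS records and the "high volume" cutoff of three indirect items are all this example's assumptions.

```python
"""Added example (not Black Kite's FocusTag pipeline): combine OSINT evidence that
a vendor depends on a supplier into one of the confidence levels described above."""
from collections import Counter

DIRECT_SOURCES = frozenset({"supplier_case_study", "supplier_testimonial"})
INDIRECT_SOURCES = frozenset({"news_report", "job_posting", "dns_cname"})
HIGH_VOLUME = 3  # assumed: this many indirect items is treated as "high volume"


def cname_points_to(target, supplier_domains):
    """True when a CNAME target is the supplier's domain or a host under it.
    The suffix match is anchored on a dot so 'notsupplier.example' does not match."""
    t = target.rstrip(".").lower()
    return any(t == d or t.endswith("." + d) for d in supplier_domains)


def dns_evidence(cname_records, supplier_domains):
    """Turn (hostname, cname_target) pairs into evidence items."""
    return [{"source": "dns_cname", "detail": f"{host} -> {target}"}
            for host, target in cname_records
            if cname_points_to(target, supplier_domains)]


def confidence(evidence):
    """Very High: any direct source. High: indirect items at high volume.
    Medium: some indirect evidence. None: nothing found."""
    by_source = Counter(e["source"] for e in evidence)
    if any(s in DIRECT_SOURCES for s in by_source):
        return "Very High"
    indirect = sum(n for s, n in by_source.items() if s in INDIRECT_SOURCES)
    if indirect >= HIGH_VOLUME:
        return "High"
    if indirect:
        return "Medium"
    return None


# Constructed sample: a supplier domain and one vendor's DNS records.
SUPPLIER_DOMAINS = frozenset({"supplier.example"})
SAMPLE_CNAMES = [
    ("wms.vendor-a.example", "tenant42.supplier.example."),
    ("www.vendor-a.example", "cdn.notsupplier.example."),
]
SAMPLE_EVIDENCE = dns_evidence(SAMPLE_CNAMES, SUPPLIER_DOMAINS) + [
    {"source": "job_posting", "detail": "Senior engineer, supplier platform (constructed)"},
    {"source": "news_report", "detail": "Trade press names vendor-a as a user (constructed)"},
]

if __name__ == "__main__":
    for item in SAMPLE_EVIDENCE:
        print(item["source"], item["detail"])
    print("confidence:", confidence(SAMPLE_EVIDENCE))
```

Keeping the evidence items themselves, not only the resulting level, is what lets a customer explain to a vendor why they were contacted; the level alone is a ranking aid.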

This transparency allows our customers to prioritize their actions based on the reliability of the information. By knowing how we reached our conclusions, customers can better align their response strategies.

How Customers Operationalized the Blue Yonder FocusTag™

The FocusTag™ gave our customers a head start in managing risks related to the Blue Yonder incident. Here’s how they operationalized it:

  • Targeted Vendor Outreach: By filtering monitored vendors tagged with the Blue Yonder FocusTag™, customers could prioritize outreach to those potentially impacted. The confidence level provided clarity, helping them decide where to focus their efforts first.
  • Initiating Outreach Campaigns with Black Kite Bridge: Many customers used Black Kite Bridge™ to streamline their communication with vendors identified as susceptible to the Blue Yonder incident. Through Bridge, they launched outreach campaigns directly from the platform, requesting information or actions related to risk mitigation. This simplified the process, reducing time and effort while ensuring consistent communication.
  • SOC Integration: Security Operations Centers (SOCs) used the FocusTag™ to identify potential risks in their networks, cross-referencing IoCs linked to the Blue Yonder attack.
  • Investigating Concentration Risk with the Supply Chain Module: Customers leveraged the Black Kite Supply Chain module to assess their overall risk exposure, identifying the concentration of dependencies on Blue Yonder across their vendor ecosystem. This added layer of analysis helped them understand the broader implications of the incident and prepare for potential cascading effects.
  • Risk Mitigation: Armed with evidence from the tag, customers engaged vendors to verify their exposure and implement mitigation measures.

Customer Feedback on the Blue Yonder FocusTag™

The response from customers was overwhelmingly positive. Many noted that the FocusTag™ provided actionable insights faster than the disclosures from Blue Yonder or the impacted vendors. One customer shared how the tag helped their SOC team discover potential risks in their network, while others appreciated the speed and clarity of the intelligence, allowing them to act with precision during a chaotic event.

The addition of tools like Black Kite Bridge™ and the Supply Chain module further enhanced their ability to respond effectively. Bridge streamlined outreach, allowing customers to communicate with vendors quickly and consistently. The Supply Chain module provided critical insights into systemic risks, helping customers not just react but plan for similar incidents in the future.

The feedback reinforced the importance of timely, precise intelligence in third-party risk management, especially during fast-moving incidents like this one.

Cleo File Transfer FocusTag™

Another critical risk emerged after the Blue Yonder incident: the vulnerability in Cleo Harmony, VLTrader, and LexiCom (CVE-2024-50623). Cleo’s prominence in supply chain operations made this flaw a significant threat. Researchers have also suggested that Termite might be actively exploiting this vulnerability, further elevating its risk profile. To address it, we released the Cleo File Transfer FocusTag™ on December 10, providing actionable intelligence to our customers.

Black Kite’s CLEO File Transfer FocusTag™ details.

Identifying Risk from the Cleo Vulnerability

We used open-source intelligence (OSINT) and digital footprint analysis to pinpoint companies potentially exposed to this vulnerability. By analyzing public-facing IT asset details, we identified over 2,000 assets running vulnerable versions of Cleo products. This level of specificity—down to the exact IT asset and version—elevated the confidence level of this FocusTag to Very High.

The intelligence drew parallels to the infamous MOVEit vulnerability exploited by the Cl0p ransomware group in 2023. Like MOVEit, Cleo’s vulnerability allowed unauthorized file uploads and remote code execution, making it an attractive target for sophisticated threat actors.

How Customers Use the Cleo File Transfer FocusTag™

The Cleo FocusTag™ equipped our customers with actionable intelligence, eliminating the need for traditional vendor questionnaires. Instead of asking vendors if they used Cleo products, customers could share detailed risk intelligence, including:

  • The specific IT assets and versions running Cleo software.
  • Recommended actions for immediate remediation, such as patching to the latest version or disabling autorun functionality.
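Selecting the assets that are actually on a vulnerable version is where inventory data commonly goes wrong: comparing version strings lexically puts "5.8.0.9" after "5.8.0.21". Here is an added example (not Black Kite's digital-footprint code) of the version comparison such a filter needs, applied to a constructed inventory of the three Cleo products named above. The fixed version used in the demo is an assumed placeholder; take the real value from the vendor advisory for the CVE being checked.

```python
"""Added example (not Black Kite's footprint code): select inventory assets running a
product version older than the fixed version, comparing numerically."""
import re


def parse_version(text):
    """'5.8.0.21' -> (5, 8, 0, 21). Stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_below(version, fixed):
    """Numeric comparison with zero padding, so '5.8' equals '5.8.0'."""
    a, b = parse_version(version), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


CLEO_PRODUCTS = frozenset({"Cleo Harmony", "VLTrader", "LexiCom"})


def vulnerable_assets(inventory, fixed_version, products=CLEO_PRODUCTS):
    """Return hostnames of assets running one of `products` below `fixed_version`."""
    return [a["host"] for a in inventory
            if a["product"] in products and version_below(a["version"], fixed_version)]


# Constructed inventory. FIXED_VERSION is an assumed placeholder: take the real
# value from the vendor advisory for the CVE you are checking.
FIXED_VERSION = "5.8.0.21"
SAMPLE_INVENTORY = [
    {"host": "mft1.vendor-a.example", "product": "Cleo Harmony", "version": "5.8.0.9"},
    {"host": "mft2.vendor-a.example", "product": "VLTrader", "version": "5.8.0.21"},
    {"host": "edi.vendor-b.example", "product": "LexiCom", "version": "5.7.0.1"},
    {"host": "web.vendor-b.example", "product": "Other Product", "version": "1.0"},
]

if __name__ == "__main__":
    print(vulnerable_assets(SAMPLE_INVENTORY, FIXED_VERSION))
```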

This intelligence was appreciated not only by customers but also by their vendors, who now had a clear understanding of the risk and steps to address it.

Tracking Remediations with Black Kite Bridge™

Black Kite Bridge™ further streamlined the remediation process. Customers used Bridge™ to:

  • Share Intelligence: Instead of sending questionnaires, customers shared detailed FocusTag™ intelligence with vendors, saving time and reducing vendor fatigue.
  • Monitor Progress: Bridge allowed customers to track remediation efforts, such as patching and configuration changes, without repeated follow-ups.

By removing the guesswork from vendor communications, Black Kite Bridge™ ensures a more efficient and collaborative approach to managing risks.

Behind the Scenes: Making Critical Intelligence Possible

As I reflect on the Blue Yonder incident and the subsequent Cleo vulnerability, I’m reminded of the incredible teamwork and dedication that went into delivering timely, actionable intelligence to our customers. This level of service—anticipating risks, providing precise insights, and enabling proactive measures—doesn’t happen by chance. It’s the result of a collective effort across multiple teams.

The Black Kite Research and Intelligence Team (BRITE) works tirelessly to analyze data, identify patterns, and craft FocusTags that offer clarity during uncertainty. Their expertise turns chaos into actionable insights.

But BRITE isn’t alone in this effort. Our Customer Success and Customer Support teams ensure that every customer has the guidance they need to operationalize this intelligence. Whether through Black Kite Bridge, the Supply Chain module, or one-on-one support, they help customers turn risk awareness into effective action.

The Black Kite Product and Development teams deserve equal credit. Their work makes tools like FocusTags, Bridge, and our digital footprint capabilities possible, allowing us to deliver intelligence with precision and confidence.

These incidents are a reminder of the complexity and interconnectedness of today’s supply chains. But they’re also a testament to what’s possible when we combine cutting-edge technology with human expertise. As ransomware groups evolve, so must we. And thanks to the efforts of everyone involved, our customers are better equipped to navigate these challenges and protect their businesses.

At Black Kite, we don’t just provide intelligence—we empower action. And in moments like these, I couldn’t be prouder of the team that makes it all possible.

References

https://blueyonder.com/customer-update

https://www.bleepingcomputer.com/news/security/blue-yonder-ransomware-attack-disrupts-grocery-store-supply-chain

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

https://cyble.com/blog/technical-look-at-termite-ransomware-blue-yonder

https://www.broadcom.com/support/security-center/protection-bulletin/termite-ransomware

https://therecord.media/blue-yonder-cyberattack-customer-systems-returning

https://twitter.com/valerymarchive/status/1858508329321931132?s=46&t=u19CbogN0TP7iqFc4MlyEQ

https://www.virustotal.com/gui/file/f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55

Check out our interactive ebook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events
