A Trend Micro report reveals that 52% of global organizations have a supply chain partner that was hit by ransomware.

Global organizations say they are increasingly at risk of ransomware compromise via their extensive supply chains. Out of 2,958 IT decision makers across 26 countries in North and South America, Europe, and APAC, 79% believe their partners and customers are making their organization a more attractive ransomware target, according to the latest research by Trend Micro. Fifty-two percent of the global organizations surveyed say they have a supply chain partner that has been hit by ransomware.

Supply chain and other partners include providers of IT hardware, software and services, open-source code repositories, and non-digital suppliers ranging from law firms and accountants to building maintenance providers. They make for a web of interdependent organizations.

“Supply chains are an attractive target because they can offer either a poorly defended access vector and/or an opportunity to multiply illicit profits by infecting many organizations through a single supplier,” the research report notes.

An example of this is the compromise of IT management software provider Kaseya in 2021. Through a sophisticated attack, hackers exploited an internal software vulnerability to push out malicious updates to its managed service provider customers. They in turn infected downstream customers with ransomware. An estimated 1,500-2,000 organizations were impacted.

Another example is the Log4j vulnerability, which saw supply chains experiencing difficulties when it came to keeping track of and patching flaws. Firms are still facing problems as they are unable to comprehensively locate the presence of Log4j across their systems, due to complex software dependencies, according to the Trend Micro research.

“Many DevOps teams use third-party components to accelerate time-to-market for their software. 
But these often introduce vulnerabilities or deliberately planted malware,” according to the research.

The average application development project contains 49 vulnerabilities spanning 80 direct dependencies (components or services called directly by code), while 40% of bugs are found in indirect dependencies (essentially, dependencies of the direct dependencies), according to a recent report from the Linux Foundation.

Transparency is key to supply chain security

Supply chain security can be improved by increasing transparency around cyber risk. However, only 47% of the organizations Trend Micro interviewed share knowledge about ransomware attacks with their suppliers, and 25% don’t share potentially useful threat information with partners.

“This could be because security teams don’t have information to share in the first place. Detection rates were worryingly low for ransomware activities,” according to the research. The detection rate is 63% for ransomware payloads, 49% for data exfiltration, 42% for initial access, and 31% for lateral movement, according to the report.

Steps to mitigate ransomware risk

Mitigation of ransomware risk should start at the organization level. “This would also help to prevent a scenario in which suppliers are contacted about breaches to pressure their partner organizations into paying up,” according to the research. In the last three years, 67% of respondents who had been attacked experienced this kind of blackmail to force payment.

While ransomware mitigation starts inside the firewall, the research suggests that it must then be extended to the wider supply chain to help reduce the risk from the third-party attack surface.

One of the best practices to reduce risk is to gain a comprehensive understanding of the supply chain itself, as well as the corresponding data flows, so that high-risk suppliers can be identified. “They should be regularly audited where possible against industry baseline standards. 
And similar checks should be enforced before onboarding new suppliers,” according to the research.

Other recommended practices include scanning open-source components for vulnerabilities and malware before they are used and built into CI/CD (continuous integration/continuous delivery) pipelines, running XDR (extended detection and response) programs to spot and resolve threats before they can make an impact, and running continuous risk-based patching and vulnerability management.

Supply chain attacks increase

Meanwhile, other research shows that cyberattacks on supply chains are increasing. They increased by 51% during the period July to December 2021, according to a report from NCC Group released in April. The study surveyed 1,400 cybersecurity decision makers and found that 36% believed that they are more responsible for preventing, detecting, and resolving supply chain attacks than their suppliers.

The NCC research found that only one in three businesses surveyed were confident they can respond quickly and effectively to a supply chain attack. Of the organizations surveyed, 34% said they were very resilient against such an attack.
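The Log4j passage above (firms unable to locate the library because of indirect dependencies) and the recommended practice of scanning open-source components before they enter the CI/CD pipeline both come down to one question an SBOM can answer: by which paths does a component reach the build? The following is an added example in Python, not code from the Trend Micro, Linux Foundation or NCC reports; the SBOM, the example/* package names and their dependency links are constructed, and only the log4j-core package URL refers to a real artifact.

```python
"""Added example (not from the Trend Micro or Linux Foundation reports): walk a
CycloneDX-style SBOM dependency graph and list every path that pulls in a given
component, here Log4j's log4j-core, as a direct or indirect dependency."""
import json

# Constructed sample: the "example/*" packages and their links are hypothetical.
SAMPLE_SBOM = json.dumps({
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0"}},
    "dependencies": [  # same shape as a CycloneDX "dependencies" array
        {"ref": "pkg:maven/example/app@1.0",
         "dependsOn": ["pkg:maven/example/web-framework@3.2",
                       "pkg:maven/example/json-lib@2.0",
                       "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
        {"ref": "pkg:maven/example/web-framework@3.2",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                       "pkg:maven/example/json-lib@2.0"]},  # cycle with json-lib
        {"ref": "pkg:maven/example/json-lib@2.0",
         "dependsOn": ["pkg:maven/example/web-framework@3.2"]},
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "dependsOn": []},
    ],
})

def find_paths(sbom_json, component_name):
    """Every path from the root component to a ref whose package URL contains
    component_name. Refs already on the path are skipped, so cycles terminate."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom["dependencies"]}
    paths = []

    def walk(node, path):
        if component_name in node:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:
                walk(child, path + [child])

    walk(root, [root])
    return paths

def classify(paths):
    """'direct' when the root itself lists the component, otherwise 'indirect'."""
    return [("direct" if len(p) == 2 else "indirect", p) for p in paths]

def ci_gate(sbom_json, blocked):
    """Pipeline check: pass only if no blocked component is reachable at all."""
    return all(not find_paths(sbom_json, name) for name in blocked)
```

Removing the direct dependency from the root alone would leave the two indirect paths in place, which is exactly the visibility gap the report describes.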