From Indicators to Intelligence
How to pinpoint Ransomware Risk with RSI™
Knowing who has been hit is useful. But knowing who's next is transformative.
If you want to understand how ransomware works, look at the victims. If you want to stop it, look at who’s next.
That’s the idea behind the Ransomware Susceptibility Index® (RSI™), a score that reflects the likelihood of an organization being on a ransomware group’s radar. Built by Black Kite’s Research & Intelligence Team (BRITE), RSI was introduced four years ago to help defenders think like attackers.
Ransomware groups don’t pick victims randomly. They weigh profitability, ease of access, geopolitical considerations, and even media visibility. RSI doesn’t just track misconfigurations or exposed ports. It reflects the ransomware mindset—how threat actors think, prioritize, and act. Since its launch, RSI has helped hundreds of risk and cybersecurity teams proactively identify the vendors and business units most likely to appear on a ransomware group’s radar.
What RSI Measures
RSI is a numerical score between 0.0 and 1.0, where a higher score represents greater susceptibility to a ransomware attack. But unlike traditional cyber risk metrics that focus solely on technical missteps, RSI is a composite score. It incorporates both:

- Technical Indicators: Misconfigurations, exposed remote ports, exploitable vulnerabilities, stealer logs, leaked credentials, botnet activity, and more.
- Intrinsic Risk Factors: Industry classification, geographic location, company size (revenue), and exposure history.
Black Kite’s Ransomware Susceptibility Index findings for a company show its likelihood of a ransomware attack and why.
Ransomware groups don’t need to know you to find you. They use automation, data leaks, and open-source scanning to identify low-friction, high-leverage targets. RSI is built on that logic.
Everything in this report—from industry targeting to supply chain attacks—is reflected in how RSI is constructed.


As an example, ahead of the Oracle Cloud breach in March 2025, Oracle Cloud’s scores on Black Kite’s Ransomware Susceptibility Index and Data Breach Index had already reached alarming levels, peaking in October 2024, which gave Black Kite customers advance warning of an attack.
The Power of RSI: Correlation That Shows Compromise
Ransomware is considered a rare event by cyber insurers—and statistically, that holds. With an estimated 7,000–10,000 successful ransomware attacks per year across millions of companies worldwide, the odds seem low.
But those odds change drastically when a company becomes visible to ransomware groups.
That’s what RSI captures. It’s not a broad guess—it’s a focused spotlight. When companies exhibit the combination of technical vulnerabilities and intrinsic traits that ransomware groups prey on, the likelihood of attack rises sharply:
- 47.3% of companies with an RSI above 0.8 suffered a ransomware attack between April 2024 and March 2025.
- 8.7% of those with RSI between 0.6–0.8 were hit.
- Even in the 0.4–0.6 range, 5.7% experienced a breach.
- Meanwhile, companies with low RSI values (<0.2) had a victimization rate of 0.5%.
This isn’t theoretical—it’s real-world probability, grounded in data from more than 5,700 confirmed ransomware victims and hundreds of thousands of non-victims.
It’s also important to note that only 0.82% of all monitored companies in the Black Kite platform had scores greater than 0.8. RSI is not inflated to increase predictive hits—it is highly selective by design. This is what makes RSI such a powerful signal: the group it flags is small, but the correlation is strong.
RSI doesn’t just measure risk—it filters signal from noise.
RSI Distribution for Victims and Non-Victims
This is why RSI has become an essential input for cyber insurers, vendor risk teams, and breach prevention workflows. It isolates the high-risk population—before the incident—and helps security teams take action while there’s still time.
When a score crosses a certain threshold, security teams take action. Some set automated alerts. Others build workflows around RSI spikes. For many, RSI is the early warning system they didn't have before.
It’s not just who is weak—it’s who is likely to get noticed.

RSI in Motion: Why Tracking Changes Matters
The average ransomware victim doesn’t just have a high RSI—they often show a pattern of increasing risk in the lead-up to an attack:
- 61% had a rising RSI trend in the 6 months before compromise
- 88% had at least a 10% RSI spike within that same window
- 92% experienced at least a 5% RSI spike between consecutive months
This is why many Black Kite customers monitor RSI spikes—not just thresholds. Even small movements in RSI can indicate a shift in visibility or exposure that puts an organization on the radar.
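As an added illustration (not Black Kite code; the page does not disclose how RSI itself is computed), the check below turns the three trend statistics above and the threshold alerts described earlier into monitoring logic over a monthly RSI series. It assumes that a "rising trend" is a positive least-squares slope amounting to at least 0.02 over the window (so small drift is not flagged), that a "spike" is a relative month-over-month increase, and that 0.6 and 0.8 (the band edges from the victimization figures) serve as alert thresholds. The three sample series are constructed, not real company data.

```python
"""Monitor monthly RSI values for the trend patterns described above.

Added example, not Black Kite code. Assumptions (not from the page):
  - one RSI observation per month in [0.0, 1.0], oldest first;
  - "rising trend" = positive least-squares slope over the window with a
    total rise of at least MIN_TOTAL_RISE, so tiny drift does not count;
  - "X% spike" = relative month-over-month increase of at least X%;
  - 0.6 and 0.8 (band edges from the victimization figures) are the
    alert thresholds.
The sample series at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Sequence

WINDOW_MONTHS = 6              # look-back window named in the text
SPIKE_MAJOR = 0.10             # 10% spike
SPIKE_MINOR = 0.05             # 5% spike
MIN_TOTAL_RISE = 0.02          # assumed: ignore trends below 0.02 over the window
ALERT_THRESHOLDS = (0.6, 0.8)  # assumed alert levels


@dataclass
class RsiSignals:
    latest: float
    rising_trend: bool
    max_mom_change: float          # largest relative month-over-month change
    spike_10pct: bool
    spike_5pct: bool
    above_threshold: List[float]   # thresholds the latest score meets or exceeds
    newly_crossed: List[float]     # thresholds crossed upward inside the window
    alert: bool


def least_squares_slope(values: Sequence[float]) -> float:
    """Slope of values against month index 0..n-1 (score change per month)."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def month_over_month_changes(series: Sequence[float]) -> List[float]:
    """Relative change between consecutive months.

    Relative changes amplify noise on very small scores (0.01 -> 0.02 is a
    100% spike), so read them together with the absolute level.
    """
    changes = []
    for prev, cur in zip(series, series[1:]):
        if prev <= 0.0:
            changes.append(float("inf") if cur > 0.0 else 0.0)
        else:
            changes.append((cur - prev) / prev)
    return changes


def analyze(series: Sequence[float], window: int = WINDOW_MONTHS) -> RsiSignals:
    """Evaluate the last `window` months of change for the patterns above."""
    if not series:
        raise ValueError("need at least one RSI observation")
    recent = list(series[-(window + 1):])   # window months of change needs window+1 points
    latest = recent[-1]
    changes = month_over_month_changes(recent)
    max_change = max(changes) if changes else 0.0
    slope = least_squares_slope(recent)
    rising = slope > 0.0 and slope * (len(recent) - 1) >= MIN_TOTAL_RISE
    spike_10 = max_change >= SPIKE_MAJOR
    spike_5 = max_change >= SPIKE_MINOR
    above = [t for t in ALERT_THRESHOLDS if latest >= t]
    earlier_min = min(recent[:-1]) if len(recent) > 1 else latest
    crossed = [t for t in ALERT_THRESHOLDS if earlier_min < t <= latest]
    # Assumed alert rule: already in a high band, or climbing with a 10% jump.
    alert = bool(above) or (rising and spike_10)
    return RsiSignals(latest, rising, max_change, spike_10, spike_5, above, crossed, alert)


# Constructed series (not real company data), oldest month first.
VICTIM_LIKE = [0.41, 0.44, 0.43, 0.52, 0.58, 0.63, 0.71]          # climbing into the 0.6-0.8 band
STABLE_LOW = [0.122, 0.121, 0.122, 0.120, 0.121, 0.120, 0.121]    # low and flat
ALREADY_HIGH = [0.83, 0.83, 0.84, 0.83, 0.83, 0.84, 0.83]         # above 0.8, no new crossing

if __name__ == "__main__":
    for name, s in [("victim-like", VICTIM_LIKE), ("stable-low", STABLE_LOW), ("already-high", ALREADY_HIGH)]:
        print(name, analyze(s))
```

The victim-like series trips every signal (rising slope, a 20.9% jump, an upward crossing of 0.6); the low series trips none even though it wobbles, because the drift floor and the 5% cut-off absorb noise; the already-high series alerts on level alone with no new crossing, which is the case a spike-only rule would miss.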
Recent victim cases further reinforce the predictive strength of RSI. The two companies below were both hit by ransomware in March 2025. In the month prior to the attacks, both showed RSI values above 0.6, with a clear upward trend—signals that they were already on the radar of ransomware groups.
RSI & DBI for Victim A – RSI: 0.708 in February 2025

RSI & DBI for Victim B – RSI: 0.655 in February 2025

These are not isolated cases. Our historical analysis shows similar RSI patterns before the vast majority of ransomware attacks. This real-time, trend-based insight is exactly why RSI has become an indispensable signal for proactive cyber risk management.
Calibrating RSI: Keeping Up With a Shifting Landscape
RSI is not a static score—it’s recalibrated each year to reflect how ransomware groups evolve. On March 15, 2025, we completed our most recent recalibration.
Key updates include:
- Industry-Level Adjustments: Healthcare saw a notable rise; manufacturing and professional services remained top targets. RSI now better reflects subindustry nuances.
- Country-Based Adjustments: The risk coefficients for the U.S., Canada, the UK, and Israel were increased to reflect their growing share of victim counts.
- Revenue Sensitivity: With large RaaS groups dismantled, ransomware targeting shifted toward smaller companies, particularly those in the $4M–$10M revenue range. RSI now places more weight on SMB vulnerability.
Despite these changes, over 50% of companies saw their RSI shift by less than 0.1, ensuring continuity for most risk programs.