Supply Chain Attacks
A Growing Threat Vector
Ransomware is no longer just an endpoint problem—it’s a supply chain crisis.
In 2024, attackers increasingly focused on third-party vendors, knowing that one compromised provider can disrupt dozens—or hundreds—of downstream organizations. These incidents, often called silent breaches, went unnoticed until their ripple effects halted operations across industries.
Why Supply Chain Attacks? Why Now?
The appeal is simple. Supply chain attacks offer scalability, deniability, and leverage. Instead of breaching a well-defended enterprise, attackers now exploit the weakest link in its vendor network—often a mid-sized provider handling critical functions like file transfers, software updates, or cloud data access.
Several factors drove this shift in 2024:
- Systemic vulnerability: Widely used platforms became entry points, whether through unpatched software flaws (Cleo's managed file transfer products) or through stolen customer credentials on accounts that had no MFA enforced (Snowflake).
- Vendor opacity: Many organizations lack visibility into their third and fourth-party connections.
- Disruption over dollars: Even if ransom isn’t paid, the disruption itself creates value for threat actors.
What Supply Chain Attacks Look Like
According to Black Kite’s 2025 Third-Party Breach Report, The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024, ransomware was the most common known attack vector in third-party breaches, accounting for 66.7% of all analyzed incidents with clear attribution. These attacks are rarely isolated. One breach spreads through Nth-party connections, causing cascading delays, inventory disruptions, and patient care issues across the ecosystem.
“Silent breaches don’t announce themselves. You see them in missed shipments, delayed diagnoses, and angry customers. By then, the damage is already done.”
— Black Kite Third-Party Breach Report, 2025
Case Studies: The High Cost of Third-Party Disruption
CDK Global
In June 2024, CDK Global, a core software provider for the automotive industry, was hit by a ransomware attack with a reported $25M ransom demand. The attack crippled 3,000+ car dealerships in the U.S., stalling inventory systems, delaying customer deliveries, and freezing CRM platforms. The attackers exploited weak segmentation and a lack of threat detection to move laterally within CDK's systems.
Lesson
Industry-specific providers are systemic risk points. Segment, monitor, and pressure-test your vendors.
Change Healthcare
A ransomware attack on Change Healthcare in February 2024, attributed to ALPHV/BlackCat, halted the flow of claims, lab results, and insurance authorizations across U.S. hospitals and providers. The attackers gained remote access through a Change Healthcare Citrix portal using stolen credentials; the portal did not enforce MFA. The breach exposed data from over 100 million individuals.
Lesson
The deeper the vendor in your operational bloodstream, the more urgent the need for hardening and continuous monitoring.
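The Change Healthcare entry point, stolen credentials used against a remote-access portal with no MFA, is also one of the simplest things to check for in your own gateway logs. The following is an added example, not code from Black Kite or from any of the vendors named on this page: a small Python detector that parses constructed key=value login records (the log format, field names, usernames, addresses and the internal address ranges are all assumptions for the illustration) and flags any successful login from outside the internal ranges that completed without an MFA factor, as well as any success that follows a burst of failures for the same user, a common credential-stuffing signature.

```python
"""Flag remote-access gateway logins that succeeded without MFA.

Added example, not Black Kite's or Change Healthcare's code. The log
format, field names and every sample line below are constructed for
this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumption for the example: these ranges are "inside" (office/VPN);
# any other source address is treated as remote.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample records: "<timestamp> key=value ..." one per line.
SAMPLE_LOGS = """\
2024-02-12T02:13:05Z event=login result=success user=svc_citrix src=203.0.113.45 mfa=none
2024-02-12T02:13:40Z event=login result=success user=jdoe src=10.4.2.17 mfa=none
2024-02-12T02:14:02Z event=login result=failure user=r.lee src=198.51.100.9 mfa=none
2024-02-12T02:14:10Z event=login result=failure user=r.lee src=198.51.100.9 mfa=none
2024-02-12T02:14:21Z event=login result=success user=r.lee src=198.51.100.9 mfa=none
2024-02-12T08:30:00Z event=login result=success user=a.kim src=198.51.100.77 mfa=totp
"""


@dataclass
class LoginEvent:
    ts: datetime
    result: str   # "success" or "failure"
    user: str
    src: str      # source IP address as text
    mfa: str      # factor used, or "none"


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one record; return None for blank, malformed or non-login lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if fields.get("event") != "login":
        return None
    try:
        return LoginEvent(ts, fields["result"], fields["user"],
                          fields["src"], fields.get("mfa", "none"))
    except KeyError:
        return None


def is_external(src: str) -> bool:
    """True when the source address is outside every INTERNAL_NETS range."""
    addr = ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspicious_logins(log_text: str,
                           fail_threshold: int = 2,
                           window: timedelta = timedelta(minutes=10)
                           ) -> List[Tuple[str, str, str]]:
    """Return (rule, user, src) findings, in timestamp order.

    REMOTE_LOGIN_NO_MFA  : success from an external address with mfa=none.
    FAILURES_THEN_SUCCESS: success preceded by >= fail_threshold failures
                           for the same user inside `window`.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings: List[Tuple[str, str, str]] = []
    recent_failures: Dict[str, List[datetime]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.result == "failure":
            recent_failures.setdefault(e.user, []).append(e.ts)
            continue
        if e.result != "success":
            continue
        if is_external(e.src) and e.mfa == "none":
            findings.append(("REMOTE_LOGIN_NO_MFA", e.user, e.src))
        fails = [t for t in recent_failures.get(e.user, []) if e.ts - t <= window]
        if len(fails) >= fail_threshold:
            findings.append(("FAILURES_THEN_SUCCESS", e.user, e.src))
        recent_failures[e.user] = []   # a success closes the failure run
    return findings


if __name__ == "__main__":
    for rule, user, src in find_suspicious_logins(SAMPLE_LOGS):
        print(f"{rule:<22} user={user} src={src}")
```

On the sample data the internal login without MFA (jdoe) is deliberately not flagged, since the rule is about the exposure described in the case study, a remote-access path with no second factor; tighten `INTERNAL_NETS` or drop the external check if your policy is MFA everywhere. The failure-burst rule uses a 10-minute window and a threshold of two for readability; production thresholds should come from your own baseline.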
Cleo
Clop's exploitation of Cleo's managed file transfer products (Harmony, VLTrader, and LexiCom) paralyzed retail and logistics companies relying on unpatched installations. The two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, enabled unauthenticated remote code execution and data exfiltration. Cleo's first patch (version 5.8.0.21) did not close the attack path; the remaining flaw was assigned the second CVE and fixed in 5.8.0.24, so organizations that patched once and stopped were still exposed. (Read a deep dive of Clop's Cleo campaign in the next section.)
Lesson
Patch management isn’t just your job—it’s your vendors’ job too. And your resilience depends on how seriously they take it.