05 | METHODOLOGY
Methodology of the Report
The data presented in this report is the result of a multi-source, intelligence-led investigation by the Black Kite Research Group.
It synthesizes extensive cyber threat intelligence, ransomware tracking, cyber risk telemetry, and sectoral analysis to provide a comprehensive view of systemic third-party vulnerabilities in the Retail and Wholesale sectors.
1. Data Sources and Scope
This report integrates various intelligence streams collected and curated by the Black Kite Research Group between October 31, 2024, and October 31, 2025. The ransomware-related data includes only publicly disclosed attacks that have been attributed to a known ransomware group.
All technical findings and risk analyses in the report are derived from the Black Kite platform's proprietary telemetry and publicly available information. This data is supplemented by intelligence gathered from surface, deep, and dark web sources. External resources, such as the CISA Known Exploited Vulnerabilities (KEV) Catalog, were also incorporated into the analysis process.
2. Industry Classification and Sample Selection
To ensure analytical consistency, industry classifications were aligned with NAICS (North American Industry Classification System) codes. The analysis was structured around three interconnected datasets:
- Dataset 1 (The Victim): A total of 636 publicly disclosed ransomware victims (400 Wholesale, 236 Retail) to establish attacker strategies and victim posture.
- Dataset 2 (The Current Posture): A total of 840 large-scale companies (614 Retail, 226 Wholesale) to assess cyber hygiene and weaknesses across non-victimized major players. The primary criterion for this sample was that companies have annual revenues exceeding $1 billion.
- Dataset 3 (The Future Risk): Based on Black Kite’s Supply Chain data, a total of 2,620 critical supply chain vendors connected to the major Retail and Wholesale organizations.
3. Risk Posture Analysis
For each company analyzed in Datasets 2 and 3, the Black Kite platform was used to assess the organization's cybersecurity posture using an external, non-intrusive method. This analysis provides an attacker's view of each company's attack surface, vulnerabilities, and overall risk levels, enabling a comparative analysis of factors like ransomware susceptibility (RSI).
4. Data Standardization and Integrity Controls
To ensure data consistency and prevent the inflation of figures, a standard incident counting methodology was applied. For example, attacks targeting a holding company or its multiple subsidiaries, if understood to be a single campaign, were counted as a single incident unless distinct disclosures existed. This approach ensures a more accurate reflection of the true scale of attacks.
5. Technical Ratings Explained
The Black Kite Technical Rating ranges from 0 to 100 and covers 19 risk categories. Scores are also translated into letter grades for clarity:
- A (Excellent): 90–100
- B (Good): 80–89
- C (Fair): 70–79
- D (Poor): 60–69
- F (Failing): 0–59
6. Limitations
This report reflects only publicly disclosed ransomware incidents and externally observable risk indicators. Many breaches, especially those involving smaller organizations or those resolved discreetly, go unreported. Consequently, the findings in this report represent a conservative lower bound of the systemic third-party risk exposure in the Retail and Wholesale sectors. Furthermore, as the analysis is based on an external perspective, the internal security controls and policies of the companies are outside the scope of this assessment.