Ransomware has evolved from “someone encrypted our files” into disruptions of operations and client service that affect the entire organization. These events can originate from attacks against the organization itself as well as against service providers and other critical third parties. Further, threat actors now routinely target backups specifically, so that victims are forced into ransom payments rather than restoration. Over the past 12 months we have seen multiple instances of suppliers, Managed Service Providers (MSPs), and widely used enterprise software cause supply chain disruptions, both downstream and upstream.
A single event can have an impact which ranges far wider than the initial organization.
What the past year proved and why it matters
- Ingram Micro (July 2025) reported a ransomware attack that compromised internal systems. The company proactively took systems offline for containment and eradication, disrupting ordering and downstream operations for thousands of customers and partners. The attack was attributed to the SafePay ransomware group and was traced to compromised VPN credentials. (Source: Ingram Micro)
- Marks & Spencer (April 2025) experienced a cyber incident estimated to cost approximately £300M in operating profit, roughly one-third of the retailer's annual operating profit. Attackers used social engineering to manipulate a third-party contractor's IT helpdesk into resetting credentials, a textbook "trusted relationship" abuse. The resulting ransomware attack disrupted both online and in-store sales for weeks, not days, forcing the company to revert to manual processes for stock management. (Source: CNBC)
- CISA (June 2025) warned organizations that ransomware actors were exploiting an unpatched path traversal vulnerability (CVE-2024-57727) in SimpleHelp Remote Monitoring and Management software to compromise downstream customers. A single vulnerability in a widely deployed RMM tool opened the door to global impact through managed service providers. (Source: CISA)
- Google Threat Intelligence (Oct 2025) described a large-scale extortion campaign by the Cl0p group exploiting Oracle E-Business Suite vulnerabilities, including a zero-day (CVE-2025-61882). Active intrusions were observed before a patch was available for the zero-day, and hundreds of organizations had also failed to apply patches released in July 2025 that addressed related vulnerabilities. (Source: Google Cloud)
- Veeam Backup and Replication Services (March 2026) disclosed multiple critical remote code execution vulnerabilities (CVSS 9.9) that allow authenticated users to execute code on backup servers and manipulate backup repositories. Ransomware groups including FIN7, Cuba, and others have a documented history of targeting Veeam infrastructure to destroy backups before deploying ransomware, making these vulnerabilities particularly dangerous. (Source: NIST CVE Database)
The pattern reinforces the message: vendor and third-party risk management is critical to understanding the threats your organization faces. Traditional backup solutions may not be sufficient against a sophisticated, targeted attack.
Controls that Help:
1) Robust backup + disaster recovery (immutable, isolated, proven)
What “good” looks like:
- Immutable backups for sensitive datasets so attackers can’t delete or encrypt them even with elevated credentials.
- Restore testing on a schedule that matches business tolerance, at least annually.
- Vendor requirement: Require vendors that transmit, store, or process your sensitive data to provide evidence of their recovery capability.
2) Monitor supply chain and third parties for vulnerabilities
Best practices include:
- Monitor internet-exposed technologies and service providers for exploits and alerts, particularly those used for remote access and administrator access. The SimpleHelp advisory from CISA is a clear reminder that legitimate tools, once compromised, can be used in an attack.
- Enforce time-bound access for third-party vendors: activate their accounts only when they are needed and disable them immediately afterwards. Apply least privilege so each account is restricted to the systems it requires.
- Validate controls with evidence, not promises. Ask service providers for their SOC 2 or other evidence verifying their security commitments.
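As an added example (not part of the original article), the following Python audit applies the time-bound and least-privilege requirements above to a vendor account inventory, a directory snapshot, and an authentication log. Every account name, host, access window, and log line is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
def utc(*parts):  # all constructed timestamps below are UTC
    return datetime(*parts, tzinfo=timezone.utc)

@dataclass(frozen=True)
class VendorGrant:
    start: datetime           # approved access window opens
    end: datetime             # window closes; the account must be disabled after this
    allowed_hosts: frozenset  # least-privilege scope: the only hosts the account may reach
# Constructed grants: an RMM vendor for one working day, a backup vendor overnight.
GRANTS = {
    "svc-rmm-vendor": VendorGrant(utc(2026, 3, 2, 8), utc(2026, 3, 2, 18),
                                  frozenset({"srv-app01", "srv-app02"})),
    "svc-backup-vendor": VendorGrant(utc(2026, 3, 4, 20), utc(2026, 3, 5, 4),
                                     frozenset({"srv-bkp01"})),
}
# Constructed directory snapshot: True means the account is currently enabled.
ACCOUNT_ENABLED = {"svc-rmm-vendor": True, "svc-backup-vendor": False}
# Constructed authentication log: timestamp, account, target host, result.
AUTH_LOG = """\
2026-03-02T09:15:00Z svc-rmm-vendor srv-app01 SUCCESS
2026-03-02T21:40:00Z svc-rmm-vendor srv-app01 SUCCESS
2026-03-02T10:05:00Z svc-rmm-vendor srv-bkp01 SUCCESS
2026-03-05T02:00:00Z svc-backup-vendor srv-bkp01 FAILURE
"""
NOW = utc(2026, 3, 6)  # constructed time of the audit run

def parse_log(text):
    """Yield (timestamp, account, host, result) for each log line."""
    for line in text.splitlines():
        ts, account, host, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), account, host, result

def audit(grants, enabled, log_text, now):
    """Return (account, finding, timestamp) per violation; failed logins are checked too."""
    findings = []
    for ts, account, host, _result in parse_log(log_text):
        grant = grants.get(account)
        if grant is None:  # vendor account with no approved grant at all
            findings.append((account, "no approved grant on file", ts))
            continue
        if not grant.start <= ts <= grant.end:
            findings.append((account, "authentication outside approved window", ts))
        if host not in grant.allowed_hosts:
            findings.append((account, f"host {host} outside least-privilege scope", ts))
    for account, grant in grants.items():  # a closed window means the account must be disabled
        if now > grant.end and enabled.get(account, False):
            findings.append((account, "still enabled after window closed", now))
    return findings
```

Run against the constructed data, `audit(GRANTS, ACCOUNT_ENABLED, AUTH_LOG, NOW)` reports an out-of-window login, a login to a host outside the vendor's scope, and an account left enabled after its window closed.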
3) Train employees to recognize phishing and malicious attachments
Your people are your last line of defense:
Most ransomware attacks still start with someone clicking on something, opening an attachment, or getting tricked into providing their credentials.
Focus security awareness training in the following areas:
- Train employees to spot and report phishing emails – fake invoice, share-document scams, vendor impersonations, and the ever-popular gift card scam.
- Build a culture where staff report immediately if “they may have clicked on something”. Response time matters.
- Invest extra training time with anyone who processes or approves payments, or who holds a privileged account. They are prime targets.
4) Security Protective Controls
The best way to deal with a ransomware attack is to block it.
Some security protective controls to keep the bad guys out:
- Endpoint security controls – robust Endpoint Detection and Response (EDR) solutions to block and detect attacks at the workstation.
- Multi-Factor Authentication – a must-have for all remote access and highly recommended for all privileged accounts (e.g., administrators).
- Vulnerability Management – regular vulnerability scans coupled with the patch management program go a long way toward making sure the organization is not an easy target.
5) Train Like You Fight – Ransomware Attack Planning and Practice Runs
Ransomware requires making business decisions (operations, legal, finance, HR, public relations, and more) during a crisis. Developing detailed plans and conducting annual tabletop exercises will reduce stress levels during the crisis. The Marks & Spencer incident illustrates the business, financial, and reputational impact at stake.
Planning and Practice:
- Develop robust incident response and disaster recovery plans supported by a business impact analysis. Document playbooks covering recovering from data encryption, data theft, and extortion. Link the plans to the business continuity plan in case of extended disruption.
- Conduct annual tabletop exercises for IT and business leaders together – most of the tough decisions will be business decisions. Run scenarios in which a key supplier or service provider is compromised, backups are damaged, and extortion pressure includes threats to release stolen data.
Bottom Line (TLDR):
- Monitor vendors throughout the year.
- Backups need to be immutable, and recovery must be actively tested.
- Train the staff.
- Conduct annual tabletop exercises with business and IT leaders.
RubinBrown Cyber Security and IT Consulting Services teams are dedicated to helping organizations identify risks, strengthen defenses, and build lasting cybersecurity resilience through proactive strategy, education, and technical expertise.
Published: 04/21/2026