Your Ransomware Fatigue Is Leaving the Back Door Open
INTRODUCTION
Ransomware, ransomware, ransomware.
It’s starting to sound like the cybersecurity version of “Marcia, Marcia, Marcia,” the Brady Bunch sister who absorbed the most attention.
CISOs are worn down by the repetition. We’ve been talking about ransomware for so long that many security leaders are starting to tune it out—not because the threat isn’t real, but because the messaging has lost its punch. It’s become white noise. Another recycled headline. Another panel session with the same talking points.
But just because we’re tired of talking about ransomware doesn’t mean ransomware is tired of targeting us. Our 2025 Ransomware Report found that the threat has evolved, and attacks are now hitting organizations where they’re most exposed: through third parties.
Ransomware Fatigue Is Real—And Risky
It’s not surprising that CISOs are tired of hearing about ransomware. The industry has been pounding the same drum for years. The fatigue doesn’t signal indifference—it signals desensitization. Like a strong smell that fades the longer you're exposed to it, the constant warnings have dulled our senses. The threat has lingered in the background so long that many security leaders have subconsciously tuned it out.
Part of the problem is that many CISOs have convinced themselves they’ve done enough. Their teams have implemented the right controls—patching, MFA, backups, the usual checklist. Vendors have promised silver-bullet solutions—often powered by AI—that claim to make ransomware “go away.” Add to all of this the false sense of relief that came with the high-profile takedowns of groups like LockBit and AlphV, and it’s easy to see how some organizations might feel like the worst is behind us.
But while attention is waning, threat actors are finding easier entry points—through your supply chain.
In 2024, there were over 6,000 publicly disclosed ransomware victims—a 24% increase over the previous year. There are now 96 active ransomware groups, more than half of which are brand new. Ransomware operators didn’t vanish—they reorganized and rebranded. What we’re seeing now is a ransomware landscape that’s more fragmented, less coordinated, and wildly unpredictable. And increasingly, attackers are finding new ways in.
The New Target: Small and Mid-Sized Vendors
Big-name breaches still make headlines, but attackers are now targeting the vendors behind the scenes that are deeply embedded in the supply chain.
Nearly 70% of third-party breaches last year involved ransomware, and attackers are increasingly zeroing in on small and mid-sized companies. Our research found that 49% of all ransomware attacks over the past year were aimed at companies with annual revenues under $20 million, with a particular concentration of those (52%) in the $4 to $8 million range. These vendors often operate with lean IT teams and limited security budgets, leaving critical systems exposed. They're also more likely to pay quietly to avoid downtime or reputational damage.
For ransomware groups, it’s a low-effort, low-risk, high-reward formula. And the damage doesn’t stop with one victim. When a vendor is compromised, the impact ripples far beyond the initial target.
One Weak Link Can Cascade Quickly
We saw this play out with Knights of Old, a 158-year-old British logistics company that collapsed after it was hit by a ransomware attack. Upstream and downstream businesses were left waiting for the company’s trucks—shipments of raw materials, parts, and consumer goods—that never arrived. It wasn’t just one company that suffered—the attack impacted all the businesses that relied on the logistics company to keep their operations running.
That’s the risk of ransomware in the modern supply chain. One weak link can lead to cascading failures across entire industries.
It’s a pattern we’ve seen repeat with attacks involving CDK, Cleo, and Change Healthcare. When these companies were attacked, they didn’t just suffer their own financial and reputational losses—they disrupted thousands of other businesses. Sales were lost. Shipments were delayed. Patients couldn’t get prescriptions filled. These weren’t just “third-party breaches”; they set off domino effects that hit everyone down the line.
An attack doesn’t need to hit your front door to bring your house down. You might have robust defenses and a perfect security posture. But it’s almost guaranteed that not all of your third parties do. And in today’s ransomware environment, that’s what you need to watch out for.
What CISOs Should Do Now
Since the biggest risks now often live outside your walls, CISOs need to shift their focus outward. Here are two actions that can help:
Monitor beyond your perimeter
You’ve likely invested heavily in hardening your internal systems, but that’s only part of the picture. In an interconnected third-party ecosystem, your next breach might come from a vendor with five employees and no security lead.
Too many organizations still rely on point-in-time assessments such as security questionnaires and static risk scores. These approaches are inherently limited. They don’t reflect real-time shifts in exposure or account for the rapidly evolving tactics of ransomware groups.
That’s why continuous monitoring is essential. Black Kite’s Ransomware Susceptibility Index® (RSI™) provides a real-time view into third-party risk, helping security teams proactively identify vendors that are most likely to appear on a ransomware group’s radar. RSI is rated on a scale from 0 to 1.0, and organizations with an RSI above 0.8 are 96 times more likely to have suffered a ransomware attack than those scoring below 0.2.
Fatigue sets in when we feel like we’re reacting to everything and solving nothing. Proactive third-party risk management changes that, helping you identify, prioritize, and remediate potential vulnerabilities before they disrupt your operations.
Speak the language of the business
Ransomware fatigue isn’t just about hearing the same message on repeat. It’s a sign we’re not explaining the risk in a way that resonates.
I recently spoke with a CEO friend, who said he was worried about ransomware. But when I dug further, he couldn’t articulate why. He knew it was a threat, but not what it meant for his business. That disconnect is still too common, and it creates a feedback loop that wears everyone down.
CISOs understand the technical risks, but until they translate those into business terms, they will continue to get the same questions from their CEO: What does this mean for us? Should we be worried? How much could this cost us? Those repeated conversations add to the fatigue because we’re stuck in a cycle where leadership is concerned but not equipped to make decisions.
With cyber risk quantification (CRQ), CISOs can put tangible numbers behind the risk. Instead of saying “this might be bad,” you can say, “this supplier getting hit could cost us $12M in revenue.” That reframes cybersecurity as a business risk, making it easier for executives to engage.
CRQ strengthens your position when requesting budget, negotiating with vendors, or making the case for prioritization. When you can show leadership how cyber risk maps to business impact—whether it be downtime, financial loss, or reputational damage—they’re far more likely to buy in and commit the resources needed.
Complacency Is the Attacker’s Best Friend
Ransomware fatigue is real, but it also serves as a warning sign. It tells us that the way we’re communicating about and managing cyber risk isn’t working. When every headline sounds the same and every alert feels like background noise, critical threats can get lost in the shuffle.
Security leaders don’t need more noise—they need sharper focus. That means knowing where you're exposed through third parties, understanding which risks actually matter, and being able to show what’s at stake in business terms.
Talking about ransomware might sound like a broken record, but that’s exactly what makes it so dangerous. The moment we stop paying attention is the moment attackers get what they want. Fatigue breeds complacency—and complacency is what keeps the door wide open.
Ready to turn fatigue into action? Read the full 2025 Ransomware Report to learn how attackers are shifting tactics and see how RSI™ can help you spot risk before it hits.