TL;DR

Ransomware and supply chain attacks are still hitting businesses through the same weak points: unmanaged vendors, exposed identity systems, delayed patching, and poor recovery planning. This week’s lesson for business owners is simple: your risk is not limited to your own network — your software suppliers, help desks, contact centres, and managed service providers can all become entry points.

Midweek threat update: why business owners should care

Cyber attacks are no longer just an IT problem or a “big company” problem. When ransomware disrupts payments, booking systems, logistics, payroll, or customer support, the business impact is immediate: lost revenue, regulatory exposure, angry customers, and expensive recovery.

The most useful question is not “could this happen to us?” It is “which part of our business would stop first if a supplier, cloud account, or admin login was compromised?” The incidents below show how ransomware crews and supply chain attackers are targeting the systems that keep businesses operating.

1. Change Healthcare: ransomware showed how one supplier can disrupt an entire sector

The Change Healthcare attack remains one of the clearest examples of business dependency risk. Change Healthcare, part of UnitedHealth Group, processes healthcare payments and claims across the United States. When the ALPHV/BlackCat ransomware group attacked the company in 2024, pharmacies, clinics, hospitals, and insurers were affected because the platform sat in the middle of everyday healthcare transactions.

The financial impact was severe. UnitedHealth disclosed that it paid a US$22 million ransom, and later reported that total costs from the incident could reach into the billions once response, recovery, loans to providers, and operational disruption were included. The attack also created real-world business continuity problems: providers had difficulty submitting claims, receiving payments, and checking patient eligibility.

How could it have been prevented? No single control guarantees prevention, but the basics mattered here: stronger multi-factor authentication, reduced remote access exposure, vendor segmentation, rehearsed downtime processes, and aggressive monitoring for identity compromise. For businesses, the lesson is not only “protect your systems.” It is “know which supplier outages would stop your cash flow.”

What your business should do differently this week:

  • List your top five critical suppliers: payment provider, payroll, CRM, booking system, IT provider, cloud platform, or sector-specific software.
  • Ask each supplier whether they enforce phishing-resistant MFA for administrators.
  • Confirm how you would operate for 72 hours if that supplier went offline.
  • Check whether cyber insurance, contracts, and incident response plans cover supplier-caused outages.
  • Create a manual workaround for invoicing, bookings, customer support, or order fulfilment.

2. CDK Global: ransomware disrupted car dealerships and exposed operational concentration risk

CDK Global, a major software provider to car dealerships, suffered a ransomware incident in 2024 that disrupted dealership management systems across North America. Dealers relying on CDK systems had to fall back to manual processes for sales, financing, service bookings, inventory, and customer communications.

Reports at the time said the company was preparing to pay tens of millions of dollars to restore operations, with Bloomberg reporting a ransom demand and payment discussion around US$25 million. Whether a business is a car dealership, accounting firm, clinic, builder, agency, or retailer, the pattern is the same: when one core platform goes down, revenue-generating work slows or stops.

This was a supply chain attack in practical business terms. The attacker did not need to compromise every dealership one by one. By hitting a central service provider, the blast radius expanded across thousands of dependent businesses.

How could it have been prevented? For the supplier, prevention would include network segmentation, privileged access management, endpoint detection and response, immutable backups, tested restoration, and continuous monitoring. For customers, prevention is more about resilience: knowing what data can be exported, whether offline processes exist, and whether the business can continue without the platform.

What your business should do differently this week:

  • Identify your “single point of failure” software platforms.
  • Export a current copy of critical operational data where legally and contractually permitted.
  • Test whether staff can complete one real transaction manually without the main platform.
  • Ask vendors about recovery time objectives, backup isolation, and breach notification timelines.
  • Restrict vendor remote access to named users, MFA, logging, and time-limited access.

3. MOVEit and managed file transfer attacks: patching delays still create business-wide exposure

The MOVEit Transfer compromise showed how quickly a software vulnerability can become a mass data breach. Attackers associated with the Cl0p ransomware/extortion group exploited a SQL injection vulnerability in Progress Software’s MOVEit Transfer product, tracked as CVE-2023-34362. The compromise affected government agencies, universities, financial services firms, law firms, pension providers, and many private companies.

This kind of incident matters because many businesses use file transfer tools to move sensitive information: payroll files, client documents, contracts, insurance data, HR records, invoices, and legal material. In a supply chain compromise, the victim may not even know their data is exposed until a vendor, law firm, payroll provider, or logistics partner discloses it.

The damage is not only technical. Businesses face customer notification costs, legal fees, regulator questions, contract disputes, and reputational harm. For smaller firms, a single sensitive data leak can consume management attention for weeks.

How could it have been prevented? Timely patching was essential, but not sufficient. Internet-facing file transfer systems should be treated as high-risk assets. They need asset ownership, vulnerability alerts, logging, web application controls, least-privilege service accounts, and data retention limits. If old files are not needed, they should not be sitting on a transfer server waiting to be stolen.

What your business should do differently this week:

  • Search for every internet-facing system your business owns or pays for.
  • Confirm who is responsible for patching each one.
  • Remove old files from portals, file transfer tools, shared drives, and client upload areas.
  • Subscribe to vendor security advisories for critical business software.
  • Review CISA Known Exploited Vulnerabilities and prioritise anything affecting exposed systems.
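One way to turn the last three items above into a repeatable check, as an added example that is not part of the original post: cross-reference a small asset inventory with the CISA Known Exploited Vulnerabilities catalog and rank what to confirm first. The inventory rows are constructed, and the KEV excerpt is a constructed sample that follows the public field names of the CISA KEV JSON feed (cveID, vendorProject, product, knownRansomwareCampaignUse) and lists only the CVE this post discusses; the dates are placeholders.

```python
"""Cross-reference an asset inventory with the CISA KEV catalog to decide what
to patch first. Added example, not from the original post. ASSETS is a
constructed inventory; KEV_SAMPLE is a constructed excerpt in the shape of the
public KEV JSON feed (real field names, placeholder dates)."""
import json
from dataclasses import dataclass

# Constructed inventory: the kind of list a business keeps in a spreadsheet.
ASSETS = [
    {"name": "transfer.example.com", "vendor": "Progress", "product": "MOVEit Transfer",
     "internet_facing": True, "patch_owner": "msp-helpdesk"},
    {"name": "crm.example.com", "vendor": "ExampleCRM", "product": "CRM Cloud",
     "internet_facing": True, "patch_owner": None},
    {"name": "internal-transfer", "vendor": "Progress", "product": "MOVEit Transfer",
     "internet_facing": False, "patch_owner": "it-team"},
]

# Constructed excerpt in the shape of the KEV feed; only the CVE named in the post.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
     "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
     "knownRansomwareCampaignUse": "Known"},
]})

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2}


@dataclass
class Finding:
    asset: str
    cve: str
    priority: str
    reason: str


def load_kev(raw_json):
    """Index KEV entries by (vendor, product), lower-cased for tolerant matching.
    Vendor and product names in the feed are free text, so an inventory must
    use the same spellings for matches to work."""
    index = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def prioritise(assets, kev_index):
    """Return findings with the most urgent first. A KEV match means 'confirm
    this asset is patched', not 'this asset is vulnerable': the catalog carries
    no version information, so the owner still has to check the installed build."""
    findings = []
    for asset in assets:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            if asset["internet_facing"] and ransomware:
                priority, reason = "P1", "internet-facing and used in ransomware campaigns"
            elif asset["internet_facing"]:
                priority, reason = "P2", "internet-facing"
            else:
                priority, reason = "P3", "internal only"
            if not asset["patch_owner"]:
                reason += "; no patch owner assigned"
            findings.append(Finding(asset["name"], entry["cveID"], priority, reason))
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])


def exposed_without_owner(assets):
    """Internet-facing systems nobody is responsible for patching: these are a
    finding in their own right, whether or not a KEV entry matches today."""
    return [a["name"] for a in assets if a["internet_facing"] and not a["patch_owner"]]


if __name__ == "__main__":
    for f in prioritise(ASSETS, load_kev(KEV_SAMPLE)):
        print(f"{f.priority} {f.asset} {f.cve}: {f.reason}")
    print("exposed systems with no patch owner:", exposed_without_owner(ASSETS))
```

On the constructed data the exposed MOVEit host comes out as P1, the internal copy as P3, and the CRM host is flagged separately because no one owns patching it. In practice the KEV JSON is fetched from CISA on a schedule and the inventory is whatever system of record the business already keeps; the ranking logic stays the same.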

Practical recommendations for this week

Business owners do not need a 90-page cyber strategy to reduce risk this week. Start with five practical moves.

First, enforce MFA everywhere that matters, especially email, remote access, accounting, CRM, admin consoles, and vendor portals. If possible, use phishing-resistant MFA such as passkeys or hardware security keys for administrators.

Second, review backups. Backups should be offline or immutable, protected by separate credentials, and tested. A backup that has never been restored is only a hope, not a recovery plan.
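What "tested" means in practice, as an added example that is not part of the original post: a restore drill that backs up a few constructed files into a tar archive with a SHA-256 manifest, restores the archive into a fresh directory, and reports any file that is missing, altered, or unexpected. The manifest format, file names and contents are this example's own; the tampered run shows what the check reports when a restore does not come back intact.

```python
"""Restore-test a backup archive against a checksum manifest.
Added example, not from the original post. Backs up constructed files into a
tar archive plus a SHA-256 manifest, restores into a fresh directory and checks
every file. The manifest format and sample paths are this example's own."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, dest_dir):
    """Archive every file under `source`; return (archive, manifest) paths.
    The manifest is written beside the archive so a restore can be verified
    without trusting the archive's own contents."""
    archive = dest_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    manifest_path = dest_dir / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def restore(archive, restore_dir):
    """Extract plain files and directories only, refusing any member that could
    write outside restore_dir (absolute paths, '..' components, links)."""
    with tarfile.open(archive, "r:gz") as tar:
        members = []
        for m in tar.getmembers():
            parts = Path(m.name).parts
            if m.name.startswith("/") or ".." in parts or not (m.isfile() or m.isdir()):
                raise ValueError(f"unsafe archive member: {m.name}")
            members.append(m)
        tar.extractall(restore_dir, members=members)


def verify(manifest_path, restore_dir):
    """Compare restored files with the manifest. 'ok' is True only when every
    expected file is present and intact and nothing unexpected appeared."""
    manifest = json.loads(manifest_path.read_text())
    report = {"missing": [], "corrupt": [], "unexpected": [], "ok": False}
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["corrupt"].append(rel)
    restored = {p.relative_to(restore_dir).as_posix()
                for p in restore_dir.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(restored - set(manifest))
    report["ok"] = not (report["missing"] or report["corrupt"] or report["unexpected"])
    return report


def run_drill(tamper=False):
    """Whole drill on constructed data in a temporary directory. tamper=True
    alters one restored file before verification, standing in for a restore
    that did not complete intact."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "payroll").mkdir(parents=True)
        (live / "payroll" / "2024-06.csv").write_text("employee,amount\nalice,100\n")
        (live / "invoices.txt").write_text("INV-0001 paid\n")
        backup_dir = root / "backup"
        backup_dir.mkdir()
        archive, manifest = create_backup(live, backup_dir)
        restore_dir = root / "restore"
        restore_dir.mkdir()
        restore(archive, restore_dir)
        if tamper:
            (restore_dir / "payroll" / "2024-06.csv").write_text("employee,amount\nalice,999\n")
        return verify(manifest, restore_dir)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

The drill restores into an empty directory rather than over the live data, which is also how a real rehearsal should run: an isolated restore target, credentials separate from the production backup account, and a written record of how long the restore took and whether the report came back clean.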

Third, map supplier risk. You need to know which vendors hold sensitive data, which vendors can access your systems, and which vendors your business cannot operate without.

Fourth, reduce exposed attack surface. Shut down unused remote access, old portals, forgotten test systems, legacy VPNs, and public admin panels.

Fifth, rehearse one incident scenario. Pick a likely event, such as “our CRM is unavailable for three days” or “our payroll provider is breached,” and walk through who does what in the first hour.

FAQ

Ransomware usually involves attackers encrypting or stealing data and demanding payment. A supply chain attack targets a supplier, software product, service provider, or trusted third party so the impact spreads to that organisation’s customers.

Yes. Small businesses often depend heavily on large suppliers for payments, email, payroll, bookings, logistics, and customer records. If that supplier is disrupted or breached, your business may still face downtime, customer complaints, privacy obligations, and lost income.

No. Paying does not guarantee full recovery, deletion of stolen data, or protection from future extortion. Businesses should focus on prevention, offline backups, incident response planning, legal advice, and recovery capability before an attack happens.

Ask whether they enforce MFA, how quickly they patch critical vulnerabilities, whether backups are immutable, how they monitor privileged access, what their breach notification process is, and what recovery time they commit to in writing.

Conclusion

This week’s ransomware and supply chain lessons are practical: know your critical suppliers, secure identity, patch exposed systems, test backups, and prepare manual workarounds before you need them. The businesses that recover fastest are not always the biggest — they are the ones that know what can fail and have already rehearsed what to do next.

If you are unsure where your business is most exposed, start with a focused review of your critical systems, vendors, remote access, and backups. Visit consult.lil.business for a free cybersecurity assessment.

References

  1. ACSC — Ransomware: Prevention and protection
  2. NIST Cybersecurity Framework 2.0
  3. CISA Known Exploited Vulnerabilities Catalog
  4. NIST Cybersecurity Supply Chain Risk Management
  5. Progress MOVEit Transfer Critical Vulnerability CVE-2023-34362 Advisory
