Even as cybercriminals take aim at critical infrastructure, many of the United States’ top 100 federal contractors are inadequately prepared to repel ransomware attacks.
These were among the findings of a report from Black Kite, which assessed the cybersecurity risk posture of U.S. defense contractors and found 20% of the country’s largest 100 contractors were highly susceptible to a ransomware attack.
The study found 42% of defense contractors have had at least one compromised credential within the past 90 days, and 40 contractors received an “F” grade in credential management.
Overall, the top 100 federal contractors averaged a “ransomware susceptibility index” score of 0.39, but 20% scored above the critical threshold of 0.6, according to the report.
Crossing the Threshold
By comparison, earlier Black Kite reports showed that 10% of pharmaceutical manufacturers and 49% of automobile manufacturers were above what Black Kite considered a critical threshold, indicating they were highly susceptible to ransomware attacks.
“We’re continuing to see the exact same issues pop up through industries—issues that should be addressed by basic cybersecurity hygiene,” said Bob Maley, chief security officer at Black Kite. “These are defense contractors that should be taking advice from the Department of Homeland Security. The attack vectors for ransomware aren’t new.”
He pointed out that over the past decade, Homeland Security has issued alerts describing what organizations should be doing to protect themselves in exactly these areas.
“So, it’s not that bad actors are finding new things to exploit to make ransomware effective,” he said. “They’re exploiting issues that have been around for a long time that people just aren’t paying attention to.”
Maley explained that there is no single category of malicious actor perpetrating attacks against federal contractors. Generally speaking, the actors posing a threat here may not be targeting defense contractors specifically; they may not even know that they are doing so.
“They’re bad actors that will target a company that is vulnerable and that looks like they have enough financials to…