One Vendor, 1,000 Victims

This report warns that ransomware groups increasingly target vendors and service providers to maximize impact, highlighting high-profile 2024–2025 incidents (PowerSchool, Change Healthcare, CDK Global) that exposed tens to hundreds of millions of records, caused widespread operational outages, and produced large ransom payments; it concludes with five actionable lessons—identify critical dependencies, demand evidence, plan for vendor failure, include vendors in tabletop exercises, and build independent recovery—to prepare organizations for continued supply-chain ransomware risk in 2026.