May was not a good month for Latvian national Deniss Zolotarjovs. The US Department of Justice secured a 102-month sentence against him for his role in Russian ransomware gang Karakurt.
The case revealed that members of Karakurt had been using Russian government databases to intimidate corporate victims and screen their own recruits. This criminal network had also disrupted US 911 emergency dispatch services and extracted at least $15 million in ransoms from more than 54 named victim companies.
This criminal enterprise is an example of a growing problem that corporate security teams cannot solve in isolation. Resilience planning that still treats the threat as an IT department problem is planning for the wrong adversary and underestimating the scope of the problem.
Who’s Involved
Companies must change the actor profile that they have been building continuity plans for. These groups don’t just operate internationally; they operate with state cooperation.
In 2024 the US Treasury Department had already sanctioned ransomware group Trickbot for alleged ties to Russian intelligence. Trickbot spawned several other groups, including Conti, which in turn led to the creation of Karakurt. So, the sanctions for Trickbot’s leaders carry through indirectly to Karakurt.
The May prosecution turned what had been characterized as passive state tolerance into evidence of direct operational support. Karakurt paid bribes to exempt members from compulsory Russian military service and channeled corruption into the state apparatus to keep its operation running.
For organizations headquartered in jurisdictions Moscow views as adversarial, the practical consequence is that the threat actor on the other side of the table behaves less like organized crime than like a quasi-contracted instrument of state policy.
Where It Starts
Improving ransomware resilience also means reconsidering where the breach actually starts. Security Scorecard’s 2025 review of 1,000 breaches found that 41.4% of ransomware attacks now begin with third-party access gained via vendor vulnerabilities, and that 35.5% of all breaches in 2024 had a third-party component.
The European response treats the corporate perimeter as something that ends with the weakest contracted vendor: NIS2 explicitly extends cybersecurity obligations to “a much wider ecosystem of third-party vendors, suppliers, and digital service providers” supporting critical activities across the bloc.
A procurement contract is now a regulated security artefact in a way it was not three years ago, and most multinationals’ supplier-onboarding processes have been calibrated to a much less interconnected version of the risk.
Where It Ends
Breaches no longer end at IT infrastructure; they’re affecting enterprise operations. The 2021 Colonial Pipeline attack forced an operational shutdown that disrupted the supply of roughly 45% of the fuel consumed along the US East Coast and triggered a federal emergency declaration.
Asahi Group’s September 2025 ransomware incident illustrated the same dynamic at a different scale. Factory floors were not technically infected, yet up to 30 domestic plants stopped producing because the IT systems coordinating orders, logistics, and interdependent supply chains were down.
The lesson from Asahi Group is structural rather than technical: in highly digitized operations, an IT compromise propagates directly into the physical operating model. The more an organization has optimized its processes for efficiency, the wider the blast radius tends to be.
What Resilience Actually Means Now
The Karakurt prosecution highlights a level and scope of geopolitical risk that is difficult for ordinary cyber insurance models to price. The Colonial and Asahi cases make clear that the operating model itself is the attack surface. Treating ransomware as an enterprise resilience problem rather than a security control problem is now the lowest bar the regulatory and threat environment requires.
The institutions writing the new rules have started to describe resilience in language that boards, not CISOs, will act on. This covers governance, supplier oversight, business continuity, and the assumption that a breach will eventually arrive through a vendor the company does not control.
The standards that already exist do most of the translation. ISO 27001’s 2022 revision is the clearest case, because it rewrote its supplier controls around exactly the third-party exposure Security Scorecard’s numbers describe. Controls A.5.19 to A.5.23 require a business to document who has access to what and to write those security obligations into supplier agreements.
These controls push the same scrutiny down the ICT supply chain to the cloud services and sub-processors that onboarding checks don’t always reach. They turn the weakest-vendor perimeter into something a company can audit.
ISO 22301 does the parallel job for continuity. It demands a business impact analysis and tested recovery objectives rather than faith that systems will come back, which is the gap the Asahi shutdown exposed.
This is all good practice, but NIS2 converts much of it into legal duty. Its article 21 names supply-chain security as a specific obligation, not a recommendation.
Choosing a framework is the easy part. The work is keeping dozens of overlapping controls, supplier assessments and continuity tests current across an organization whose perimeter runs through vendors it doesn’t fully control.
Using a unified platform to map one set of evidence against ISO 27001, ISO 22301 and NIS2 at once untangles and articulates supplier risk, providing an audit trail in a state a board can digest and act on before an incident rather than afterwards. Ransomware resilience stops being a binder somebody updates post-breach and becomes something the C-suite can prove.