Subscribe to the Non-Human & AI Identity Journal

Why do ransomware crews still rely on identity compromise instead of only malware?

Identity compromise is faster, quieter, and often more reliable than malware delivery alone. Once an attacker gets a trusted account, they can blend into normal administration, reach internal tools, and escalate through legitimate workflows. That is why IAM, PAM, and recovery process design are core ransomware controls, not secondary ones.

Why Identity Compromise Still Outperforms Malware for Ransomware Crews

Ransomware groups prefer identity compromise because a valid account is already trusted by the environment. That lets attackers use normal admin paths, remote management tools, and business workflows instead of fighting endpoint defenses with noisy malware. NHIMG research shows this is not theoretical: 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and 97% of NHIs carry excessive privileges in the average estate, according to the Ultimate Guide to NHIs.

The practical advantage is speed. Identity theft shortens the attacker’s path from initial access to lateral movement, data theft, and backup destruction. It also reduces detection because legitimate sessions often resemble normal operations until the damage is already underway. That is why ransomware resilience depends on IAM, PAM, secrets hygiene, and recovery design, not just endpoint tooling. Guidance from CIS Controls v8 and threat reporting such as the ENISA Threat Landscape consistently points to identity misuse as a core intrusion path. In practice, many security teams discover this only after privileged access has already been used to disable recovery options and stage encryption.

How Ransomware Actors Use Trusted Access in Practice

Once an attacker has valid credentials, the operation usually becomes an identity abuse campaign rather than a malware campaign. The crew may harvest more secrets from email, ticketing systems, CI/CD, code repositories, or backup consoles, then use those credentials to expand access. Malware may still appear later, but often as the final payload after the environment has already been mapped and controls have been weakened.

Operationally, identity compromise works because many environments still assume that authentication means legitimacy. That assumption fails when a stolen account can impersonate an administrator, invoke remote tools, or approve changes through ordinary processes. A stronger model is to treat high-risk actions as conditional, not automatic:

  • Require phishing-resistant MFA for privileged and recovery paths.
  • Use PAM or just-in-time elevation so standing admin rights are minimized.
  • Rotate and scope secrets tightly, especially service accounts and API keys.
  • Monitor for unusual session chaining, backup access, and directory changes.
  • Protect recovery systems as separate trust zones, not as afterthoughts.

For identity-heavy environments, 52 NHI Breaches Analysis is useful because many intrusions begin with over-privileged non-human accounts that attackers can reuse silently. This is also why static access rules age badly: once credentials are stolen, pre-approved access can look entirely normal. These controls tend to break down in environments with long-lived service account passwords, weak vault hygiene, and shared administrative workflows because the attacker can inherit trust instead of bypassing it.

Where the Ransomware Model Breaks Down and What Teams Miss

Tighter identity controls often increase operational overhead, requiring organisations to balance rapid administration against the need to make compromise expensive. That tradeoff is real, especially in legacy estates where service accounts, backup tooling, and domain administration are tightly interwoven. Current guidance suggests that the highest-value improvements come from removing standing privilege, isolating recovery systems, and eliminating reusable secrets wherever possible.

There is no universal standard for every recovery design yet, but the pattern is clear: crews favor the easiest route through trust. If credential theft works, malware becomes optional. If PAM is bypassed, ransomware can use legitimate workflows to reach backups, hypervisors, and identity infrastructure. The problem is especially acute when secrets are stored outside vaults or when offboarding is weak, because stolen access may remain usable long after the initial breach. NHIMG reports that only 20% of organisations have formal processes for offboarding and revoking API keys, which explains why old access often survives into the incident window.

In mature programs, the answer is not to ignore malware but to make identity compromise less profitable: time-limit access, separate admin and recovery roles, and continuously validate who or what is acting. That is the same logic behind the Top 10 NHI Issues and why identity is now a first-class ransomware control surface rather than a supporting detail.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Stolen service-account secrets are a common ransomware entry path.
OWASP Agentic AI Top 10 Autonomous tool use mirrors attacker chaining through trusted workflows.
CSA MAESTRO Agentic governance overlaps with attacker abuse of delegated execution paths.
NIST CSF 2.0 PR.AC-1 Identity assurance and access control are central to ransomware defense.
NIST Zero Trust (SP 800-207) Zero trust reduces attacker use of trusted internal paths after credential theft.

Inventory NHI secrets, rotate them fast, and remove any long-lived credentials from ransomware-critical systems.