TL;DR: Financially motivated cybercrime now dominates the threat landscape, with cybercriminals sharing playbooks and ransomware tactics ranging from encryption to triple extortion, according to Arkose Labs. The practical lesson is that collaboration, MFA, and third-party risk controls must now be treated as core governance capabilities, not optional hardening.
At a glance
What this is: This is a discussion of how cybercrime syndicates, ransomware, and third-party exposure are reshaping enterprise security priorities, with collaboration and MFA emerging as key defenses.
Why it matters: IAM practitioners should care because the same supply-chain, credential, and access governance weaknesses that enable ransomware also undermine NHI, autonomous, and human identity programmes.
By the numbers:
- The fact that 70% of malicious cyber activity is now financially motivated is a wake-up call for all of us.
👉 Read Arkose Labs’ conversation on cybercrime syndicates, ransomware, and MFA
Context
Financially motivated cybercrime has become a governance problem, not just a security problem. When attack ecosystems share tactics and services, the defensive burden shifts from isolated controls to identity, access, and supply-chain resilience across the programme.
That matters directly for IAM because ransomware, third-party compromise, and phishing all exploit the same trust boundaries that identity teams manage. MFA and third-party risk reviews are not adjacent controls here; they are part of the operating model that determines whether attackers can turn one foothold into broad access.
Key questions
Q: How should security teams reduce ransomware risk through identity controls?
A: Security teams should focus on the identities that can open the most paths, not just the ones that log in most often. That means tightening third-party access, removing standing privilege, using stronger MFA for high-risk accounts, and continuously reviewing which accounts can reach sensitive systems or data.
Q: Why do third-party connections make cybercrime harder to contain?
A: Third-party connections extend trust beyond the organisation’s direct control, which gives attackers more routes to reuse stolen credentials or approved access. If vendor accounts are not lifecycle-managed, a compromise can persist long enough for ransomware operators or extortion groups to move from entry to impact.
Q: What do teams get wrong about MFA in ransomware defence?
A: Teams often treat MFA as a complete answer when it is only one layer of protection. MFA can reduce account takeover, but it cannot stop privilege abuse, lateral movement, or data exfiltration after login. It works best when paired with least privilege, monitoring, and session controls.
Q: Who is accountable when a supplier account is used in an attack?
A: Accountability should sit with the business owner that approved the access, the identity team that governs the account, and the vendor management process that failed to revoke it. If the supplier path was never reviewed or offboarded, the governance failure is internal even when the attacker is external.
Technical breakdown
Why cybercrime-as-a-service changes the attack economics
Cybercrime-as-a-service lowers the skill threshold for attackers by packaging tooling, infrastructure, and expertise into reusable services. That means syndicates can move faster, test more variants, and share working playbooks across groups, which compresses defender reaction time. The consequence is not just more attacks, but more repeatable attacks that are easier to scale and harder to attribute. For identity teams, this matters because reused credential theft, phishing kits, and access brokerage all target the same identity control plane.
Practical implication: treat identity controls as a speed control, not just an access policy, because attackers now industrialise repeatable compromise paths.
How triple extortion exploits identity and data trust
Triple extortion combines encryption, data theft, and coercive follow-on pressure. The attacker is no longer relying on a single ransom event, but on multiple layers of leverage that increase the likelihood of payment and widen business disruption. Identity access becomes critical because initial compromise often starts with a stolen credential, a phished account, or weak third-party access. Once inside, the attacker seeks privileged reach, data movement, and the ability to pressure the victim through exposure and persistence.
Practical implication: map where a single identity compromise could enable both encryption impact and data exfiltration, then narrow that blast radius.
Why MFA and third-party risk are the same governance conversation
MFA reduces the success rate of account takeover, but it does not fully solve the governance problem if third parties, delegated access, or weak lifecycle controls remain in place. The article’s emphasis on rigorous third-party risk programs reflects a wider reality: attackers frequently enter through connected vendors, shared services, or exposed credentials rather than direct user login alone. IAM, PAM, and vendor access governance therefore have to be evaluated together, because the practical attack path often crosses all three.
Practical implication: review third-party access as part of identity governance, not as a separate procurement or security questionnaire exercise.
Threat narrative
Attacker objective: The attacker wants to monetise access through ransom payment, data theft, and sustained pressure on the victim to increase leverage.
- Entry occurs through credentials, phishing, or third-party access that gives a criminal group a foothold in the environment.
- Escalation follows when the attacker uses that foothold to reach privileged systems, move laterally, and stage data for theft or encryption.
- Impact comes from ransomware execution, data exfiltration, and coercive extortion that multiplies business and reputational damage.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Cybercrime syndicates have turned identity compromise into a repeatable business model. When attackers share tactics and sell services, identity exposure is no longer an isolated event but part of an industrialised pipeline. That changes how defenders should think about access governance, because a stolen credential is now immediately reusable by a broader market of operators. Practitioners should treat identity abuse as a scaled threat economy, not a one-off intrusion.
Triple extortion is a governance problem because it weaponises both access and data custody. The attack only works when the victim’s environment contains reachable identity paths into systems that matter and data paths that can be extracted or threatened. This is why account scope, vendor reach, and privileged path mapping matter as much as encryption recovery planning. Practitioners need to understand where access can become leverage.
Third-party access without lifecycle discipline is the control gap most attackers are exploiting. Vendor connectivity, shared administration, and delegated access create trusted paths that many organisations do not continuously reassess. That trust becomes brittle when credentials are not reviewed as a lifecycle asset. The implication is that access governance for suppliers must be treated as continuously revocable, not permanently inherited.
Cybercrime-as-a-service is forcing MFA and PAM teams to operate as one control surface. Phishing-resistant authentication matters, but so does limiting what an account can do after it is authenticated. Attackers increasingly care less about how they get in than about what the identity can reach once inside. Practitioners should align authentication strength with privilege containment and session oversight.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That visibility gap is a reminder that third-party access governance and identity lifecycle discipline must move together, as explored in Top 10 NHI Issues.
What this signals
The practical signal for identity programmes is that ransomware readiness now depends on how quickly you can identify, constrain, and revoke the accounts that attackers are most likely to abuse first. In environments with heavy supplier access, identity teams should expect the containment problem to begin before the ransom note appears.
Identity leverage debt: every standing path, delegated account, and over-broad vendor permission increases the amount of organisational leverage an attacker can extract from a single compromise. That makes access review quality and offboarding discipline more important than another layer of detective tooling.
With only 1.5 out of 10 organisations highly confident in securing NHIs, the gap is not awareness but execution. Programmes that cannot see third-party and machine access clearly will keep absorbing the same attack patterns under different names.
For practitioners
- Harden third-party access lifecycles: Inventory all external vendor, contractor, and service access paths, then tie each one to a named owner, expiry date, and revocation trigger. Revalidate those paths on a fixed cadence and after every relationship change.
- Reduce blast radius on privileged accounts: Segment admin roles, remove standing access where possible, and require just enough privilege for the task at hand. Review whether the same account can reach authentication, backup, and production systems.
- Treat MFA as a floor, not a finish line: Deploy stronger authentication for high-risk access, but pair it with device trust, conditional access, and monitoring for anomalous session behaviour. Reassess any pathway where MFA protects login but not downstream privilege misuse.
- Build ransomware scenarios into identity exercises: Test whether identity teams can quickly cut access, freeze risky third-party paths, and identify the first accounts that would let an attacker move from initial compromise to data theft. Use those exercises to validate response handoffs.
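The first two items above describe a review that can be run mechanically: every external or privileged access path needs a named owner, an expiry, a recent revalidation, and a bounded reach. The script below is an added example, not code from the original post, from Arkose Labs, or from NHI Mgmt Group. It applies those checks to a constructed access inventory and lists which accounts are immediate revocation candidates. The 90-day revalidation cadence, the tier names (authentication, backup, production), and every account in the sample are assumptions chosen for illustration.

```python
"""Lifecycle and blast-radius review over a third-party / privileged access inventory.

Added example (not the original post's code). Inventory, cadence and tier names
are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed review cadence: any path not revalidated within this window is overdue.
REVALIDATION_CADENCE = timedelta(days=90)

# Assumed system tiers whose combination on one identity widens the blast radius
# (the post names authentication, backup and production as the ones to check).
SENSITIVE_TIERS = {"authentication", "backup", "production"}


@dataclass
class AccessPath:
    """One access path from the inventory (vendor, contractor, service or employee)."""
    account: str
    kind: str
    owner: Optional[str]                 # named business owner, or None if missing
    expires: Optional[date]              # expiry date, or None if never set
    last_revalidated: Optional[date]     # last review date, or None if never reviewed
    reaches: Set[str] = field(default_factory=set)   # system tiers the account can reach
    standing: bool = True                # True = always-on access, False = just-in-time


def lifecycle_findings(path: AccessPath, today: date) -> List[str]:
    """Checks owner, expiry and revalidation cadence for a single path."""
    findings = []
    if not path.owner:
        findings.append("no named owner")
    if path.expires is None:
        findings.append("no expiry date")
    elif path.expires < today:
        findings.append(f"expired on {path.expires.isoformat()}")
    if path.last_revalidated is None or today - path.last_revalidated > REVALIDATION_CADENCE:
        findings.append("revalidation overdue")
    return findings


def blast_radius_findings(path: AccessPath) -> List[str]:
    """Flags one identity spanning several sensitive tiers, or standing access to any of them."""
    hit = path.reaches & SENSITIVE_TIERS
    findings = []
    if len(hit) >= 2:
        findings.append("single identity spans " + ", ".join(sorted(hit)))
    if path.standing and hit:
        findings.append("standing access to sensitive tier")
    return findings


def review(inventory: List[AccessPath], today: date) -> Dict[str, List[str]]:
    """Returns {account: [findings]} for every path with at least one finding."""
    report: Dict[str, List[str]] = {}
    for path in inventory:
        findings = lifecycle_findings(path, today) + blast_radius_findings(path)
        if findings:
            report[path.account] = findings
    return report


def revocation_candidates(report: Dict[str, List[str]]) -> List[str]:
    """Accounts that are expired or ownerless: nobody can vouch for them, so revoke first."""
    return sorted(
        account for account, findings in report.items()
        if any(f == "no named owner" or f.startswith("expired") for f in findings)
    )


# Constructed sample inventory (all values are made up for this example).
SAMPLE_INVENTORY = [
    AccessPath("vendor-backup-svc", "vendor", "it-ops", date(2026, 1, 31),
               date(2025, 10, 1), {"backup", "production"}, standing=True),
    AccessPath("contractor-jdoe", "contractor", None, None,
               date(2026, 4, 20), {"production"}, standing=False),
    AccessPath("saas-reporting", "service", "finance", date(2026, 12, 31),
               date(2026, 3, 1), {"reporting"}, standing=True),
    AccessPath("helpdesk-admin", "employee", "helpdesk-lead", date(2026, 9, 30),
               date(2026, 4, 1), {"authentication", "production"}, standing=True),
]

if __name__ == "__main__":
    today = date(2026, 5, 11)
    report = review(SAMPLE_INVENTORY, today)
    for account, findings in report.items():
        print(f"{account}: {'; '.join(findings)}")
    print("revoke first:", revocation_candidates(report))
```

Run as-is, the sample flags the expired vendor service account (also overdue for review and spanning backup and production), the ownerless contractor with no expiry, and the helpdesk admin whose single identity reaches both authentication and production; the scoped reporting integration passes. The same structure extends to a real inventory exported from an IdP or vendor-management system, with the tier set and cadence replaced by the organisation's own values.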
Key takeaways
- Cybercrime syndicates now operate like a reusable attack ecosystem, which makes identity compromise faster to weaponise and harder to contain.
- The scale of the threat is operational, not theoretical, because financially motivated activity and triple extortion both depend on reachable identities and weak trust boundaries.
- The most effective response is tighter lifecycle governance for third-party access, reduced privilege scope, and MFA paired with containment controls.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity privileges and third-party access sit at the center of this ransomware discussion. |
| NIST Zero Trust (SP 800-207) | | The article’s emphasis on MFA and containment aligns with continuous verification principles. |
| NIST CSF 2.0 | DE.CM-7 | Monitoring and shared playbooks depend on detecting abnormal identity behaviour quickly. |
Apply zero trust assumptions to supplier access and verify every high-risk session continuously.
Key terms
- Cybercrime-as-a-Service: A criminal delivery model where tools, infrastructure, and know-how are packaged for reuse by other attackers. It lowers the skill barrier and increases attack volume, which makes defence harder because the same techniques can appear across many groups and campaigns.
- Triple Extortion: A ransomware pattern that combines encryption, data theft, and additional pressure such as public exposure or threats against partners. It expands leverage beyond the initial ransom demand, which means recovery planning must address both availability and confidentiality impacts.
- Third-Party Risk: The exposure created when vendors, contractors, or other external parties connect to an organisation’s systems or data. In identity governance, this risk is managed through least privilege, lifecycle review, offboarding, and continuous visibility into delegated access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: an Arkose Accelerate conversation with Rachel Wilson on cybercrime syndicates, ransomware, and collaboration. Read the original.
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org