By NHI Mgmt Group Editorial TeamPublished 2026-01-20Domain: Breaches & IncidentsSource: Elisity

TL;DR: Black Basta, Akira, and LockBit all depend on lateral movement to turn one compromised endpoint into enterprise-wide disruption, with IBM reporting a $4.88 million average breach cost and 292 days to identify and contain credential theft cases. The defensive question is no longer detection at the perimeter, but whether identity, segmentation, and privileged access controls can stop east-west spread before critical systems are reached.


At a glance

What this is: This is an analysis of how ransomware groups use lateral movement to expand one foothold into broad operational disruption, and why identity-based containment is the decisive control point.

Why it matters: It matters because IAM, PAM, and segmentation teams have to limit east-west reach, not just stop initial access, if they want to protect domain controllers, backup systems, and operational infrastructure.

By the numbers:

👉 Read Elisity's analysis of how to stop ransomware lateral movement


Context

Lateral movement is the phase where an attacker pivots from one compromised system to other internal assets using trusted credentials, administrative protocols, or legitimate tools. In ransomware cases, that phase determines whether the incident stays local or becomes an enterprise-wide outage, which is why lateral movement is now a core identity and containment problem rather than a pure network problem.

For identity teams, the issue is not only who can authenticate, but what that authenticated identity can reach next. Once privileged access, remote administration paths, and flat trust relationships overlap, ransomware operators can move from user endpoints to domain controllers, backup infrastructure, and virtualisation management planes before defenders have a clean containment point.


Key questions

Q: What breaks when ransomware can move laterally after one endpoint is compromised?

A: Containment breaks, because one compromised identity can reach the systems that keep the business running. If user networks, management planes, and recovery infrastructure are not separated, attackers can pivot from a single host into domain controllers, backups, and virtualization layers before defenders can isolate the incident.

Q: Why do standing privileged accounts increase lateral movement risk?

A: Standing privilege gives attackers reusable access paths once they capture credentials or a remote session. That matters because ransomware crews do not need to break every control again if the same identity can reach multiple systems through RDP, SMB, WMI, or remote support tooling.

Q: How do security teams know whether segmentation is actually limiting ransomware spread?

A: Test whether a compromised workstation can reach high-value assets without an approved jump host or management network. If the answer is yes, segmentation is not enforcing blast-radius limits. A good signal is when privileged routes are explicit, narrow, and monitored for every administrative session.

Q: Who is accountable when ransomware spreads through internal trust relationships?

A: Accountability sits across IAM, PAM, network engineering, and platform owners, because the failure is cross-domain. NIST SP 800-53 Rev 5 and the NIST Cybersecurity Framework both require access control and protective architecture that reduce blast radius, while operational teams must prove those controls are enforced.


Technical breakdown

How ransomware operators turn valid access into east-west spread

Lateral movement usually starts after an initial foothold, then relies on stolen credentials, remote administration protocols, and trusted internal connectivity to expand reach. Common techniques include RDP for interactive control, SMB for file staging and remote execution, WMI for remote command launch, and PsExec for rapid deployment across multiple endpoints. Attackers often blend in by using legitimate tools such as remote access software and tunnelling services, which makes the activity look like normal administration unless identity, protocol, and destination patterns are monitored together.

Practical implication: Restrict administrative protocols to approved pathways and correlate identity, tool, and destination telemetry to expose abnormal east-west behaviour.

Why identity-based microsegmentation matters more than perimeter trust

Traditional network design assumes internal traffic is trusted once an endpoint is inside the environment. Ransomware groups exploit that assumption by moving through file servers, backup systems, and management planes without needing to defeat perimeter controls again. Identity-based microsegmentation changes the enforcement model from location-based trust to identity and asset-based policy, so an authenticated session still cannot reach critical systems unless it is explicitly allowed. That is the main reason segmentation is now a blast-radius control, not just a network hygiene exercise.

Practical implication: Map privileged pathways to specific asset tiers and deny lateral reach by default, especially toward domain controllers, backups, and virtualisation platforms.

How privileged access and JIT provisioning reduce ransomware spread

Privileged access management matters because ransomware operators look for the accounts that can move fastest and reach the most systems. Just-in-time provisioning shortens the exposure window by making elevated access temporary and task-scoped rather than persistent. When paired with phishing-resistant MFA and continuous verification, JIT reduces the value of stolen administrative credentials and makes credential reuse harder during an active intrusion. The control objective is not only to stop privilege escalation, but to prevent a compromised session from becoming a reusable launching point for lateral movement.

Practical implication: Remove standing administrative access where possible and force high-risk actions through time-bound, audited elevation with continuous verification.


Threat narrative

Attacker objective: The attacker wants to turn one compromised endpoint into broad operational paralysis by reaching the systems that let ransomware spread, persist, and destroy recovery options.

  1. Entry begins with phishing, loader malware, purchased access, or exploitation of edge devices that expose internal authentication paths.
  2. Escalation follows when attackers harvest credentials, abuse RDP, SMB, WMI, or remote tools, and use those trusted paths to expand from one host to many.
  3. Impact occurs when attackers reach domain controllers, backup infrastructure, or virtualisation management planes and deploy ransomware at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Lateral movement is the control failure that decides whether ransomware is a nuisance or a shutdown event. Black Basta, Akira, and LockBit all depend on internal reach after initial access because enterprise trust models still assume that authenticated traffic inside the network is lower risk than external traffic. That assumption no longer holds in flat or weakly segmented environments. Practitioners should treat east-west containment as a primary security objective, not a secondary detection problem.

Identity-based microsegmentation is now the practical boundary for ransomware containment. Perimeter defences do not stop an attacker who already holds valid internal credentials and can use approved protocols. When access is tied to identity, asset tier, and explicit destination policy, the compromised account cannot automatically inherit movement rights across the estate. The implication is straightforward: segmentation design has to be driven by identity pathways, not by subnet convenience.

Standing administrative privilege creates the exact mobility ransomware groups need. RDP, SMB, WMI, PsExec, and remote support tools become dangerous when they are broadly reachable and permanently available to powerful accounts. JIT elevation and strict management-network scoping reduce that mobility because the attacker cannot easily convert one compromise into repeated privileged reuse. Practitioners should view privilege lifetime as part of blast-radius control.

Blast-radius control is the right named concept for this threat pattern. The article is really about how quickly one compromise can become enterprise-wide if domain controllers, backup infrastructure, and virtualisation platforms are reachable from user segments. That is a governance problem as much as a technical one, because it exposes where access policy, infrastructure design, and recovery planning are misaligned. Security teams should measure how far a compromised identity can travel before containment fails.

Operational continuity is now an identity governance outcome. In manufacturing, healthcare, and industrial environments, lateral movement does not just threaten data confidentiality. It threatens patient care, production uptime, and recovery capability, which means IAM, PAM, and segmentation teams must work from a shared containment model. The practical conclusion is that identity design has to protect business continuity, not just authentication.

From our research:

What this signals

Blast-radius thinking has to become a standing operating model. The practical lesson for identity and security leaders is that containment controls must be mapped to the paths an attacker can actually traverse, not to the org chart or network diagram alone. If backups, hypervisors, and domain controllers sit on reachable trust paths, ransomware operators will keep using them.

With 23.7% of organisations still sharing secrets through insecure methods such as email or messaging applications, the governance gap is not abstract. It shows up as credentials that can be reused in exactly the kind of lateral movement chains this article describes, which is why identity hygiene and segmentation have to be designed together.

The most useful programme shift is to measure reachable privilege, not just assigned privilege. If a compromised account can cross segments, reach management planes, or invoke remote tooling without an explicit control boundary, the environment is already over-exposed, even if the access review looks clean on paper.


For practitioners

  • Map east-west privilege pathways Identify which identities can reach domain controllers, backup systems, virtualization management, and OT or IoMT segments, then remove unnecessary pathways and document the approved administrative routes.
  • Restrict administrative protocols to jump hosts Allow RDP, SMB, WMI, PsExec, and remote management tools only from controlled administration networks, and alert on any use outside those pathways.
  • Convert standing admin rights to JIT elevation Replace persistent privileged accounts with time-bound elevation, phishing-resistant MFA, and approval logging for high-risk actions so stolen credentials have less utility during an active intrusion.
  • Segment recovery and management assets from user networks Isolate backup infrastructure, hypervisor management planes, and recovery tooling so a compromised workstation cannot directly reach the systems that restore or expand ransomware impact.
  • Exercise containment before you need it Run tabletop and technical simulations that test whether the team can block lateral movement before domain-wide spread, especially in environments with 3,000 or more connected devices.

Key takeaways

  • Ransomware becomes enterprise-wide when lateral movement is easy, not when the first endpoint is breached.
  • The evidence points to one recurring failure pattern: trusted internal paths still let stolen credentials reach critical systems.
  • Identity-based segmentation, JIT privilege, and restricted administrative pathways are the controls that change the outcome.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , ImpactThe article tracks credential abuse, pivoting, and ransomware impact.
NIST CSF 2.0PR.AC-4Access control and segmentation are central to limiting east-west spread.
NIST SP 800-53 Rev 5AC-6Least privilege governs who can reach high-value systems after compromise.
CIS Controls v8CIS-5 , Account ManagementAccount management is central to stopping credential reuse and privilege spread.

Use PR.AC-4 to enforce least-privilege pathways between user, management, and recovery zones.


Key terms

  • Lateral Movement: Lateral movement is the phase where an attacker pivots from one compromised internal system to others using trusted credentials, remote administration tools, or legitimate protocols. In ransomware scenarios, it is the step that turns a local compromise into broad operational disruption by exposing more assets to encryption and control loss.
  • Identity-based Microsegmentation: Identity-based microsegmentation is a policy approach that allows access based on the identity of the user, workload, or device rather than only on network location. It is used to restrict east-west traffic so a compromised session cannot automatically reach domain controllers, backups, or management planes.
  • Just-in-Time Privilege: Just-in-time privilege is a method of granting elevated access only when it is needed and only for a limited time. For ransomware defence, it reduces the value of stolen credentials by preventing persistent administrative rights from becoming a reusable launch point for lateral movement.

What's in the full article

Elisity's full analysis covers the operational detail this post intentionally leaves for the source:

  • Protocol-by-protocol guidance for controlling RDP, SMB, WMI, PsExec, and remote access tools across administrative pathways
  • A 90-day implementation roadmap for segmentation, privileged access, and detection across large device estates
  • Sector-specific containment considerations for healthcare, manufacturing, and industrial environments
  • Practical examples of how identity-based microsegmentation maps to ransomware blast-radius reduction

👉 The full Elisity post covers Black Basta, Akira, and LockBit kill-chain detail plus containment guidance

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org