TL;DR: Ransomware continues to drive large-scale financial, operational, and legal damage, with the article citing more than $40 billion in projected losses for US businesses in 2024, a median ransom jump from $200,000 to $1.5 million, and major incidents at Change Healthcare, British Library, and MGM Resorts. The real security issue is that one compromised identity can still create broad lateral movement and delayed recovery, making access governance a core ransomware control.
At a glance
What this is: This analysis argues that ransomware impact is now being amplified by identity and access weaknesses, especially where compromised credentials enable lateral movement and prolonged disruption.
Why it matters: It matters because IAM, PAM, and NHI governance teams are increasingly part of ransomware resilience, not just incident response, and weak identity controls can turn an intrusion into enterprise-wide shutdown.
By the numbers:
- In 2024, attacks by ransomware were expected to cause more than $40 billion in losses for US businesses, including ransoms, productivity loss, and system outages.
- MGM Resorts said the cyberattack would cost the company more than $100 million.
👉 Read Imprivata's article on ransomware risk and access control
Context
Ransomware is no longer just a malware problem. It is a governance problem that starts when attackers gain access, then expands when identity controls fail to constrain where that access can go. In that sense, ransomware resilience depends as much on IAM, PAM, and privileged session control as it does on backups and endpoint detection.
The article’s central claim is that modern ransomware, especially when delivered through RaaS operations, exploits weak access discipline as much as technical vulnerability. Once a single account, session, or vendor pathway is compromised, the attacker can move laterally, escalate impact, and extend recovery time across business-critical systems.
Key questions
Q: How should security teams reduce ransomware impact through identity controls?
A: Security teams should reduce the number of identities that can reach critical systems, then separate privileged tasks from routine access. MFA, least privilege, PAM, and strong vendor session controls matter because ransomware often spreads after the first account is compromised. The goal is to stop one credential from becoming a broad operational outage.
Q: Why do privileged accounts make ransomware incidents harder to contain?
A: Privileged accounts make containment harder because they can reach many systems at once, including backups, servers, and administrative tools. When those accounts are persistent or shared, attackers can move laterally without needing to exploit each new target. That turns a local compromise into a business-wide disruption much faster.
Q: What do organisations get wrong about ransomware recovery?
A: Many organisations treat recovery as a storage or backup problem and underweight identity control. In practice, an attacker who still has active access can relock systems, delete backups, or trigger more encryption before restoration finishes. Recovery is only reliable when identity pathways are narrowed first.
Q: Who is accountable when ransomware spreads through third-party access?
A: Accountability sits with the organisation that granted the access and failed to govern its scope, lifecycle, and monitoring. Third-party identities should be reviewed like any other high-risk access path, with explicit ownership, revocation rules, and session visibility. Without that, vendor access becomes an unmanaged attack surface.
Technical breakdown
How ransomware turns one credential into enterprise-wide disruption
Modern ransomware campaigns often begin with one compromised account, reused password, phishing success, or exposed remote-access path. From there, the attacker searches for reachable systems, cached credentials, and privileged pathways that let them expand beyond the first foothold. The article highlights the practical reality that compromise is rarely the endpoint. Identity becomes the bridge from intrusion to business interruption because access rights determine which systems can be touched, encrypted, or disabled once inside.
Practical implication: teams should treat initial access as a containment race, not a malware-only event, and constrain reachable systems immediately.
Why lateral movement is the real escalation path in ransomware
Lateral movement is the stage where ransomware operators convert ordinary access into broad impact. If privileged accounts, shared credentials, or over-permissioned service paths exist, attackers can traverse files, backups, and admin tools without needing fresh exploitation. The article’s examples show that organisations fail most visibly when identity boundaries are too wide or too durable. In those conditions, one compromised identity can behave like a master key for multiple business domains.
Practical implication: reduce standing privilege and isolate admin pathways so one compromised identity cannot traverse core systems.
Why access control now sits alongside recovery in ransomware planning
Recovery used to be framed as restoration after encryption. The article shows that in practice, the organisation is already paying before recovery begins through downtime, manual workarounds, regulatory exposure, and reputational damage. That shifts the design problem upstream. Controls such as MFA, least privilege, privileged access management, and vendor session oversight are not supplementary to ransomware defence. They shape whether an incident becomes a short interruption or a prolonged enterprise event.
Practical implication: include IAM and PAM controls in ransomware tabletop exercises, not just backup and restore workflows.
Threat narrative
Attacker objective: The attacker’s objective is to maximise operational pressure by encrypting systems, stealing data for double extortion, and forcing payment or prolonged disruption.
- Entry occurs when attackers gain initial access through compromised credentials, phishing, exposed systems, or a third-party pathway.
- Escalation follows when the attacker uses privileged accounts or lateral movement paths to reach more systems, data, and backup assets.
- Impact occurs when data is encrypted, services are disrupted, and the organisation is forced into downtime, manual operations, or ransom negotiation.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity control failure is the ransomware multiplier, not the background condition. The article makes clear that one compromised identity can open the door to lateral movement, service disruption, and double extortion. That means ransomware resilience depends on whether identity boundaries are narrow enough to contain a breach once the first account is lost. Practitioners should read ransomware as an identity containment problem, not only a malware response problem.
Standing privilege creates the attacker’s shortest path to impact. The article’s own guidance on PAM is directionally correct because ransomware operators do not need every privilege, only the ones that unlock movement and encryption at scale. Shared admin credentials, persistent vendor access, and excessive rights turn a single intrusion into a multi-system event. The implication is that privilege scope, not just detection speed, is what determines blast radius.
Vendor access without session discipline is a live ransomware exposure surface. Third-party access is especially dangerous when it is broad, persistent, or poorly monitored, because attackers often look for the easiest path through trusted relationships. This is where NHI governance and PAM converge: credentials, service access, and external sessions must be governed as attack paths, not as administrative conveniences. Practitioners should treat third-party access as part of the ransomware kill chain, not as a side control domain.
Ransomware has become an identity governance test for the whole programme. The article spans human behaviour, machine access, and privileged workflows, which is exactly why IAM teams can no longer sit at the edge of ransomware planning. MFA, passwordless access, least privilege, and privileged session controls are not separate chapters. They are the governance fabric that determines whether recovery starts after a containment event or after a full operational shutdown.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For a deeper breach lens, see The 52 NHI breaches Report for real-world cases where identity and secret exposure accelerated impact.
What this signals
Identity-heavy ransomware defence is becoming the baseline, not the mature state. As attackers continue to exploit lateral movement and standing privilege, programme owners should expect ransomware reviews to shift from backup readiness toward access containment, vendor session governance, and privileged identity isolation. The operational question is no longer whether identity matters, but whether it is governed as part of resilience planning.
Blast-radius reduction is the most practical ransomware metric for identity teams. If a single compromised account can still reach finance, clinical, or production systems, the programme has not contained its own exposure. Teams should use privileged path mapping, account segregation, and session revocation as the measures that indicate whether controls are actually shrinking the attack surface.
Ransomware control is converging with secrets and workload governance. Leaked credentials, over-permissioned service accounts, and unmanaged third-party access all expand the number of ways attackers can move after entry. For that reason, the identity programme should watch for secrets lifecycle gaps and credential sprawl, then align them with recovery design before the next incident.
For practitioners
- Tighten privileged account boundaries: Reduce standing administrative access, separate high-risk functions, and ensure ransomware cannot reuse one privileged account across multiple business domains.
- Harden third-party access paths: Review vendor and contractor sessions for obfuscation, MFA, and live monitoring, and remove always-on access wherever business terms allow.
- Map ransomware blast radius to identity ownership: Identify which accounts can reach backups, finance systems, clinical systems, or production tools, then reduce those paths before the next incident.
- Build identity controls into recovery exercises: Test how MFA failures, privileged session revocation, and access lockdowns affect containment before the restore phase begins.
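The blast-radius mapping described in the Technical breakdown (reduce standing privilege, isolate admin pathways) and in the practitioner item above (identify which accounts can reach backups, finance, clinical or production systems) can be made concrete with a small access-graph analysis. The following is an added example, not code from the original post or from Imprivata; the inventory, identity names, group names and system names are constructed placeholders. It models identity -> group -> system entitlements plus system -> system trust edges (a jump host holding a cached admin session, a domain controller reaching everything it administers), computes each identity's transitive reach, flags identities whose reach spans more than one business domain, and shows how removing a single standing trust path shrinks the vendor account's blast radius.

```python
"""Blast-radius mapping for identities (added example, constructed inventory).

Reachability is computed as the transitive closure of the access graph, so it
captures lateral-movement paths (host-to-host trust, cached credentials), not
only the entitlements an identity holds directly.
"""
from collections import defaultdict, deque

# Constructed sample inventory; every name here is hypothetical.
EDGES = [
    # identity -> group
    ("alice", "finance-users"),
    ("bob", "domain-admins"),
    ("vendor-svc", "vendor-remote"),
    ("backup-svc", "backup-operators"),
    # group -> system
    ("finance-users", "erp"),
    ("domain-admins", "dc01"),
    ("domain-admins", "backup-server"),
    ("domain-admins", "erp"),
    ("domain-admins", "emr"),
    ("vendor-remote", "jump-host"),
    ("backup-operators", "backup-server"),
    # system -> system: credentials cached or trusted on one host reach another
    ("jump-host", "dc01"),        # vendor jump host holds a standing domain-admin session
    ("dc01", "backup-server"),
    ("dc01", "erp"),
    ("dc01", "emr"),
]

# Business domain each critical system belongs to (constructed).
DOMAINS = {
    "erp": "finance",
    "emr": "clinical",
    "backup-server": "backups",
    "dc01": "identity",
    "jump-host": "vendor",
}


def build_graph(edges):
    """Adjacency sets for a directed graph given (src, dst) pairs."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def reachable(graph, start):
    """Breadth-first transitive closure from start (start itself excluded)."""
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(edges, identity, domains=DOMAINS):
    """Return (critical systems, business domains) the identity can reach."""
    systems = {n for n in reachable(build_graph(edges), identity) if n in domains}
    return systems, {domains[s] for s in systems}


def over_reaching(edges, identities, domains=DOMAINS, max_domains=1):
    """Identities whose reach spans more than max_domains business domains."""
    flagged = {}
    for identity in identities:
        _, doms = blast_radius(edges, identity, domains)
        if len(doms) > max_domains:
            flagged[identity] = sorted(doms)
    return flagged


def without_edge(edges, edge):
    """Inventory with one entitlement or trust path removed (a remediation)."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    identities = ["alice", "bob", "vendor-svc", "backup-svc"]
    print("over-reaching identities:", over_reaching(EDGES, identities))
    # Remediation: stop the vendor jump host from holding a standing DC session.
    fixed = without_edge(EDGES, ("jump-host", "dc01"))
    print("vendor-svc reach after fix:", blast_radius(fixed, "vendor-svc"))
```

In a real programme the edge list would be exported from the directory, PAM vault and host inventory rather than hand-written, but the metric is the same: the number of business domains a single identity can reach is the blast radius, and each standing trust path removed should visibly lower it.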
Key takeaways
- Ransomware is now an identity governance problem because one compromised account can unlock lateral movement, encryption, and prolonged downtime.
- The article’s evidence shows that ransomware damage is measured in both money and operational disruption, with losses that can reach nine figures for major organisations.
- Reducing standing privilege, tightening vendor access, and testing identity containment inside recovery plans are the controls most likely to limit blast radius.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Ransomware risk rises when secrets and credentials remain usable too long. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege directly limits how far an intruder can move after entry. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust segmentation reduces the ability to traverse systems after compromise. |
Audit credential lifecycle controls and rotate or revoke secrets before they become reusable attack paths.
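The lifecycle audit called for above (and the 27-day remediation gap noted under "From our research") can be expressed as a policy check over a secrets inventory. The following is an added example, not code from the original post, from Imprivata or from any vault product; the secrets, owners, dates and policy thresholds are constructed placeholders. It flags a credential for revocation when its accountable owner or vendor is no longer active, for rotation when it has outlived the rotation window for its privilege tier, and for revocation when it has gone unused long enough that it is more useful to an attacker than to the business.

```python
"""Credential lifecycle audit (added example; constructed inventory and policy)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Secret:
    name: str
    owner: str               # human or vendor accountable for the credential
    created: date            # last issue/rotation date
    last_used: Optional[date]  # None means never observed in use
    privileged: bool         # can reach backups, directory, production, etc.
    owner_active: bool       # owner still employed / vendor contract still live


# Constructed policy: privileged secrets rotate faster, idle secrets get revoked.
POLICY = {
    "max_age_days": {"privileged": 30, "standard": 90},
    "unused_days": 45,
}

# Constructed sample inventory; names and dates are hypothetical.
TODAY = date(2025, 7, 2)
SAMPLE_SECRETS = [
    Secret("backup-api-key", "backup-team", date(2025, 4, 1), date(2025, 7, 1), True, True),
    Secret("vendor-vpn-cert", "vendor-acme", date(2025, 6, 20), date(2025, 6, 25), True, False),
    Secret("ci-deploy-token", "platform", date(2025, 5, 1), date(2025, 7, 1), False, True),
    Secret("legacy-db-pass", "data-eng", date(2025, 1, 10), None, False, True),
    Secret("monitoring-readonly", "sre", date(2025, 5, 10), date(2025, 5, 12), False, True),
]


def audit(secrets, today, policy=POLICY):
    """Return (name, action, reason) findings; action is 'rotate' or 'revoke'.

    Checks are ordered by severity: an inactive owner always means revoke,
    then age against the tier's rotation window, then idle time.
    """
    findings = []
    for s in secrets:
        tier = "privileged" if s.privileged else "standard"
        age = (today - s.created).days
        idle = age if s.last_used is None else (today - s.last_used).days
        max_age = policy["max_age_days"][tier]
        if not s.owner_active:
            findings.append((s.name, "revoke", f"owner {s.owner} no longer active"))
        elif age > max_age:
            findings.append((s.name, "rotate", f"age {age}d exceeds {max_age}d ({tier})"))
        elif idle > policy["unused_days"]:
            findings.append((s.name, "revoke", f"unused for {idle}d"))
    return sorted(findings)


def summary(findings):
    """Count findings per action, e.g. {'revoke': 2, 'rotate': 2}."""
    counts = {}
    for _, action, _ in findings:
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_SECRETS, TODAY)
    for name, action, reason in results:
        print(f"{action:6} {name:20} {reason}")
    print(summary(results))
```

Feeding this from a vault's export on a schedule turns "rotate or revoke before it becomes a reusable attack path" into a measurable backlog; the age and idle thresholds are where the policy lives, and privileged credentials deserve the tighter window because they are the ones that unlock lateral movement.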
Key terms
- Ransomware-as-a-Service: A criminal delivery model where ransomware operators rent tooling, infrastructure, or access to affiliates. This lowers the skill threshold for launching sophisticated attacks and increases campaign volume. In identity terms, it makes every exposed credential or privileged path more valuable because more actors can operationalise it quickly.
- Lateral Movement: The process of moving from one system or account to another after initial access. Attackers use it to find higher-value assets, privileged access, or backup systems. Effective identity governance limits this stage by narrowing privileges, separating trust zones, and reducing credential reuse.
- Privileged Access Management: A control discipline for administering and monitoring high-risk access such as administrator accounts, vendor sessions, and emergency credentials. It reduces standing privilege and improves visibility into who can perform sensitive actions. For ransomware defence, PAM helps stop one compromise from becoming broad system control.
- Double Extortion: A ransomware tactic where attackers both encrypt systems and threaten to publish stolen data if payment is refused. This increases pressure because recovery alone is no longer enough to remove leverage. The identity angle is that exposed accounts can lead to both disruption and data theft.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Imprivata: ransomware risk, business disruption, and access control. Read the original.
Published by the NHIMG editorial team on 2025-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org