TL;DR: Ransomware groups are using lateral movement to turn single footholds into enterprise-wide disruption, with 4,848 publicly posted victims in 2024 and a reported $22 million demand in one pharmaceutical case, according to Elisity and the GRIT Ransomware Report. The control problem is no longer detection alone; it is constraining east-west trust before attackers can traverse the environment.
At a glance
What this is: This is an analysis of how ransomware operators are using lateral movement to expand from one compromised system into broad network-wide encryption and operational disruption.
Why it matters: It matters because IAM, PAM, and segmentation decisions determine whether a single credential or endpoint becomes a contained event or a full enterprise outage.
By the numbers:
- over 4,848 publicly posted victims in 2024 alone
- a ransom demand of $22 million
- 25% of successful ransomware incidents in 2025 involved lateral movement across networks
- breaches involving lateral movement cost organizations an average of $4.88 million globally
👉 Read Elisity's analysis of ransomware lateral movement and critical infrastructure risk
Context
Ransomware has moved beyond endpoint encryption into east-west spread across enterprise environments. The primary security problem is not just initial compromise, but the ability of attackers to reuse trust, move laterally, and reach research, production, and backup systems before defenders can contain them.
That shift matters directly to identity programmes because lateral movement often depends on stolen credentials, remote access tools, and over-broad administrative trust. For IAM and PAM teams, the question is whether identity boundaries actually limit propagation once an attacker gets inside.
In critical infrastructure, the starting position described in the article is not unusual. It reflects a common failure mode where segmentation exists on paper, but identity-linked access still allows uncontrolled traversal across high-value systems.
Key questions
Q: What fails when ransomware can move laterally across a network?
A: What fails first is the assumption that one compromised system can be isolated before the attack spreads. If identity, remote access, and internal trust are too broad, ransomware operators can reuse legitimate paths to reach backups, production systems, and sensitive data. Containment depends on limiting east-west reach, not just detecting the first alert.
Q: Why do stolen credentials make ransomware outbreaks harder to contain?
A: Stolen credentials matter because they turn the attacker into a valid user, which often bypasses basic trust checks. If those credentials belong to privileged users or support staff, the operator can enumerate systems, request access, and move through approved channels. That is why identity lifecycle, MFA resistance, and privilege scoping are central to containment.
Q: How do organisations know if lateral movement controls are actually working?
A: They work when a compromised endpoint cannot reach other critical systems by default. Measure this by reviewing allowed east-west paths, testing whether backups and OT networks are isolated, and simulating attacker movement from a single workstation. If one foothold can still reach many assets, the control is not effective enough.
Q: Who is accountable when ransomware spreads through trusted internal access?
A: Accountability usually spans IAM, PAM, network security, and operational owners because the failure is cross-domain. If remote access is over-permissive, privileged paths are not lifecycle-managed, or segmentation is incomplete, the organisation has governance gaps, not just a malware problem. Frameworks such as NIST SP 800-53 and MITRE ATT&CK help assign those control responsibilities.
Technical breakdown
How ransomware uses lateral movement after initial access
Modern ransomware campaigns rarely stop at the first host. After entry, operators enumerate the network, identify reachable systems, and use legitimate administration paths such as remote desktop, PowerShell remoting, or WMI to move east-west without immediately triggering obvious alarms. This is a trust problem as much as a malware problem: if one account, endpoint, or remote tool can reach too much, the attacker inherits that reach. In identity-heavy environments, the same pattern applies to service accounts and privileged sessions that were not designed for compartmentalised use.
Practical implication: narrow administrative reach so a single compromised identity cannot traverse the environment.
Why remote access tools and stolen credentials accelerate spread
Ransomware crews increasingly combine social engineering with legitimate tools because they blend into normal operations. Help desk resets, purchased credentials, and approved remote support software can all create a believable path from access to control. Once inside, attackers do not need exotic exploits if authentication and authorisation are too permissive. The governance gap is often lifecycle failure, where credentials, support tools, and privileged paths remain usable after their legitimate purpose has ended. That creates a standing trust surface that attackers can exploit quickly.
Practical implication: treat remote support and privileged access as lifecycle-managed identities, not permanent convenience channels.
How microsegmentation changes the ransomware blast radius
Microsegmentation limits which systems can talk to each other, ideally using identity- or workload-based policy rather than broad network zones. That matters because ransomware operators rely on implicit east-west trust to jump from workstation to server, from file share to backup, and from IT into OT. When policy is tied to the workload and the identity of the session, a compromised node has fewer reachable targets. In practice, this shifts containment from post-compromise clean-up to structural prevention. For critical infrastructure, that is the difference between a local incident and a production shutdown.
Practical implication: map east-west paths to explicit policy and block unnecessary reach between crown jewel systems.
Threat narrative
Attacker objective: The attacker wants to maximise operational disruption by turning one foothold into enterprise-wide encryption, backup destruction, and ransom leverage.
- Entry begins with credential theft, social engineering, or exposed remote access, giving the operator a foothold on one internal system.
- Escalation follows when the attacker abuses legitimate tools and over-permissive trust to enumerate systems, harvest additional credentials, and reach adjacent assets.
- Impact occurs when the attacker spreads encryption or destructive actions across production, research, and backup environments, forcing downtime and ransom pressure.
NHI Mgmt Group analysis
Lateral movement is now the control failure that matters most in ransomware defence. The article’s core point is that a single foothold is no longer the event. The event is the attacker’s ability to traverse trusted paths faster than defenders can detect and isolate them. That shifts the governance question from perimeter breach to east-west containment, which sits squarely at the intersection of IAM, PAM, and segmentation. Practitioners should judge their programme by how much compromise can spread, not by how quickly one host can be rebuilt.
Standing trust surfaces create the conditions ransomware groups need. Remote support tools, long-lived credentials, and over-broad administrative rights all make lateral movement easier once access is obtained. This is not just a detection issue. It is a lifecycle and authorisation issue where access remains usable beyond the operational moment it was intended for. For identity teams, the practical conclusion is that every persistent trust edge should be treated as a potential propagation path.
Microsegmentation becomes an identity control when it is tied to workload reach. The article correctly frames segmentation as more than network hygiene. If policy is not bound to identity, session, and workload context, attackers can still reuse allowed paths after compromise. That means the security value comes from reducing who or what can reach critical systems, not from drawing more network boxes. Practitioners should align segmentation with privileged access design, especially in environments where OT, research, and backup systems coexist.
Critical infrastructure ransomware exposes a blast-radius governance gap. Manufacturing, healthcare, and pharmaceutical environments cannot absorb broad outage windows, yet they often still rely on access patterns that presume compromise will remain local. The article shows why that assumption fails. Once lateral movement is available, downtime becomes a governance outcome, not just a malware outcome. Teams should re-evaluate whether recovery plans are compensating for weak propagation controls rather than preventing spread in the first place.
What this signals
Lateral movement should be treated as an identity governance problem, not only a network defence problem. The practical signal for security leaders is that segmentation, remote access, and privileged identity controls now have to be evaluated together. Where these controls are managed separately, ransomware operators can still chain them into a path that bypasses local containment. Teams should align incident playbooks with identity boundaries, not just network zones.
The article also reinforces a broader governance pattern: critical infrastructure environments fail when access is designed for convenience and only later judged against resilience requirements. That creates a blast-radius governance gap, where the organisation measures access success but not spread limitation. Practitioners should expect ransomware resilience reviews to focus more heavily on east-west policy coverage and privileged path reduction.
For identity-led programmes, the next step is to tie privileged access reviews to reachable asset maps and to validate that backups, production, and support channels are not all reachable from the same trust domain. The more those domains overlap, the more likely ransomware can turn one valid login into a full outage.
For practitioners
- Inventory east-west trust paths Map which users, service accounts, support tools, and workloads can reach crown jewel systems, then remove non-essential paths before ransomware operators can reuse them. Prioritise paths into backups, research systems, and production control networks.
- Segment by identity and workload, not just subnet Use policy that restricts communication based on session identity and workload role so a compromised host cannot laterally reach unrelated systems. This is especially important where IT and OT, or office networks and production networks, share infrastructure.
- Harden privileged remote access Treat remote support platforms, admin shells, and help desk reset paths as high-risk access channels. Require step-up authentication, short-lived access, and explicit approval for sensitive actions, and remove dormant or over-broad support entitlements.
- Test containment before the incident test arrives Run exercises that assume one endpoint is already compromised and measure how far the attacker can move in 15, 30, and 60 minutes. Use the results to close the most damaging lateral movement paths first.
Key takeaways
- Ransomware risk in 2025 is defined less by initial compromise than by how far attackers can move once they are inside.
- The scale is material, with thousands of publicly reported victims and multimillion-dollar losses showing that lateral movement drives both disruption and cost.
- Identity scoping, privileged access control, and workload segmentation are the controls that determine whether an intrusion stays local or becomes an enterprise outage.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article centres on credential abuse, lateral spread, and destructive ransomware impact. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access scoping are central to limiting ransomware spread. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow enforcement directly supports microsegmentation and containment. |
| CIS Controls v8 | CIS-12 , Network Infrastructure Management | Network segmentation and infrastructure control are core to ransomware containment. |
| ISO/IEC 27001:2022 | A.8.22 | Segregation of networks is directly relevant to limiting ransomware lateral movement. |
Map ransomware playbooks to these tactics and prioritise controls that block credential reuse and east-west traversal.
Key terms
- Lateral Movement: The phase of an intrusion where an attacker moves from one compromised system to another inside the environment. It usually relies on legitimate authentication paths, remote administration tools, and over-broad trust relationships rather than noisy exploit chains.
- Microsegmentation: A network control approach that limits which systems can communicate with each other at a very granular level. In security practice, it reduces blast radius by enforcing communication policy based on identity, workload, or application need rather than broad network location.
- Blast Radius: The amount of damage an attacker can cause after gaining initial access. In ransomware scenarios, blast radius is measured by how many systems, data stores, and operational environments the attacker can reach before containment takes effect.
- Standing Privilege: Persistent access that remains available even when it is not actively needed. Standing privilege creates a larger trust surface because a compromised credential or account can be reused immediately, often without extra approval or contextual checks.
What's in the full article
Elisity's full blog post covers the operational detail this post intentionally leaves for the source:
- Named examples of lateral movement paths used in recent ransomware campaigns across healthcare, manufacturing, and pharma.
- Practical segmentation patterns for isolating production control systems, research networks, and backup infrastructure.
- Implementation detail on identity-based microsegmentation and how it reduces east-west reach without a full network redesign.
- Control examples showing how to detect and contain compromised remote access tools before they spread.
Deepen your knowledge
NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. It is designed for practitioners who need stronger identity control across modern infrastructure and access programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org