TL;DR: Ransomware has shifted from simple file encryption to industrialized business disruption, with attackers now stealing data, escalating privileges, and timing impact to operational choke points, according to DigiCert. That makes identity, PKI, and resilience planning part of the core defense model, not adjacent controls.
At a glance
What this is: A ransomware analysis showing that modern attacks combine encryption, data theft, privilege escalation, and operational pressure.
Why it matters: IAM, NHI, and PAM teams now have to defend the identity layer and recovery posture as part of ransomware resilience, not just access control.
👉 Read DigiCert's analysis of ransomware, identity, and business continuity
Context
Ransomware is no longer just a malware problem. It is a continuity problem that exploits identity, trust, and operational coupling across cloud, legacy, and third-party systems, which is why IAM and PAM programmes now sit inside the ransomware blast radius.
The article argues that attackers increasingly behave like intelligence teams, establishing persistence, escalating privileges, and mapping dependencies before they encrypt or extort. That shift makes resilience, certificate trust, and access governance part of the same control plane rather than separate security workstreams.
For identity teams, the practical issue is not whether ransomware will encrypt data. It is whether exposed credentials, standing privilege, and weak recovery processes let attackers turn initial access into systemic disruption. That is already the typical pattern, not the exception.
Key questions
Q: How should security teams reduce ransomware impact before encryption starts?
A: Security teams should focus on the authenticated phase, not just the payload. That means reducing standing privilege, tightening MFA coverage, watching for credential harvesting, and flagging unusual internal reconnaissance. If attackers cannot turn initial access into persistence and escalation, they lose the leverage needed to trigger high-impact encryption.
Q: Why do compliant organisations still get hit hard by ransomware?
A: Compliance sets a baseline, but ransomware operators only need one repeatable weakness to create major damage. Gaps in MFA, remote access, third-party trust, or privilege control can remain even in audited environments. The result is a system that passes review but still fails when attackers pursue operational disruption.
Q: What breaks when ransomware targets identity and trust systems?
A: Business continuity breaks first. Once attackers can abuse identities or compromise trust anchors, they can move from access into claims, payments, software updates, or certificate-driven services. That turns a security incident into an operational outage, which is why identity and PKI recovery must be part of the response plan.
Q: Who is accountable when ransomware exposes gaps in identity governance?
A: Accountability sits across security, IAM, infrastructure, and business continuity teams because the failure usually spans access, detection, and recovery. Frameworks such as the NIST Cybersecurity Framework 2.0 help assign ownership across those functions, but the organisation still needs one clear decision path for privilege, trust, and recovery.
Technical breakdown
How ransomware turns identity access into operational leverage
Modern ransomware campaigns often begin with a foothold that is not inherently destructive, such as phished credentials, compromised remote access, or a third-party account. The important change is what happens next: attackers use the access to understand the environment, harvest more credentials, and move toward privileged systems before triggering encryption. That progression makes identity visibility as important as malware detection. Once attackers can authenticate as trusted users or services, they can blend into normal operations and wait for the moment that creates maximum leverage.
Practical implication: reduce standing access and monitor authenticated activity for privilege escalation before encryption begins.
Why compliance controls do not stop ransomware
Compliance frameworks create a minimum baseline, but ransomware operators do not need you to be insecure everywhere. They need one repeatable weakness that works across a sector, such as an MFA gap, overexposed remote access, or brittle third-party trust. Regulatory alignment can coexist with fragile operations when controls are implemented to satisfy audit evidence rather than resist real attack behaviour. In practice, that means an environment can be compliant and still easy to extort.
Practical implication: test whether controls resist attacker workflows, not whether they satisfy a checklist.
Why digital trust and PKI now belong in resilience planning
The article correctly treats certificates, code signing, and software update trust as ransomware targets, not just background infrastructure. If attackers can compromise the mechanisms that establish trust, they can disrupt communications, impersonate systems, or undermine software integrity without immediately encrypting files. PKI therefore becomes part of operational resilience, especially where certificate expiry, manual rotation, or rigid cryptographic systems can cause outages during an incident. Crypto-agility matters because recovery now includes the ability to change trust infrastructure quickly.
Practical implication: include certificate lifecycle, code signing, and crypto-agility in ransomware recovery playbooks.
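As an added illustration of that playbook item (this is example code written for this summary, not DigiCert's or NHI Mgmt Group's tooling), the script below triages a constructed certificate and code-signing inventory the way a recovery lead would: it flags entries that expire inside the recovery window, depend on manual renewal, or use a signature algorithm the post-incident baseline no longer permits, and weights anything that gates a critical workflow. The inventory entries, the allowed-algorithm list, the critical-workflow set, the scoring weights, and the incident start date are all assumptions made for the example.

```python
"""Trust-infrastructure triage for a ransomware recovery playbook.

Added example, not code from DigiCert or NHI Mgmt Group. It ranks a constructed
certificate and code-signing inventory by how likely each entry is to become
an outage source during recovery: expiry inside the recovery window, manual
renewal, or a signature algorithm the recovery baseline no longer permits.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed inventory: names, gated workflows and dates are hypothetical.
INVENTORY = [
    {"name": "claims-api-tls", "not_after": "2026-03-10T00:00:00Z",
     "renewal": "manual", "sig_alg": "sha256WithRSAEncryption",
     "gates": ["claims_processing"]},
    {"name": "update-signing", "not_after": "2027-01-01T00:00:00Z",
     "renewal": "automated", "sig_alg": "sha1WithRSAEncryption",
     "gates": ["software_updates"]},
    {"name": "pharmacy-mtls", "not_after": "2026-09-15T00:00:00Z",
     "renewal": "automated", "sig_alg": "ecdsa-with-SHA256",
     "gates": ["pharmacy_verification"]},
    {"name": "internal-wiki", "not_after": "2026-03-05T00:00:00Z",
     "renewal": "manual", "sig_alg": "sha256WithRSAEncryption",
     "gates": []},
]

# Hypothetical recovery baseline: algorithms a reissued certificate may use.
ALLOWED_SIG_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384"}
# Workflows the business has declared critical (constructed for the example).
CRITICAL_WORKFLOWS = {"claims_processing", "software_updates", "pharmacy_verification"}


@dataclass
class Finding:
    name: str
    days_left: int
    score: int
    reasons: list = field(default_factory=list)


def parse_utc(ts):
    """Parse an RFC 3339 UTC timestamp such as 2026-03-10T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(inventory, now, recovery_window_days=30):
    """Return one Finding per at-risk entry, highest score first.

    The weighting is a constructed example: expiry inside the window scores 3,
    manual renewal 2, a disallowed algorithm 2, and the total is doubled when a
    critical workflow depends on the entry. Entries with no weakness are omitted.
    """
    findings = []
    for cert in inventory:
        days_left = (parse_utc(cert["not_after"]) - now).days
        reasons, score = [], 0
        if days_left <= recovery_window_days:
            reasons.append(f"expires in {days_left} days, inside the "
                           f"{recovery_window_days}-day recovery window")
            score += 3
        if cert["renewal"] == "manual":
            reasons.append("manual renewal: rollover depends on staff being "
                           "available mid-incident")
            score += 2
        if cert["sig_alg"] not in ALLOWED_SIG_ALGS:
            reasons.append(f"{cert['sig_alg']} is outside the baseline: reissue "
                           "needs a key change, not just a renewal")
            score += 2
        critical = CRITICAL_WORKFLOWS.intersection(cert["gates"])
        if critical and score:
            reasons.append("gates critical workflow(s): " + ", ".join(sorted(critical)))
            score *= 2
        if score:
            findings.append(Finding(cert["name"], days_left, score, reasons))
    return sorted(findings, key=lambda f: (-f.score, f.days_left, f.name))


# Constructed incident start used as the reference point for expiry maths.
INCIDENT_START = parse_utc("2026-02-27T00:00:00Z")

if __name__ == "__main__":
    for f in triage(INVENTORY, INCIDENT_START):
        print(f"{f.score:>3}  {f.name:<16} ({f.days_left} days left)")
        for r in f.reasons:
            print(f"       - {r}")
```

Run against the constructed inventory, the claims API certificate ranks first because it is both near expiry and manually renewed while gating a critical workflow; the SHA-1 update-signing key ranks below an uncritical wiki certificate only because the example weights expiry more heavily than algorithm debt, which is exactly the kind of weighting a team should set deliberately rather than discover mid-incident.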
Threat narrative
Attacker objective: The attacker aims to maximize leverage by disrupting operations, exfiltrating data, and forcing the organisation into payment or prolonged recovery.
- Entry typically begins through compromised credentials, phishing, or third-party access that gives attackers a legitimate foothold inside the environment.
- Escalation follows as attackers establish persistence, harvest more credentials, and map internal dependencies so they can reach higher-value systems.
- Impact arrives when encryption, data theft, and operational pressure are timed to business choke points, turning the incident into a continuity crisis.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Azure Key Vault privilege escalation exposure: a Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Ransomware has become an identity problem as much as a malware problem. The article shows that attackers now depend on authenticated access, privilege escalation, and internal knowledge before they disrupt operations. That means the most useful control questions are no longer limited to malware prevention but to who and what can authenticate into the environment, and under what conditions. Practitioners should treat identity telemetry as ransomware telemetry.
Compliance-based security failed to contain the attack pattern described here. The article makes the same point we see repeatedly: passing an audit does not stop an attacker who only needs one stable path through identity, remote access, or third-party trust. Ransomware thrives where controls are implemented for assurance rather than operational resistance. The implication is straightforward: governance must test attack paths, not just control presence.
Digital trust is now part of ransomware blast-radius management. Certificates, code signing, and update trust are no longer background functions because attackers can weaponize them to damage resilience even without immediately encrypting files. That broadens the governance scope for IAM, PAM, and security architecture teams. Practitioners need to think of trust infrastructure as a production dependency that can fail under extortion pressure.
Operational dependency is the real multiplier in modern ransomware. The article’s healthcare example shows how one compromise can cascade across claims, pharmacies, verification systems, and service partners. That is why resilience planning has to include dependency mapping across identity systems and critical workflows, not just server recovery. If the organisation cannot trace which identities gate which processes, it cannot contain blast radius.
Certificate lifecycle discipline is a resilience control, not a housekeeping task. Manual renewal, rigid crypto dependencies, and poor update trust management create failure points that ransomware operators can exploit during crisis conditions. This is where NHI governance, PKI operations, and business continuity converge. Practitioners should treat lifecycle control over trust infrastructure as part of ransomware preparedness.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs.
- For a deeper view of lifecycle control, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that limit identity-driven blast radius.
What this signals
Operational resilience now depends on identity visibility as much as on endpoint detection. When attackers can dwell inside authenticated systems before encrypting anything, the programme gap is usually not antivirus coverage but control over who can move, what they can reach, and how quickly abuse is detected. The NIST Cybersecurity Framework 2.0 is a useful organising lens for that cross-functional response.
Blast-radius control is becoming the decisive ransomware metric. If a team cannot map which identities gate claims, certificate services, software updates, or third-party workflows, it cannot predict how far an intrusion will spread. That is why dependency mapping belongs alongside incident response planning, not after it.
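The dependency mapping described above, as an added example that is not part of the DigiCert article or NHI Mgmt Group's own tooling: a small identity-to-system-to-workflow graph, constructed to echo the healthcare cascade the article describes, with a function that computes which workflows a single compromised identity can reach and one that shows which standing-access edge to remove first. Every identity, system, workflow and edge in it is hypothetical.

```python
"""Identity-to-workflow dependency map with blast-radius computation.

Added example, not code from DigiCert or NHI Mgmt Group. An edge A -> B means
that an attacker holding A can reach B; workflows are the leaf nodes the
business actually cares about. All names and edges are constructed.
"""
from collections import defaultdict, deque

# Constructed dependency edges (hypothetical identities, systems and workflows).
EDGES = [
    ("svc-claims-etl", "claims-db"),
    ("claims-db", "claims_processing"),
    ("svc-claims-etl", "shared-vault"),          # standing access to a shared vault
    ("shared-vault", "pharmacy-signing-key"),
    ("pharmacy-signing-key", "pharmacy_verification"),
    ("shared-vault", "update-signing-key"),
    ("update-signing-key", "software_updates"),
    ("alice-admin", "domain-controller"),
    ("domain-controller", "shared-vault"),
    ("domain-controller", "claims-db"),
    ("bob-analyst", "reporting-db"),
    ("reporting-db", "internal_reporting"),
]
WORKFLOWS = {"claims_processing", "pharmacy_verification",
             "software_updates", "internal_reporting"}
IDENTITIES = ["svc-claims-etl", "alice-admin", "bob-analyst"]


def build_graph(edges):
    """Adjacency sets keyed by source node."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def reachable(graph, start):
    """Breadth-first set of every node reachable from start (start excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(graph, identity):
    """Sorted workflows an attacker holding `identity` can reach."""
    return sorted(reachable(graph, identity) & WORKFLOWS)


def rank_identities(graph, identities):
    """Identities ordered by blast radius, largest first (name breaks ties)."""
    return sorted(identities, key=lambda i: (-len(blast_radius(graph, i)), i))


def with_edge_removed(edges, edge):
    """Graph rebuilt without one edge, e.g. after revoking a standing grant."""
    return build_graph([e for e in edges if e != edge])


def privilege_cuts(edges, identity):
    """For each direct grant of `identity`, how many workflows revoking it removes.

    Returned largest reduction first, so the top entry is the standing access
    to cut before an incident, not during one.
    """
    graph = build_graph(edges)
    baseline = len(blast_radius(graph, identity))
    cuts = []
    for target in sorted(graph.get(identity, ())):
        reduced = with_edge_removed(edges, (identity, target))
        cuts.append((target, baseline - len(blast_radius(reduced, identity))))
    return sorted(cuts, key=lambda c: (-c[1], c[0]))


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for ident in rank_identities(GRAPH, IDENTITIES):
        print(f"{ident:<16} -> {', '.join(blast_radius(GRAPH, ident))}")
    print("cuts for svc-claims-etl:", privilege_cuts(EDGES, "svc-claims-etl"))
```

On the constructed graph the claims ETL service identity reaches three business workflows although its job touches only one, purely because it holds standing access to a shared vault; `privilege_cuts` shows that revoking that one grant shrinks its blast radius to the claims workflow alone. The same traversal works on an exported IAM or PAM inventory once it is expressed as edges.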
The most mature programmes will treat trust infrastructure as a recoverable asset, not a static backend service. That means rehearsing certificate rollover, code-signing recovery, and privilege containment in the same way teams already rehearse data restoration.
For practitioners
- Harden privileged access paths: Remove avoidable standing privilege from remote access, admin accounts, and service identities that could be abused once attackers gain a foothold. Prioritise MFA coverage for every externally reachable identity path and monitor for privilege escalation after initial authentication.
- Map operational dependencies by identity: Identify which human, NHI, and service identities gate claims, payments, pharmacy, certificate, and software update workflows. Use that map to rank recovery priorities so the highest-risk dependencies are visible before an incident becomes a business interruption.
- Include certificate and code-signing recovery in ransomware plans: Test certificate renewal, code-signing trust, and crypto-agility procedures under incident conditions so a ransomware event does not become a trust outage. Recovery playbooks should show how to rotate, reissue, and validate trust anchors without waiting for manual escalation.
- Instrument for pre-encryption behaviour: Build detection rules for persistence, credential harvesting, and internal reconnaissance rather than waiting for encryption alerts. The most valuable warning often appears in the authenticated phase, when attackers are still moving quietly and the damage is not yet visible.
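The last item above, and the earlier point about monitoring authenticated activity before encryption begins, as an added example (written for this summary, not taken from DigiCert or NHI Mgmt Group): three detection rules for the authenticated phase, internal reconnaissance, privilege escalation and credential harvesting, evaluated over a per-principal sliding window of audit events, with an alert raised only when two or more fire together. The JSON-lines audit feed, the field names, the thresholds, the window length and the privileged-group list are all constructed for the example and would be replaced by the organisation's own schema and baselines.

```python
"""Pre-encryption behaviour detection over constructed audit events.

Added example, not code from DigiCert or NHI Mgmt Group. It runs three rules
(internal reconnaissance, privilege escalation, credential harvesting) over a
per-principal sliding window and alerts when two or more trip together, which
is the authenticated phase the article says to watch.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines audit feed; principals, hosts, groups and secrets are hypothetical.
SAMPLE_LOG = """
{"ts": "2026-02-27T09:00:10Z", "principal": "alice", "event": "login", "src": "vpn-gw"}
{"ts": "2026-02-27T09:03:00Z", "principal": "alice", "event": "host_access", "host": "fs-01"}
{"ts": "2026-02-27T09:04:00Z", "principal": "alice", "event": "host_access", "host": "fs-02"}
{"ts": "2026-02-27T09:05:30Z", "principal": "alice", "event": "host_access", "host": "app-01"}
{"ts": "2026-02-27T09:07:00Z", "principal": "alice", "event": "host_access", "host": "db-01"}
{"ts": "2026-02-27T09:09:00Z", "principal": "alice", "event": "host_access", "host": "backup-01"}
{"ts": "2026-02-27T09:12:00Z", "principal": "alice", "event": "group_add", "group": "Domain Admins"}
{"ts": "2026-02-27T09:15:00Z", "principal": "alice", "event": "secret_read", "secret": "db-prod"}
{"ts": "2026-02-27T09:16:00Z", "principal": "alice", "event": "secret_read", "secret": "backup-key"}
{"ts": "2026-02-27T09:17:00Z", "principal": "alice", "event": "secret_read", "secret": "vpn-ca"}
{"ts": "2026-02-27T09:30:00Z", "principal": "bob", "event": "login", "src": "office-lan"}
{"ts": "2026-02-27T09:31:00Z", "principal": "bob", "event": "host_access", "host": "fs-01"}
{"ts": "2026-02-27T09:45:00Z", "principal": "bob", "event": "secret_read", "secret": "reporting-db"}
{"ts": "2026-02-27T09:50:00Z", "principal": "bob", "event": "host_access", "host": "app-01"}
"""

# Constructed thresholds; tune against the environment's own baseline.
WINDOW = timedelta(minutes=30)
RECON_HOST_THRESHOLD = 5      # distinct hosts touched inside the window
HARVEST_SECRET_THRESHOLD = 3  # distinct secrets read inside the window
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "vault-admins"}


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def rules_in_window(window):
    """Evaluate the three rules over the events currently in one principal's window."""
    hosts = {e["host"] for e in window if e["event"] == "host_access"}
    secrets = {e["secret"] for e in window if e["event"] == "secret_read"}
    escalated = any(e["event"] == "group_add" and e["group"] in PRIVILEGED_GROUPS
                    for e in window)
    hits = set()
    if len(hosts) >= RECON_HOST_THRESHOLD:
        hits.add("internal_reconnaissance")
    if len(secrets) >= HARVEST_SECRET_THRESHOLD:
        hits.add("credential_harvesting")
    if escalated:
        hits.add("privilege_escalation")
    return hits


def detect(events, min_rules=2):
    """Map principal -> (first alert timestamp, sorted rules seen) when >= min_rules co-occur."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    alerts = {}
    for principal, evs in by_principal.items():
        window, first_ts, seen = deque(), None, set()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > WINDOW:   # slide the window forward
                window.popleft()
            hits = rules_in_window(window)
            if len(hits) >= min_rules:
                first_ts = first_ts or e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
                seen |= hits
        if first_ts:
            alerts[principal] = (first_ts, sorted(seen))
    return alerts


if __name__ == "__main__":
    for principal, (ts, rules) in detect(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {ts} {principal}: {', '.join(rules)}")
```

On the constructed feed the alert for `alice` fires at the group change, twelve minutes after login and before any secret is read, because reconnaissance plus escalation already exceeds the two-rule threshold; the later secret reads are added to the alert rather than starting a new one. `bob` touches the same hosts and vault but never crosses a threshold, which is the point of requiring rules to co-occur inside one window: single signals are noisy, the chain is not.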
Key takeaways
- Modern ransomware is a continuity threat that uses identity abuse, privilege escalation, and trust compromise to create maximum business pressure.
- The article’s evidence shows that a single breach can trigger multi-billion-dollar losses, supply-chain disruption, and delayed care at national scale.
- Teams reduce impact by controlling privileged access, instrumenting pre-encryption behaviour, and including PKI recovery in ransomware response plans.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Ransomware here depends on weak privilege control and exposed access paths. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and lifecycle control reduce the abuse window for exposed identities. |
| NIST Zero Trust (SP 800-207) | SC-7 | The article emphasises blast-radius reduction across interconnected systems. |
Treat NHI lifecycle discipline as an anti-ransomware control and verify rotation coverage routinely.
Key terms
- Ransomware resilience: The ability to keep critical operations running while an extortion campaign is active or recover quickly after impact. It combines detection, containment, identity control, recovery planning, and trust infrastructure readiness so the business can absorb disruption without losing continuity.
- Digital trust: The mechanisms that let systems and users verify that software, communications, and machine-to-machine interactions are authentic. In practice, this includes certificates, code signing, and related PKI controls that ransomware can target to undermine confidence in operations.
- Blast radius: The amount of damage an attacker can cause after gaining access. In ransomware cases, blast radius is shaped by privilege, trust dependencies, recovery readiness, and how tightly business-critical systems are connected to shared identity and certificate infrastructure.
- Crypto-agility: The ability to change cryptographic methods, certificates, or trust anchors quickly without breaking production services. This matters in ransomware recovery because rigid cryptographic systems can become an outage source when organisations need to reissue, rotate, or modernise trust under pressure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: Ransomware: From Rising Threat to Business Crisis. Read the original.
Published by the NHIMG editorial team on 2026-02-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org