TL;DR: Average ransomware payments have increased by 450% since 2019, and Chainalysis says attacks in 2021 were still on pace to extort hundreds of millions of dollars while threat actors diversified infrastructure and targeting. The governance problem is no longer only intrusion prevention, but containment, payment decisioning, and identity-driven recovery controls.
At a glance
What this is: This is Chainalysis’s mid-year ransomware update, and its key finding is that ransomware payments and attack volume kept rising sharply through 2021.
Why it matters: It matters to IAM and PAM teams because ransomware recovery increasingly depends on privileged access containment, credential hygiene, and the speed at which identities can be isolated after compromise.
By the numbers:
- Average ransomware payments have increased by 450% since 2019.
- Ransomware attacks have yet to be curbed in 2021, with cybercriminals on pace to extort hundreds of millions of dollars from organisations.
- Ransomware was the biggest cybercrime story of 2020, with victim payments more than quadrupling over the previous year’s totals.
👉 Read Chainalysis’s mid-year ransomware report for 2021 activity and trend analysis
Context
Ransomware is a business model built around access, privilege, and pressure. The article’s core message is that payment volumes were rising faster than many organisations’ ability to prevent intrusions, contain lateral movement, and recover cleanly from identity compromise.
For IAM, PAM, and NHI programmes, the issue is not just malware on endpoints. Ransomware operators routinely exploit stolen credentials, over-permissioned service accounts, and delayed revocation to move from initial access to business disruption, which makes this a governance problem as much as a malware problem.
Key questions
Q: What breaks when ransomware actors can use legitimate privileged accounts?
A: When attackers can operate through legitimate privileged accounts, detection gets harder and containment slows down. Logs may look like normal administration, backups may be reachable, and the attacker can move laterally without noisy malware artefacts. The practical failure is not encryption alone, but the organisation’s inability to distinguish recovery access from attacker-controlled access.
Q: Why do privileged identities make ransomware incidents harder to contain?
A: Privileged identities expand what an attacker can reach after the first foothold. If service accounts, remote admin sessions, or support accounts are over-permissioned, the adversary can disable controls, reach backups, and increase pressure before defenders regain control. Containment depends on how quickly those identities can be isolated and rotated.
Q: What do security teams get wrong about ransomware recovery?
A: Many teams assume recovery is mainly a backup problem. In practice, recovery fails when the same identities used for daily operations also protect backup consoles, cloud admin tools, and support channels. If those credentials are compromised, restoring systems can become part of the attacker’s leverage rather than the defence.
Q: Who is accountable when ransomware payment decisions are made?
A: Accountability should sit with a defined incident governance process that includes security, legal, executive leadership, and operational owners. The decision is not only financial. It also reflects whether identity controls, backup isolation, and recovery readiness were sufficient to avoid reaching a negotiation stage in the first place.
Technical breakdown
How ransomware monetisation changes attacker behaviour
Ransomware groups optimise for conversion, not just encryption. Once they obtain access, they often spend time on discovery, credential harvesting, and privilege escalation so they can maximize the blast radius before triggering payloads or negotiation pressure. That is why payment trends often track with identity weakness, not only patching gaps. The article also points to third-party ransomware infrastructure and nation-state-aligned actors, which means the ecosystem is becoming more specialised and harder to disrupt with a single defensive control.
Practical implication: pair endpoint controls with credential monitoring and privilege containment so an initial foothold cannot become enterprise-wide leverage.
Third-party infrastructure and the ransomware supply chain
Ransomware is increasingly enabled by an ecosystem of brokers, infrastructure providers, affiliates, and negotiators. This modular model lowers the barrier to entry for less skilled operators and spreads operational risk across multiple participants. In practice, that means a single intrusion can be scaled through shared tooling, repeated playbooks, and reused access paths. For defenders, the relevant question becomes where identity and access controls can sever that reuse, especially across remote access, admin tooling, and cloud-connected recovery systems.
Practical implication: reduce shared access paths and review third-party privileged connections as if they were part of your attack surface.
Why identity controls shape ransomware recovery
Ransomware recovery depends on whether organisations can quickly distinguish normal administrative access from attacker-controlled privilege. If service accounts, break-glass credentials, or remote admin sessions remain active after compromise, the attacker can preserve persistence even when malware is removed. This is where identity governance intersects with resilience: the speed of revocation, reset, and reauthorisation directly affects downtime and negotiation pressure. A strong backup strategy still fails if attackers can reach it through the same credentials used for day-to-day operations.
Practical implication: pre-stage privilege revocation and recovery access paths so restoration does not rely on the same identities that may already be compromised.
Threat narrative
Attacker objective: The attacker aims to extract payment by denying access, threatening data exposure, and forcing the organisation into a costly recovery decision.
- Entry often begins with stolen credentials, phishing, or exposed remote access that gives the attacker a foothold inside the environment.
- Escalation follows through discovery, privilege abuse, and credential harvesting so the actor can reach backups, admin tools, or multiple business systems.
- Impact comes from encryption, exfiltration, and extortion pressure designed to force payment and disrupt restoration.
- The attacker objective is to convert stolen or abused access into operational paralysis and ransom leverage.
NHI Mgmt Group analysis
Ransomware is now an identity governance problem, not just a malware problem. The article’s numbers point to a threat economy that rewards stolen credentials, excessive privilege, and slow recovery. Once attackers can operate as legitimate users or admins, traditional perimeter assumptions collapse and the cost of delay rises quickly. Practitioners should treat privileged identity control as part of ransomware resilience, not a separate IAM programme.
Payment growth reflects control failure windows, not only attack sophistication. The 450% increase in average payments since 2019 suggests more organisations are reaching a negotiation stage that should have been prevented or shortened. That exposes gaps in detection, revocation, and recovery readiness. The practical conclusion is that containment speed matters as much as initial prevention.
Third-party ransomware infrastructure creates reuse risk across the access lifecycle. When criminals operate through shared services and affiliates, defenders face repeated patterns of credential reuse, remote access abuse, and recovery system targeting. That makes identity lifecycle management across vendors, contractors, and admin pathways a core resilience issue. Teams should assume that every standing admin relationship can become an extortion path.
Privilege boundaries determine whether ransomware becomes a contained incident or a business event. Service accounts, backup operators, and recovery consoles often sit outside routine review cycles, yet they are exactly what attackers target after entry. In identity terms, the failure mode is persistent privilege with weak segregation between production and recovery. Organisations should design recovery so it is usable under pressure without being reachable through the same access paths attackers compromise.
Extortion economics are shaping the ransomware market faster than defensive maturity is changing it. The article signals a mature criminal ecosystem that adapts to new controls by changing infrastructure, targeting, and negotiation tactics. That means governance must be continuous, especially around privileged access, backup isolation, and offboarding. Practitioners should expect attackers to keep exploiting organisational seams rather than technical novelty.
What this signals
Ransomware programmes increasingly succeed where identity governance is weakest, so resilience planning now has to include privileged access reduction, backup isolation, and fast revocation. The organisations that treat these as recovery controls rather than IAM hygiene will contain incidents faster.
Credential exposure window: the time between compromise and effective revocation is becoming the operational metric that matters. If attackers can keep using legitimate access longer than defenders can invalidate it, the recovery conversation has already shifted in the attacker’s favour.
The practical signal for teams is whether recovery workflows still depend on the same privileged accounts that production uses. If they do, ransomware can turn your restoration path into another access path, which is exactly the governance failure attackers exploit.
For practitioners
- Audit privileged access paths used for recovery Map every admin, backup, and remote support account that can restore systems or disable protections. Remove unnecessary standing access and separate recovery credentials from daily administration paths.
- Shorten credential exposure windows Rotate high-risk secrets, API keys, and administrative credentials on a fixed schedule and after any suspicious access event. Prioritise accounts that can reach backup systems or identity infrastructure.
- Isolate backup and restoration identities Keep restoration accounts in a separate trust domain where possible, with distinct logging and approval paths. Verify that ransomware in production cannot automatically reach backup or recovery services.
- Harden remote access and third-party links Review vendor, contractor, and support channels that provide privileged access into critical systems. Require strong authentication, explicit time-bounded access, and rapid termination when work is complete.
- Test revocation during live recovery scenarios Run exercises that simulate compromised admin access and measure how quickly teams can revoke access, reset credentials, and restore services without using the same identities under suspicion.
Key takeaways
- Ransomware severity is increasingly determined by identity exposure, privilege depth, and revocation speed rather than malware alone.
- The article’s 450% payment growth figure shows that too many organisations still reach the extortion stage with usable attacker access intact.
- The control most likely to reduce impact is not just better backup, but isolated recovery identity, tighter privilege boundaries, and faster credential invalidation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article describes credential-driven ransomware progression and extortion impact. |
| NIST CSF 2.0 | PR.AC-1 | Identity and access control are central to preventing ransomware spread. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege directly reduces the blast radius of compromised accounts. |
| CIS Controls v8 | CIS-5 , Account Management | Account management is a direct control area for compromised admin and support identities. |
| NIST AI RMF | MANAGE | Ransomware response depends on managing operational risk and recovery dependencies. |
Map ransomware detections to credential access, lateral movement, and impact stages to close the most common abuse paths.
Key terms
- Ransomware: Ransomware is malicious software or an extortion campaign that denies access to systems or data and demands payment for restoration or non-disclosure. Modern operations often combine encryption with theft, credential abuse, and business pressure, making the incident as much about governance and recovery as technical containment.
- Privileged Access: Privileged access is elevated permission that allows a user, service, or system to administer, configure, or bypass normal controls. In ransomware scenarios, it is the shortest path from a foothold to encryption, backup compromise, or broader operational disruption, so it must be tightly scoped and continuously reviewed.
- Recovery Identity: A recovery identity is an account, service principal, or operational credential used to restore systems, re-enable services, or administer recovery tooling. It should be treated as high-risk because attackers often target it after initial access, and if it shares trust with production identities, restoration can become part of the attack path.
What's in the full report
Chainalysis's full report covers the operational detail this post intentionally leaves for the source:
- Original 2021 ransomware activity data with trend breakdowns that help security teams benchmark the scale of the problem.
- Discussion of third-party ransomware infrastructure providers and how the ecosystem is evolving operationally.
- Analysis of attacks from nation-state-aligned threat actors and what that means for response planning.
- Recommendations for attacking the ransomware problem head-on, beyond the strategic framing covered here.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It helps practitioners connect identity controls to the resilience requirements that incident recovery depends on.
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org