By NHI Mgmt Group Editorial TeamPublished 2026-01-27Domain: Governance & RiskSource: Zero Networks

TL;DR: Ransomware attacks now cost organisations an average of $5.08 million, median dwell time is six days, and nearly half of attacks are surfaced by the adversary before defenders detect them, according to Zero Networks and cited research. The operational lesson is clear: prevention depends on containing identity misuse and lateral movement, not just improving detection.


At a glance

What this is: This is a 2026 ransomware guidance piece arguing that modern ransomware defense must focus on containment, identity-based access controls, and limiting lateral movement rather than relying on EDR alone.

Why it matters: It matters to IAM, PAM, NHI, and security architecture teams because ransomware increasingly abuses legitimate identities and privileged access paths that identity programmes are supposed to control.

By the numbers:

👉 Read Zero Networks' guide to ransomware protection in 2026


Context

Ransomware protection has become an identity and containment problem as much as a malware problem. Once attackers hold valid credentials or can abuse trusted admin paths, perimeter defenses matter less than how quickly the environment prevents that access from becoming lateral movement, privilege abuse, and business disruption.

The article argues that EDR-heavy approaches are insufficient because attackers increasingly hide inside normal tooling, use legitimate remote access paths, and exploit long-lived privilege. For IAM and PAM teams, the practical question is not whether compromise is possible. It is whether identity controls and segmentation can stop that compromise from turning into operational leverage.


Key questions

Q: What breaks when ransomware attackers can use legitimate admin tools inside the network?

A: When attackers can use legitimate admin tools, detection becomes much harder because the activity looks like ordinary administration. That usually means remote access, file transfer, and scripting paths were not tightly scoped. Security teams should assume these tools are part of the attack surface, not just the operations stack.

Q: Why do standing privileges make ransomware much harder to contain?

A: Standing privileges let a compromised identity keep moving after the initial foothold. If access remains valid across many systems, the attacker can pivot, discover, and disrupt without needing fresh compromise. The safest posture is to make high-risk access temporary, explicit, and narrowly scoped.

Q: How do security teams know whether ransomware containment is actually working?

A: Containment is working when one compromised identity cannot reach backups, directory services, or multiple business-critical zones without additional approval. The best signal is not fewer alerts, but a smaller reachable blast radius and shorter attacker movement paths after initial access.

Q: Who is accountable when ransomware spreads through privileged internal access?

A: Accountability usually sits across IAM, PAM, network security, and platform teams because the failure spans identity scope and network trust. Organisations should assign clear ownership for privilege boundaries, segmentation policy, and credential lifecycle so one weak control does not become everyone’s blind spot.


Technical breakdown

Why living-off-the-land ransomware defeats detection-first security

Living-off-the-land, or LOTL, ransomware uses native tools such as PsExec, SSH, RDP, and WinRM to blend into expected administrative activity. That matters because the attacker is not always bringing new malware to the endpoint. Instead, they are reusing the tools already trusted inside the environment, which reduces the signal available to EDR and extends dwell time. The real technical problem is trust in normal admin behaviour. When remote management, file transfer, and scripting tools are broadly permitted, the security stack sees routine use rather than hostile movement.

Practical implication: treat administrative tooling as a controlled pathway, not a default trust zone.

How identity abuse turns valid access into ransomware leverage

Ransomware actors often begin with stolen credentials, then escalate by using those identities exactly as legitimate users would. That is why standing privilege is so dangerous. If service accounts, admin roles, or shared credentials remain valid for long periods, the attacker can move without triggering the kinds of controls built for obvious malware execution. Identity-based access controls work when access is context-bound, time-bound, and explicitly authorised. They fail when privilege is assumed to be safe simply because it is valid.

Practical implication: remove persistent privilege from the identity layer before attackers can reuse it as an internal transport mechanism.

Why segmentation and just-in-time access limit ransomware impact

Microsegmentation and just-in-time access reduce the blast radius of a ransomware event by making internal movement harder to sustain. The architecture principle is simple: critical assets should not trust east-west traffic by default, and privileged access should exist only for the duration of a defined task. This does not stop initial compromise, but it changes the economics of the attack. Instead of one stolen credential becoming environment-wide leverage, the attacker is forced into narrow, explicit pathways that are easier to contain and investigate.

Practical implication: align segmentation, JIT, and identity policy so lateral movement becomes a contained exception instead of a normal path.


Threat narrative

Attacker objective: The attacker aims to turn initial access into operational disruption, ransom leverage, and data theft while staying inside trusted administrative behaviour for as long as possible.

  1. Entry typically begins with stolen credentials, exposed services, or unpatched vulnerabilities that let the attacker use legitimate access rather than noisy malware.
  2. Escalation follows when the attacker abuses native tools and trusted identities to move laterally, enumerate systems, and extend control without standing out.
  3. Impact arrives when the operator encrypts systems, steals data, and disrupts operations to increase extortion pressure and recovery cost.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity containment is now the primary ransomware control plane: Ransomware succeeds when valid identity paths remain broad enough to support lateral movement after initial access. That makes identity policy, segmentation, and privilege scoping part of the same control surface, not separate disciplines. If identity can still reach everything, ransomware can still spread.

Standing privilege is the failure mode ransomware operators count on: The article’s examples show that attackers need only one usable credential or admin path to begin chaining access into impact. Long-lived service accounts, persistent admin roles, and permissive internal protocols give attackers the same reach as trusted operators. The implication is that privilege persistence, not just malware, is what must be constrained.

Blast radius control is the named concept that matters here: Ransomware defence is no longer about preventing every intrusion, it is about limiting how much of the environment an intrusion can touch. Microsegmentation, explicit east-west policy, and task-scoped privilege are all blast-radius controls. Practitioners should measure how far a single identity can move before containment intervenes.

Identity and network teams still treat access and traffic as separate problems, and ransomware exploits that split: The article shows attackers using both valid credentials and native network tools, which means one layer alone cannot reliably stop them. Zero Trust only works here when the trust decision is enforced at the identity, protocol, and workload layers together.

AI now amplifies the speed and adaptability of ransomware operations, but not the underlying governance gap: The article’s AI examples show acceleration in phishing, password cracking, and malware generation. The deeper issue is unchanged: organisations still assume they can review, detect, and respond before privilege becomes abuse. Practitioners need to reframe resilience around constrained trust, not faster reaction.

From our research:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly identity remediation can trail compromise, according to Ultimate Guide to NHIs.
  • For a broader breach pattern view, the The 52 NHI breaches Report shows how compromised non-human identities repeatedly create the access paths ransomware crews exploit.

What this signals

Blast-radius control: ransomware resilience is increasingly measured by how much of the environment a single credential can still reach. If service accounts, admin tools, and backup systems remain mutually reachable, the organisation has not contained the identity layer, even if detection tooling is strong.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the operational assumption behind many ransomware playbooks is already broken. Identity remediation has to move faster than attack chaining, and that means tighter lifecycle control over access paths and credentials.

The practical programme shift is toward explicit trust boundaries at the identity layer, not just better alerting. Pair Zero Trust policy with the NHI Lifecycle Management Guide and the NIST Cybersecurity Framework 2.0 so containment, privilege, and recovery ownership are all measurable.


For practitioners

  • Map the paths ransomware can already trust Inventory which service accounts, admin roles, and remote management tools can still reach critical systems without additional approval. Prioritise paths that combine standing privilege with broad east-west access.
  • Restrict native admin tooling by use case Limit PsExec, SSH, RDP, WinRM, and similar tools to approved maintenance workflows and isolate them from general user networks. If the tool is needed, make the context explicit and temporary.
  • Apply task-scoped privilege to high-risk identities Replace persistent admin access with just-in-time access and revoke it automatically after the task ends. Focus first on identities that can change system state, disable security controls, or access backup infrastructure.
  • Segment recovery-critical assets from routine administrative traffic Separate backup systems, domain controllers, and core application tiers from normal workstation-to-server pathways. A ransomware crew should not be able to pivot from a single compromised endpoint into recovery infrastructure.

Key takeaways

  • Ransomware now exploits trusted identity paths as much as malware delivery, which makes IAM and PAM core resilience controls.
  • The article’s evidence shows that native tools, standing privilege, and delayed detection combine to give attackers time to pivot and extort.
  • Organisations reduce impact when they shrink blast radius, bound admin reach, and make privileged access temporary by design.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centres on credential exposure, standing privilege, and lifecycle gaps.
NIST CSF 2.0PR.AC-4The guide focuses on limiting internal access paths and privilege scope.
NIST SP 800-53 Rev 5AC-6Least privilege is the direct control family behind the article's access containment advice.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , ImpactThe article describes credential abuse, internal pivoting, and destructive ransomware outcomes.
NIST Zero Trust (SP 800-207)The post argues for explicit trust boundaries and continuous verification inside the network.

Map ransomware containment to PR.AC-4 and verify that access is explicitly authorised by context.


Key terms

  • Living-off-the-land ransomware: Ransomware that relies on legitimate administrative tools and trusted protocols already present in the environment. It is harder to spot because the attacker behaves like an operator, not an obvious malware process. The security failure is excessive trust in normal tools and internal admin paths.
  • Blast radius: The amount of environment an attacker can affect after gaining an initial foothold. In ransomware defence, blast radius is reduced by segmentation, scoped privilege, and isolated recovery systems. The smaller the blast radius, the less opportunity the attacker has to turn compromise into business disruption.
  • Standing privilege: Persistent access that remains available beyond the immediate task or business need. For ransomware defence, standing privilege gives attackers durable internal reach if an identity is compromised. The operational problem is not just access existing, but access surviving long enough to be abused.
  • Identity containment: The practice of preventing a compromised identity from becoming environment-wide leverage. It combines least privilege, just-in-time access, segmentation, and explicit trust boundaries. In modern ransomware defence, identity containment is what stops one valid credential from becoming broad operational disruption.

What's in the full article

Zero Networks' full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step containment patterns for ransomware, including how the vendor frames identity-aligned microsegmentation.
  • Implementation detail for locking down admin and service accounts without relying on detection-first response.
  • Examples of how deterministic policy automation is positioned for dynamic environments.
  • The article’s own breakdown of ransomware trends, case studies, and product-oriented containment guidance.

👉 Zero Networks' full post covers ransomware trends, native-tool abuse, and containment tactics in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM, PAM, or identity governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org