By NHI Mgmt Group Editorial Team
Published 2025-07-02
Domain: Governance & Risk
Source: Imprivata

TL;DR: Ransomware can cost U.S. organisations more than $40 billion, with median payments rising from $200,000 in early 2023 to $1.5 million by July 2024, according to Imprivata. The real lesson is that identity controls, especially MFA, least privilege, and privileged access containment, are now central to ransomware resilience.


At a glance

What this is: This is an Imprivata analysis of ransomware risk that argues identity and access controls are essential to reducing disruption, lateral movement, and extortion impact.

Why it matters: It matters because ransomware response is no longer just a backup and recovery problem; it is an IAM, PAM, and access governance problem across human, NHI, and third-party identities.

By the numbers:

  • More than $40 billion in potential ransomware cost to U.S. organisations, according to Imprivata.
  • Median ransom payment up from $200,000 in early 2023 to $1.5 million by July 2024.

👉 Read Imprivata's analysis of ransomware, identity controls, and business disruption


Context

Ransomware is not only malware that encrypts files. It is a business interruption mechanism that turns identity compromise, access sprawl, and weak privilege boundaries into financial pressure. In practice, the first question is rarely whether systems can be restored, but whether attackers can move laterally far enough to make disruption expensive.

For identity teams, the article sits squarely in the overlap of IAM, PAM, and NHI governance. The source argues that even a single compromised credential can create a chain of access that reaches critical systems, which is why access hardening has become a ransomware control, not just an admin convenience.


Key questions

Q: What breaks when ransomware operators can reuse one compromised identity across multiple systems?

A: Containment breaks first. A single reusable identity lets attackers move from entry to privilege escalation without triggering obvious anomalies, especially when access is broad or persistent. That is why ransomware resilience depends on eliminating standing privilege, shortening session scope, and ensuring compromised credentials cannot reach backups, admin planes, and vendor-connected systems.

Q: Why do service accounts and vendor access increase ransomware risk?

A: Service accounts and vendor identities often have broad, persistent, and poorly reviewed access, which makes them ideal for lateral movement after initial compromise. If those accounts are not tightly scoped, monitored, and offboarded, attackers can use trusted paths to reach critical systems and amplify disruption far beyond the first infected machine.

Q: How do organisations know whether ransomware identity controls are actually working?

A: Look for reduced privilege breadth, shorter-lived elevated sessions, and faster revocation when suspicious activity appears. If a compromised identity can still reach backups, security tooling, or production management systems, the controls are not working. Effective programmes can demonstrate that access is constrained before attackers can convert it into business interruption.

Q: Who is accountable when ransomware spreads through privileged access gaps?

A: Accountability sits with the teams that own identity governance, privileged access, and third-party access oversight, not only with incident response. If the programme allows standing privilege, unmanaged vendor access, or weak session control, the failure is structural. Frameworks such as NIST CSF, together with the organisation's PAM governance policy, should be used to assign clear ownership for each of those controls.


Technical breakdown

How ransomware turns one credential into enterprise-wide disruption

Modern ransomware campaigns often start with a single credential: a phished password, a stolen token, or an exposed third-party account. Once inside, attackers do not need to deploy encryption immediately. They map reachable systems, locate privileged sessions, and abuse weak segmentation to expand access. The damage comes from the combination of data theft, service interruption, and negotiation leverage. Double extortion strengthens the pressure because encryption is only one part of the threat. The article’s examples show that ransomware now behaves like an identity-enabled business disruption event, not only a malware incident.

Practical implication: treat credential exposure and privilege reachability as ransomware indicators, not just incident-response details.
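The reachability question above (how far one compromised credential can travel) can be answered mechanically from an access inventory. The following Python is an added example, not code from the Imprivata article or from NHI Mgmt Group: it walks a small constructed access graph from one compromised identity, harvesting whatever credentials are cached on each host it can reach, reports which critical systems end up in range and by which chain, and then checks which single cached credential, if removed, would cut every path. The identity names, host names, the ACCESS/CACHED/CRITICAL model, and the sample data are all assumptions made for illustration.

```python
"""Identity blast-radius check over a constructed access graph.

Added example, not code from the Imprivata article or from NHI Mgmt Group.
The graph model is an assumption made for illustration:
  * ACCESS   - identity -> hosts it can log in to (standing access)
  * CACHED   - host -> credentials an attacker could harvest there
               (cached hashes, tokens, stored service-account secrets)
  * CRITICAL - hosts whose compromise turns an intrusion into a ransomware
               event (backups, domain controllers, hypervisors)
"""
from collections import deque

# Constructed inventory (sample data, not real systems).
ACCESS = {
    "alice":       {"ws-17"},
    "helpdesk":    {"ws-17", "ws-22", "file-01"},
    "svc-backup":  {"file-01", "backup-01"},
    "vendor-mspx": {"vpn-gw", "hypervisor-01"},
    "domadmin":    {"dc-01", "backup-01", "hypervisor-01"},
}

CACHED = {
    "ws-17":   {"helpdesk"},    # helpdesk RDP session left credentials behind
    "file-01": {"svc-backup"},  # backup agent runs under a service account
    "vpn-gw":  {"domadmin"},    # a domain admin logged in on the vendor gateway
}

CRITICAL = {"backup-01", "dc-01", "hypervisor-01"}


def blast_radius(start, access=ACCESS, cached=CACHED):
    """Breadth-first walk from one compromised identity.

    An attacker holding `start` logs in everywhere `start` can, harvests
    whatever credentials are cached on those hosts, and repeats.  Returns
    (identities controlled, hosts reachable, path_to) where path_to maps each
    host to the chain of (identity, host) hops that first reached it.
    """
    identities = {start}
    hosts = set()
    path_to = {}
    queue = deque([(start, ())])
    while queue:
        ident, trail = queue.popleft()
        for host in sorted(access.get(ident, ())):
            hop = trail + ((ident, host),)
            if host not in hosts:
                hosts.add(host)
                path_to[host] = hop
            for harvested in sorted(cached.get(host, ())):
                if harvested not in identities:
                    identities.add(harvested)
                    queue.append((harvested, hop))
    return identities, hosts, path_to


def critical_exposure(start, critical=CRITICAL, access=ACCESS, cached=CACHED):
    """Critical hosts reachable from `start`, each with the path that got there."""
    _, hosts, path_to = blast_radius(start, access, cached)
    return {h: path_to[h] for h in sorted(hosts & critical)}


def containment_candidates(start, critical=CRITICAL, access=ACCESS, cached=CACHED):
    """Single cached credentials whose removal (rotating it, or no longer leaving
    it on that host) would cut every path from `start` to a critical host.
    An empty list with non-empty exposure means the access grant itself must go."""
    if not critical_exposure(start, critical, access, cached):
        return []
    chokepoints = []
    for host, creds in cached.items():
        for ident in creds:
            trimmed = {h: (c - {ident} if h == host else set(c)) for h, c in cached.items()}
            if not critical_exposure(start, critical, access, trimmed):
                chokepoints.append((host, ident))
    return sorted(chokepoints)


def report(start):
    """Human-readable summary for one starting credential."""
    lines = [f"compromised identity: {start}"]
    for host, path in critical_exposure(start).items():
        chain = " -> ".join(f"{i}@{h}" for i, h in path)
        lines.append(f"  reaches {host}: {chain}")
    fixes = containment_candidates(start)
    lines.append("  chokepoints: " + (", ".join(f"{i} on {h}" for h, i in fixes)
                                      or "none (remove the standing grant itself)"))
    return "\n".join(lines)


if __name__ == "__main__":
    for who in ("alice", "vendor-mspx"):
        print(report(who))
```

Two outcomes in the sample data are worth noting. From the low-privilege user alice, the backup server is reachable only through credentials left behind on a workstation and a file server, so either rotating the helpdesk credential or keeping the backup service account off the file server cuts the path. From the vendor account, a critical host is reachable directly through standing access, and no credential-hygiene fix helps: the grant itself has to be removed or made task-scoped, which is the point the section above makes about containing what a compromised identity can do.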

Why least privilege and PAM matter after initial access

The article correctly points to least privilege and privileged access management because ransomware operators often need only a short path from initial foothold to high-value systems. Standing privilege, broad admin roles, and weak session controls let attackers escalate quietly and persist longer. PAM is not only about restricting administrators; it is about containing what a compromised identity can do once it is active. For NHI environments, the same logic applies to service accounts, API keys, and vendor access that can be reused or chained into wider movement.

Practical implication: reduce blast radius by removing standing privilege and tightening privileged session controls before an intrusion becomes a ransomware event.

Why vendor and third-party access widens ransomware exposure

Third-party access is a recurring weak point in ransomware cases because external identities often sit outside normal review cycles and may retain access after the operational need has changed. The source’s mention of vendor privileged access reflects a real control gap: attackers frequently exploit trusted paths rather than attacking core infrastructure directly. Zero Trust controls, credential obfuscation (so the external user never handles the underlying secret), and session monitoring are relevant because they reduce trust in the access path itself. This is especially important when the access path belongs to a supplier, contractor, or managed service relationship.

Practical implication: bring third-party access into the same governance, monitoring, and offboarding discipline as internal privileged access.


Threat narrative

Attacker objective: The attacker aims to maximize disruption and extortion leverage by making business operations, data recovery, and incident response more costly than paying the ransom.

  1. Entry occurs when attackers gain access through compromised credentials, phishing, or another trusted access path that bypasses perimeter defenses.
  2. Escalation follows as they move laterally, locate privileged systems, and use broader access to reach backups, file servers, and operational systems.
  3. Impact arrives when encryption, exfiltration, and service disruption combine to force downtime, ransom pressure, and expensive recovery work.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Ransomware is now an identity attack on business continuity. The article shows that encryption is only the visible endpoint of a much earlier access problem. Once an attacker can use a compromised identity to move laterally, the business is paying for privilege design failures, not just malware removal. Practitioners should therefore judge ransomware resilience by how quickly identity paths are contained.

Standing privilege remains the control failure ransomware operators rely on. The article’s emphasis on least privilege and PAM reflects a familiar pattern: once a compromised account can reach too much, recovery costs rise sharply. That is not a tooling problem alone; it is a governance problem about what access is allowed to persist. The practical conclusion is that standing privilege should be treated as attack surface to be removed, not as a normal operating state.

Third-party access without tight lifecycle control creates a hidden ransomware corridor. Vendor privileged access can become the easiest route from trust to disruption when offboarding, monitoring, and session oversight are weak. This is especially true where supplier access is broader than internal admin access and less frequently reviewed. The implication is that third-party governance must be folded into ransomware readiness, not handled as a separate procurement issue.

Identity controls change the economics of ransomware faster than backups alone. Backups matter, but they do not stop attacker movement, extortion pressure, or the operational damage that occurs before recovery begins. The article’s real signal is that MFA, least privilege, and PAM reduce the attacker’s ability to turn one compromised credential into enterprise-wide leverage. Practitioners should reframe identity hardening as a ransomware cost-control measure.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • That same governance pattern is why ransomware readiness should be paired with lifecycle control, as outlined in the NHI Lifecycle Management Guide.

What this signals

Identity blast radius: the useful metric is no longer just whether attackers got in, but how far a compromised credential can travel before it is contained. That is why ransomware strategy now belongs in IAM and PAM roadmaps, not only in backup architecture reviews.

With 45% of organisations citing lack of credential rotation as the top cause of NHI-related attacks, per The State of Non-Human Identity Security, the control pattern that matters is lifecycle discipline, not just incident response maturity.

Ransomware readiness increasingly depends on whether privileged access can be revoked and reviewed fast enough to matter. Teams that still treat vendor access, service accounts, and admin sessions as separate governance problems are leaving the same corridor open in three different forms.


For practitioners

  • Constrain blast radius for every privileged identity: Review which human, service, and vendor accounts can reach backups, domain tools, finance systems, and operational apps. Remove broad standing access and require task-scoped elevation where possible.
  • Harden third-party access paths: Put supplier and contractor accounts under the same access review, session monitoring, and offboarding discipline as internal admin access. Eliminate legacy vendor accounts that still have network reach.
  • Treat MFA and passwordless as ransomware controls: Prioritize phishing-resistant authentication for accounts that can move laterally or administer recovery systems. A compromised password should not be enough to start an incident chain.
  • Rehearse containment before encryption spreads: Test whether identity teams can revoke access, disable privileged sessions, and isolate management planes before ransomware operators complete lateral movement.
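The first three checks above can be run as a single audit over an identity inventory. The Python below is an added example, not code from the Imprivata article or from NHI Mgmt Group: it evaluates each enabled account for standing privilege on critical systems, non-phishing-resistant MFA on accounts that can administer those systems, vendor accounts whose engagement has ended or that have gone unused, and secrets past a rotation limit. The Account fields, the thresholds (90 days for rotation, 45 days for vendor inactivity), the critical-system names, the pinned date, and the sample accounts are all assumptions for illustration; a real inventory would be exported from the directory, PAM vault, and vendor-access broker.

```python
"""Audit of a constructed identity inventory against the practitioner checks above.

Added example, not from the Imprivata article or from NHI Mgmt Group.  The
account fields, thresholds and sample data are assumptions for illustration;
in practice the inventory would come from the directory, PAM vault and
vendor-access broker.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

CRITICAL = {"backups", "domain-admin", "hypervisor", "edr-console", "finance"}
MAX_SECRET_AGE = 90        # days before a secret counts as unrotated (assumed limit)
STALE_DAYS = 45            # vendor account unused this long is a removal candidate (assumed)
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass
class Account:
    name: str
    kind: str                                       # "human" | "service" | "vendor"
    reaches: Set[str] = field(default_factory=set)  # critical systems it can administer
    standing: bool = False                          # permissions held permanently, no JIT elevation
    mfa: str = "none"                               # "none" | "otp" | "fido2" | "piv"
    secret_age_days: int = 0                        # days since password / key / token rotation
    last_used_days: int = 0
    contract_end: Optional[date] = None             # vendors only
    enabled: bool = True


def audit(accounts, today):
    """Return (account, check, detail) findings for every enabled account."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        crit = ", ".join(sorted(a.reaches & CRITICAL))
        # Check 1: standing privilege on systems that matter to ransomware impact.
        if crit and a.standing:
            findings.append((a.name, "standing-privilege",
                             f"permanent access to {crit}; require task-scoped elevation"))
        # Check 3: interactive accounts that can administer critical systems need
        # phishing-resistant MFA; service accounts are handled by secret rotation below.
        if crit and a.kind != "service" and a.mfa not in PHISHING_RESISTANT:
            findings.append((a.name, "weak-mfa",
                             f"{a.mfa} on an account that can administer {crit}; "
                             "a phished password is enough to start the chain"))
        # Check 2: third-party lifecycle, offboarding first, then inactivity.
        if a.kind == "vendor":
            if a.contract_end is not None and a.contract_end < today:
                findings.append((a.name, "vendor-not-offboarded",
                                 f"engagement ended {a.contract_end.isoformat()} "
                                 "but the account is still enabled"))
            elif a.last_used_days > STALE_DAYS:
                findings.append((a.name, "vendor-stale",
                                 f"unused for {a.last_used_days} days; confirm the need or disable"))
        # Secret hygiene applies to every account kind.
        if a.secret_age_days > MAX_SECRET_AGE:
            findings.append((a.name, "unrotated-secret",
                             f"secret is {a.secret_age_days} days old (limit {MAX_SECRET_AGE})"))
    return findings


def by_check(findings):
    """Count findings per check, for a one-line programme metric."""
    counts = {}
    for _, check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


# Constructed sample inventory; `today` is pinned so the run is reproducible.
TODAY = date(2025, 7, 2)
INVENTORY = [
    Account("alice", "human", {"finance"}, mfa="otp"),
    Account("domadmin", "human", {"domain-admin", "backups"}, standing=True,
            mfa="fido2", secret_age_days=30),
    Account("svc-backup", "service", {"backups"}, standing=True, secret_age_days=400),
    Account("vendor-mspx", "vendor", {"hypervisor"}, standing=True, mfa="otp",
            last_used_days=60, contract_end=date(2025, 3, 31)),
    Account("vendor-hvac", "vendor", last_used_days=120, contract_end=date(2026, 1, 1)),
    Account("bob", "human"),
    Account("old-contractor", "vendor", {"finance"}, enabled=False,
            contract_end=date(2024, 1, 1)),
]


if __name__ == "__main__":
    results = audit(INVENTORY, TODAY)
    for name, check, detail in results:
        print(f"{name:<15} {check:<22} {detail}")
    print(by_check(results))
```

The ordering of the vendor checks is deliberate: an account whose engagement has already ended is reported as an offboarding failure rather than as merely stale, because the fix (disable it) is different from the fix for an active but idle account (confirm the need, then shorten or remove the grant). Disabled accounts are skipped so the output measures live exposure, which is the blast-radius figure the fourth check (containment rehearsal) should be trying to shrink.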

Key takeaways

  • Ransomware succeeds when identity paths are broad enough for attackers to turn one credential into lateral movement and extortion leverage.
  • The figures in the article show ransomware costs escalating sharply: median payments rose from $200,000 in early 2023 to $1.5 million by July 2024, on top of business losses from downtime and recovery.
  • The most direct way to limit impact is to remove standing privilege, control third-party access, and make privileged sessions easy to contain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference                      | Relevance
---------------------------------|------------------------------------------|--------------------------------------------------------------------------
NIST CSF 2.0                     | PR.AA-05 (least privilege, access review) | Ransomware spread is enabled by excessive or unmanaged access rights.
OWASP Non-Human Identity Top 10  | NHI-03                                   | Third-party NHIs with weak secret hygiene and rotation let initial access be reused.
NIST Zero Trust (SP 800-207)     | Section 2.1 tenets (per-session access, dynamic authorization) | Zero Trust is relevant because trust in the access path enables lateral movement.

Apply Zero Trust to privileged and vendor access so each session is continuously revalidated.


Key terms

  • Ransomware: Ransomware is malicious software or an attack campaign that blocks access to systems or data and then pressures the victim for payment. In modern incidents, encryption is often combined with theft, disruption, and coercion so the attacker can increase leverage before recovery is possible.
  • Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. In ransomware scenarios, it expands the damage of a single compromised credential because the attacker can immediately reuse broad permissions for lateral movement, backup interference, or administrative takeover.
  • Privileged Access Management: Privileged Access Management is the governance and control layer for high-risk access such as administrator, vendor, and emergency accounts. It limits who can use elevated access, when they can use it, and what can be done in the session, reducing the blast radius of compromise.
  • Vendor Privileged Access: Vendor privileged access is elevated access granted to third parties for support, maintenance, or managed services. It must be treated as a lifecycle-controlled identity because it can become a direct route into production systems if oversight, session monitoring, and offboarding are weak.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Protect your organization and stop ransomware attacks before they disrupt your business. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org