TL;DR: Ransomware groups are using lateral movement to turn single footholds into enterprise-wide disruption, with 4,848 publicly posted victims in 2024 and a reported $22 million demand in one pharmaceutical case, according to Elisity and the GRIT Ransomware Report. The control problem is no longer detection alone; it is constraining east-west trust before attackers can traverse the environment.
NHIMG editorial — based on content published by Elisity: The Hidden Highway on ransomware lateral movement and critical infrastructure risk
By the numbers:
- over 4,848 publicly posted victims in 2024 alone
- a ransom demand of $22 million
- 25% of successful ransomware incidents in 2025 involved lateral movement across networks
Questions worth separating out
Q: What fails when ransomware can move laterally across a network?
A: What fails first is the assumption that one compromised system can be isolated before the attack spreads.
Q: Why do stolen credentials make ransomware outbreaks harder to contain?
A: Stolen credentials matter because they turn the attacker into a valid user, which often bypasses basic trust checks.
Q: How do organisations know if lateral movement controls are actually working?
A: They work when a compromised endpoint cannot reach other critical systems by default.
Practitioner guidance
- Inventory east-west trust paths Map which users, service accounts, support tools, and workloads can reach crown jewel systems, then remove non-essential paths before ransomware operators can reuse them.
- Segment by identity and workload, not just subnet Use policy that restricts communication based on session identity and workload role so a compromised host cannot laterally reach unrelated systems.
- Harden privileged remote access Treat remote support platforms, admin shells, and help desk reset paths as high-risk access channels.
What's in the full article
Elisity's full blog post covers the operational detail this post intentionally leaves for the source:
- Named examples of lateral movement paths used in recent ransomware campaigns across healthcare, manufacturing, and pharma.
- Practical segmentation patterns for isolating production control systems, research networks, and backup infrastructure.
- Implementation detail on identity-based microsegmentation and how it reduces east-west reach without a full network redesign.
- Control examples showing how to detect and contain compromised remote access tools before they spread.
👉 Read Elisity's analysis of ransomware lateral movement and critical infrastructure risk →
Lateral movement in ransomware: what security teams need to stop now?
Explore further
Lateral movement is now the control failure that matters most in ransomware defence. The article’s core point is that a single foothold is no longer the event. The event is the attacker’s ability to traverse trusted paths faster than defenders can detect and isolate them. That shifts the governance question from perimeter breach to east-west containment, which sits squarely at the intersection of IAM, PAM, and segmentation. Practitioners should judge their programme by how much compromise can spread, not by how quickly one host can be rebuilt.
A question worth separating out:
Q: Who is accountable when ransomware spreads through trusted internal access?
A: Accountability usually spans IAM, PAM, network security, and operational owners because the failure is cross-domain. If remote access is over-permissive, privileged paths are not lifecycle-managed, or segmentation is incomplete, the organisation has governance gaps, not just a malware problem. Frameworks such as NIST SP 800-53 and MITRE ATT&CK help assign those control responsibilities.
👉 Read our full editorial: Ransomware lateral movement is the real critical infrastructure risk