Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Lateral movement in ransomware: what security teams need to stop now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Ransomware groups are using lateral movement to turn single footholds into enterprise-wide disruption, with 4,848 publicly posted victims in 2024 and a reported $22 million demand in one pharmaceutical case, according to Elisity and the GRIT Ransomware Report. The control problem is no longer detection alone; it is constraining east-west trust before attackers can traverse the environment.

NHIMG editorial — based on content published by Elisity: The Hidden Highway on ransomware lateral movement and critical infrastructure risk

By the numbers:

Questions worth separating out

Q: What fails when ransomware can move laterally across a network?

A: What fails first is the assumption that one compromised system can be isolated before the attack spreads.

Q: Why do stolen credentials make ransomware outbreaks harder to contain?

A: Stolen credentials matter because they turn the attacker into a valid user, which often bypasses basic trust checks.

Q: How do organisations know if lateral movement controls are actually working?

A: They work when a compromised endpoint cannot reach other critical systems by default.

Practitioner guidance

  • Inventory east-west trust paths Map which users, service accounts, support tools, and workloads can reach crown jewel systems, then remove non-essential paths before ransomware operators can reuse them.
  • Segment by identity and workload, not just subnet Use policy that restricts communication based on session identity and workload role so a compromised host cannot laterally reach unrelated systems.
  • Harden privileged remote access Treat remote support platforms, admin shells, and help desk reset paths as high-risk access channels.

What's in the full article

Elisity's full blog post covers the operational detail this post intentionally leaves for the source:

  • Named examples of lateral movement paths used in recent ransomware campaigns across healthcare, manufacturing, and pharma.
  • Practical segmentation patterns for isolating production control systems, research networks, and backup infrastructure.
  • Implementation detail on identity-based microsegmentation and how it reduces east-west reach without a full network redesign.
  • Control examples showing how to detect and contain compromised remote access tools before they spread.

👉 Read Elisity's analysis of ransomware lateral movement and critical infrastructure risk →

Lateral movement in ransomware: what security teams need to stop now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Lateral movement is now the control failure that matters most in ransomware defence. The article’s core point is that a single foothold is no longer the event. The event is the attacker’s ability to traverse trusted paths faster than defenders can detect and isolate them. That shifts the governance question from perimeter breach to east-west containment, which sits squarely at the intersection of IAM, PAM, and segmentation. Practitioners should judge their programme by how much compromise can spread, not by how quickly one host can be rebuilt.

A question worth separating out:

Q: Who is accountable when ransomware spreads through trusted internal access?

A: Accountability usually spans IAM, PAM, network security, and operational owners because the failure is cross-domain. If remote access is over-permissive, privileged paths are not lifecycle-managed, or segmentation is incomplete, the organisation has governance gaps, not just a malware problem. Frameworks such as NIST SP 800-53 and MITRE ATT&CK help assign those control responsibilities.

👉 Read our full editorial: Ransomware lateral movement is the real critical infrastructure risk



   
ReplyQuote
Share: