TL;DR: Black Basta, Akira, and LockBit all depend on lateral movement to turn one compromised endpoint into enterprise-wide disruption, with IBM reporting a $4.88 million average breach cost and 292 days to identify and contain credential theft cases. The defensive question is no longer detection at the perimeter, but whether identity, segmentation, and privileged access controls can stop east-west spread before critical systems are reached.
NHIMG editorial — based on content published by Elisity: How to Stop Lateral Movement in Black Basta, Akira, and LockBit Ransomware Attacks
By the numbers:
- According to IBM's 2024 Cost of a Data Breach Report, the average cost of a data breach reached $4.88 million globally, with breaches involving stolen credentials taking 292 days to identify and contain.
- Security leaders at organizations with 3,000+ connected devices face a sobering reality: 70% of organizations experience significant business disruption from breaches, and attackers leveraging lateral movement now appear in over 70% of successful ransomware campaigns.
Questions worth separating out
Q: What breaks when ransomware can move laterally after one endpoint is compromised?
A: Containment breaks, because one compromised identity can reach the systems that keep the business running.
Q: Why do standing privileged accounts increase lateral movement risk?
A: Standing privilege gives attackers reusable access paths once they capture credentials or a remote session.
Q: How do security teams know whether segmentation is actually limiting ransomware spread?
A: Test whether a compromised workstation can reach high-value assets without an approved jump host or management network.
Practitioner guidance
- Map east-west privilege pathways Identify which identities can reach domain controllers, backup systems, virtualization management, and OT or IoMT segments, then remove unnecessary pathways and document the approved administrative routes.
- Restrict administrative protocols to jump hosts Allow RDP, SMB, WMI, PsExec, and remote management tools only from controlled administration networks, and alert on any use outside those pathways.
- Convert standing admin rights to JIT elevation Replace persistent privileged accounts with time-bound elevation, phishing-resistant MFA, and approval logging for high-risk actions so stolen credentials have less utility during an active intrusion.
What's in the full article
Elisity's full analysis covers the operational detail this post intentionally leaves for the source:
- Protocol-by-protocol guidance for controlling RDP, SMB, WMI, PsExec, and remote access tools across administrative pathways
- A 90-day implementation roadmap for segmentation, privileged access, and detection across large device estates
- Sector-specific containment considerations for healthcare, manufacturing, and industrial environments
- Practical examples of how identity-based microsegmentation maps to ransomware blast-radius reduction
👉 Read Elisity's analysis of how to stop ransomware lateral movement →
Lateral movement in ransomware attacks: are your controls keeping up?
Explore further
Lateral movement is the control failure that decides whether ransomware is a nuisance or a shutdown event. Black Basta, Akira, and LockBit all depend on internal reach after initial access because enterprise trust models still assume that authenticated traffic inside the network is lower risk than external traffic. That assumption no longer holds in flat or weakly segmented environments. Practitioners should treat east-west containment as a primary security objective, not a secondary detection problem.
A few things that frame the scale:
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to the 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: Who is accountable when ransomware spreads through internal trust relationships?
A: Accountability sits across IAM, PAM, network engineering, and platform owners, because the failure is cross-domain. NIST SP 800-53 Rev 5 and the NIST Cybersecurity Framework both require access control and protective architecture that reduce blast radius, while operational teams must prove those controls are enforced.
👉 Read our full editorial: Lateral movement in ransomware is the real blast-radius problem