TL;DR: Ransomware still causes lockouts, financial loss, and operational disruption, and Netwrix frames the problem as an identity and access failure from initial access through lateral movement and payload deployment, with real-world case studies showing where organisations commonly break down. The lesson is clear: attack paths exploit permission debt, not just malware.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams reduce ransomware risk through identity controls?
A: Start by mapping which credentials, service accounts, and admin roles can provide the first foothold, then which of those identities can be used to expand into lateral movement.
Q: Why do non-human identities matter so much in ransomware incidents?
A: Non-human identities often hold the permissions attackers need to enumerate systems, reach data stores, and trigger automation at scale.
Practitioner guidance
- Map ransomware entry paths to identity controls: trace how attackers could enter through exposed credentials, weak remote access, or unmanaged service accounts, then identify which control in that authentication path would give way first under a real attack.
- Reduce standing privilege in admin and service accounts: remove persistent access where tasks do not require it, and segment administrative roles so that one compromised identity cannot reach backup, security, and endpoint management systems at the same time.
- Inventory identities that can move laterally: list accounts, tokens, and service identities with cross-system reach, then review whether they can enumerate shares, reset credentials, or invoke remote tooling beyond their business purpose.
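The three guidance items above amount to an audit over an identity inventory. The script below is an added example written for this post, not code from Netwrix or from the webinar: it runs the checks over a small constructed inventory (the identity names, the tier labels "backup", "security-tooling" and "endpoint-mgmt", the capability names, and the 90-day rotation threshold are all assumptions chosen for illustration) and ranks the identities by how many findings they accumulate, so a team can see which one to fix first.

```python
"""Audit a constructed identity inventory for the ransomware-relevant conditions
described above: one identity that reaches backup, security and endpoint-management
tooling together; lateral-movement rights beyond an account's business purpose;
non-human credentials that have not been rotated; and persistent admin rights.
All data and names below are constructed for the example; nothing queries a
live directory."""
from dataclasses import dataclass, field

# Control planes an attacker wants in a single identity: reaching two or more lets
# one compromise delete backups, blind detection and push the payload. (assumed labels)
RECOVERY_AND_CONTROL_TIERS = {"backup", "security-tooling", "endpoint-mgmt"}

# Rights that turn a foothold into propagation. (assumed labels)
LATERAL_CAPABILITIES = {"enumerate_shares", "reset_credentials", "remote_exec"}


@dataclass
class Identity:
    name: str
    kind: str                                       # "human", "service" or "token"
    reaches: set = field(default_factory=set)       # systems the identity can administer
    capabilities: set = field(default_factory=set)  # effective rights from entitlement review
    purpose: set = field(default_factory=set)       # rights the owner says the job needs
    days_since_rotation: int = 0
    standing_admin: bool = False                    # persistent admin, not just-in-time elevation


def blast_radius_violations(identities, tiers=RECOVERY_AND_CONTROL_TIERS):
    """Identities that can reach two or more of the recovery/control tiers."""
    return [i.name for i in identities if len(i.reaches & tiers) >= 2]


def capability_overreach(identities):
    """Identity -> lateral-movement rights it holds but its stated purpose does not need."""
    out = {}
    for i in identities:
        excess = (i.capabilities & LATERAL_CAPABILITIES) - i.purpose
        if excess:
            out[i.name] = sorted(excess)
    return out


def stale_non_human(identities, max_age_days=90):
    """Service accounts and tokens whose secret is older than the rotation window."""
    return [i.name for i in identities
            if i.kind != "human" and i.days_since_rotation > max_age_days]


def standing_privilege(identities):
    """Identities holding admin rights permanently rather than on demand."""
    return [i.name for i in identities if i.standing_admin]


def audit(identities, max_age_days=90):
    return {
        "reaches_multiple_control_tiers": blast_radius_violations(identities),
        "lateral_rights_beyond_purpose": capability_overreach(identities),
        "unrotated_non_human": stale_non_human(identities, max_age_days),
        "standing_admin": standing_privilege(identities),
    }


def prioritize(report):
    """Rank identities by number of findings, most exposed first (ties by name)."""
    counts = {}
    for names in report.values():          # lists and dict keys both iterate names
        for name in names:
            counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed inventory for the example; in practice this comes from a directory,
# secrets-manager and entitlement export.
SAMPLE_INVENTORY = [
    Identity("svc-backup-agent", "service", reaches={"backup", "fileshares"},
             capabilities={"enumerate_shares", "remote_exec"}, purpose={"enumerate_shares"},
             days_since_rotation=400, standing_admin=True),
    Identity("svc-edr-deploy", "service", reaches={"security-tooling", "endpoint-mgmt"},
             capabilities={"remote_exec"}, purpose={"remote_exec"},
             days_since_rotation=30, standing_admin=True),
    Identity("ci-deploy-token", "token", reaches={"ci"},
             capabilities={"remote_exec"}, purpose={"remote_exec"}, days_since_rotation=200),
    Identity("alice.admin", "human", reaches={"endpoint-mgmt"},
             capabilities={"reset_credentials", "remote_exec"}, purpose={"remote_exec"},
             days_since_rotation=20),
    Identity("helpdesk-bot", "service", reaches={"identity"},
             capabilities={"reset_credentials"}, purpose={"reset_credentials"},
             days_since_rotation=10),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for finding, names in report.items():
        print(f"{finding}: {names}")
    print("fix first:", prioritize(report))
```

On the constructed data the service account that can both enumerate shares and execute remotely, holds standing admin and has not been rotated in over a year ranks first; the EDR deployment account ranks second because it alone reaches two control tiers, which is exactly the segmentation failure the second guidance item warns about.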
What to expect at the briefing
Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:
- The attack walkthrough from initial access to payload deployment, including the sequence used by real-world ransomware crews
- Speaker-led examples of where organisations commonly fail during lateral movement and access expansion
- The case study material showing how attackers think when they target identity, recovery, and security tooling
- The on-demand format if you need to brief your team without waiting for a live session
👉 Watch Netwrix's on-demand webinar on ransomware tactics and entry points →
Ransomware entry points and lateral movement: what IAM teams miss?
Explore further
Ransomware is an identity event before it is a malware event. The webinar’s attack-chain framing is correct because ransomware operators succeed by turning legitimate access into propagation, not by relying on payload strength alone. That means identity design, privilege scope, and recovery isolation are as decisive as endpoint protection. Practitioners should treat ransomware readiness as a test of access architecture.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: What should teams do immediately after discovering ransomware access?
A: Contain the identity path before focusing on payload cleanup. Disable exposed credentials, revoke active sessions, isolate privileged accounts, and protect backup and security-tool access so the attacker cannot continue moving or block recovery. The urgent goal is to stop further use of legitimate access.
👉 Read our full editorial: Ransomware attack paths expose identity gaps in access and movement