TL;DR: Ransomware was projected to cost U.S. organisations more than $40 billion in 2024, with the median ransom payment rising from $200,000 in early 2023 to $1.5 million by July 2024, according to Imprivata. The real lesson is that identity controls, especially MFA, least privilege, and privileged access containment, are now central to ransomware resilience.
NHIMG editorial — based on content published by Imprivata: Protect your organization and stop ransomware attacks before they disrupt your business
By the numbers:
- In 2024, ransomware attacks were projected to cause over $40 billion in losses for U.S. organisations.
- In early 2023, the median ransomware payment was $200,000; by July 2024 it had jumped to $1.5 million.
- MGM Resorts reported that its September 2023 cyberattack would cost the company over $100 million.
Questions worth separating out
Q: What breaks when ransomware operators can reuse one compromised identity across multiple systems?
A: Containment breaks first. Once one credential is accepted by many systems, the operator no longer needs to phish, crack, or escalate again: the blast radius is whatever that identity can reach, and the response team has to find and revoke every session and token it holds rather than isolate a single host.
Q: Why do service accounts and vendor access increase ransomware risk?
A: Service accounts and vendor identities often have broad, persistent, and poorly reviewed access, which makes them ideal for lateral movement after initial compromise.
Q: How do organisations know whether ransomware identity controls are actually working?
A: Look for measurable outcomes rather than control inventories: reduced privilege breadth (fewer accounts that can reach backups, domain tools, and finance systems), shorter-lived elevated sessions, and faster revocation, measured as the time from a suspicious-activity alert to the account being disabled or its sessions killed.
Practitioner guidance
- Constrain blast radius for every privileged identity: review which human, service, and vendor accounts can reach backups, domain tools, finance systems, and operational apps.
- Harden third-party access paths: put supplier and contractor accounts under the same access review, session monitoring, and offboarding discipline as internal admin access.
- Treat MFA and passwordless as ransomware controls: prioritize phishing-resistant authentication for accounts that can move laterally or administer recovery systems.
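As an added example (not code from the Imprivata article or from this editorial), the script below turns the three signals in the Q&A above and the three guidance items into a repeatable check an IAM team could run against an exported identity inventory and a session/alert log. It ranks accounts by how much of the backup, domain, finance, and operational estate they can reach, flags accounts that can reach recovery tooling without phishing-resistant MFA, standing admin rights, and unreviewed service or vendor accounts, and computes elevated-session lifetime and alert-to-revocation latency. The inventory schema, the system tier names, the MFA labels, the 90-day review window, and every account and event record are assumptions constructed for illustration.

```python
"""Identity-centric ransomware resilience check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Assumed tiers: CRITICAL systems can destroy or bypass recovery, SENSITIVE ones hurt the business.
CRITICAL = {"backups", "domain_tools"}
SENSITIVE = {"finance", "ops_apps"}
# Assumed set of authenticators the programme accepts as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                        # "human", "service" or "vendor"
    reach: frozenset                 # systems the account can administer or write to
    mfa: Optional[str]               # None, "otp", "push", "fido2", "piv"
    last_review: Optional[datetime]  # last completed access review, None if never
    standing_admin: bool             # permanent admin rights instead of just-in-time elevation


def blast_radius(acct: Account) -> int:
    """Ranking score only: critical systems count double."""
    return 2 * len(acct.reach & CRITICAL) + len(acct.reach & SENSITIVE)


def rank_by_blast_radius(accounts):
    return sorted(accounts, key=blast_radius, reverse=True)


def review(accounts, now, review_window=timedelta(days=90)):
    """Return (account, reason) findings for the gaps the guidance above calls out."""
    out = []
    for a in accounts:
        if a.reach & CRITICAL and a.mfa not in PHISHING_RESISTANT:
            out.append((a.name, "reaches backups/domain tools without phishing-resistant MFA"))
        if a.standing_admin:
            out.append((a.name, "holds standing admin rights; should be just-in-time"))
        if a.kind in ("service", "vendor") and (
            a.last_review is None or now - a.last_review > review_window
        ):
            out.append((a.name, f"{a.kind} account not reviewed within {review_window.days} days"))
    return out


def session_metrics(events, now):
    """events: (timestamp, account, action) with action in elevate/drop/alert/disable.

    Measures elevated-session lifetime and alert-to-revocation latency, and
    surfaces elevations and alerts that are still open at `now`.
    """
    elevated_since, alerted_since = {}, {}
    closed_hours, revocation_minutes = [], []
    for ts, acct, action in sorted(events):
        if action == "elevate":
            elevated_since.setdefault(acct, ts)
        elif action == "drop" and acct in elevated_since:
            closed_hours.append((ts - elevated_since.pop(acct)).total_seconds() / 3600)
        elif action == "alert":
            alerted_since.setdefault(acct, ts)
        elif action == "disable" and acct in alerted_since:
            revocation_minutes.append((ts - alerted_since.pop(acct)).total_seconds() / 60)
    return {
        "median_elevated_hours": median(closed_hours) if closed_hours else 0.0,
        "still_elevated": {a: (now - t).total_seconds() / 3600 for a, t in elevated_since.items()},
        "median_revocation_minutes": median(revocation_minutes) if revocation_minutes else None,
        "alerts_without_revocation": sorted(alerted_since),
    }


# Constructed sample inventory and events (not real organisations or accounts).
NOW = datetime(2024, 7, 1, 12, 0)
d, h, m = (lambda n: timedelta(days=n)), (lambda n: timedelta(hours=n)), (lambda n: timedelta(minutes=n))
ACCOUNTS = [
    Account("jsmith", "human", frozenset({"finance"}), "fido2", NOW - d(10), False),
    Account("backup-svc", "service", frozenset({"backups"}), None, NOW - d(400), True),
    Account("msp-contractor", "vendor", frozenset({"domain_tools", "ops_apps"}), "push", None, False),
    Account("da-admin", "human", frozenset({"domain_tools", "backups"}), "piv", NOW - d(30), False),
]
EVENTS = [
    (NOW - h(5), "da-admin", "elevate"), (NOW - h(4), "da-admin", "drop"),
    (NOW - h(30), "msp-contractor", "elevate"), (NOW - h(6), "msp-contractor", "drop"),
    (NOW - h(3), "msp-contractor", "elevate"),            # still elevated at NOW
    (NOW - h(2), "backup-svc", "alert"), (NOW - m(90), "backup-svc", "disable"),
    (NOW - m(50), "msp-contractor", "alert"),             # alerted, not yet revoked
]

if __name__ == "__main__":
    for a in rank_by_blast_radius(ACCOUNTS):
        print(f"{a.name:16} blast radius {blast_radius(a)}")
    for name, reason in review(ACCOUNTS, NOW):
        print(f"FINDING {name}: {reason}")
    print(session_metrics(EVENTS, NOW))
```

The three numbers the Q&A asks for fall out of `session_metrics`: a median elevated session measured in hours rather than days, an empty `still_elevated` map, and a `median_revocation_minutes` that is shrinking release over release are the evidence that the controls are working; a vendor account that stays elevated for a day and an alert with no matching disable are the failure modes to chase.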
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how ransomware incidents disrupt payments, retail operations, and public services
- The article's breakdown of how identity controls reduce lateral movement after initial access
- Detailed descriptions of enterprise access management, privileged access management, and vendor privileged access controls
- Context on the financial and legal consequences of recent ransomware incidents
👉 Read Imprivata's analysis of ransomware, identity controls, and business disruption →
Ransomware and identity controls: what IAM teams need to tighten
Explore further
Ransomware is now an identity attack on business continuity. The article shows that encryption is only the visible endpoint of a much earlier access problem. Once an attacker can use a compromised identity to move laterally, the business is paying for privilege design failures, not just malware removal. Practitioners should therefore judge ransomware resilience by how quickly identity paths are contained.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps: 38% have no or low visibility and 47% have only partial visibility, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging and by over-privileged accounts, each cited by 37%.
A question worth separating out:
Q: Who is accountable when ransomware spreads through privileged access gaps?
A: Accountability sits with the teams that own identity governance, privileged access, and third-party access oversight, not only with incident response. If the programme allows standing privilege, unmanaged vendor access, or weak session control, the failure is structural. Frameworks such as NIST CSF, together with a PAM governance model, should be used to assign clear ownership for each of those controls.
👉 Read our full editorial: Ransomware resilience depends on identity controls, not just backups